oss-sec mailing list archives

[white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

From: Dawid Golunski <dawid () legalhackers com>
Date: Wed, 3 May 2017 17:32:03 -0300

Here's a paper I wrote back in December.  It was originally meant to go
into Phrack but the team wanted a more general article on parameter injection
as mail() was supposedly an outdated technique.
Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
changing it as mail() injection deserves a separate article imho.

https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html

I reveal some exim code-execution vectors in there that should change
the whole game slightly :)

See my exploit for WordPress Core that is based on it:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html


I'll attach copies of the white-paper here in the next revision as I
haven't slept for 3 nights and need to double check on everything
before it goes into the archive forever :)


Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski

Current thread:

[white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Dawid Golunski (May 03)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Sam Pizzey (May 03)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Kash Pande (May 07)
  - Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Dawid Golunski (May 07)