oss-sec mailing list archives

Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

From: Sam Pizzey <sam () pizzey me>
Date: Wed, 3 May 2017 16:42:25 -0500

Looks good! Especially the Exim RCE technique which I now need to goplay with.


However:

'Also note that the output log file contains a lot of debug information
added by Sendmail MTA. This might'

Might ..?

On 03/05/2017 15:32, Dawid Golunski wrote:

Here's a paper I wrote back in December.  It was originally meant to go
into Phrack but the team wanted a more general article on parameter injection
as mail() was supposedly an outdated technique.
Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
changing it as mail() injection deserves a separate article imho.

https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html

I reveal some exim code-execution vectors in there that should change
the whole game slightly :)

See my exploit for WordPress Core that is based on it:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html


I'll attach copies of the white-paper here in the next revision as I
haven't slept for 3 nights and need to double check on everything
before it goes into the archive forever :)


Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski

Current thread:

[white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Dawid Golunski (May 03)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Sam Pizzey (May 03)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Kash Pande (May 07)
  - Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Dawid Golunski (May 07)