Date: Wed, 3 May 2017 16:42:25 -0500
From: Sam Pizzey <sam@...zey.me>
To: oss-security@...ts.openwall.com
Subject: Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

Looks good! Especially the Exim RCE technique which I now need to go 
play with.

However:

'Also note that the output log file contains a lot of debug information
added by Sendmail MTA. This might'

Might ..?

On 03/05/2017 15:32, Dawid Golunski wrote:
> Here's a paper I wrote back in December.  It was originally meant to go
> into Phrack but the team wanted a more general article on parameter injection
> as mail() was supposedly an outdated technique.
> Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
> changing it as mail() injection deserves a separate article imho.
>
> https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
>
> I reveal some exim code-execution vectors in there that should change
> the whole game slightly :)
>
> See my exploit for WordPress Core that is based on it:
> https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
>
>
> I'll attach copies of the white-paper here in the next revision as I
> haven't slept for 3 nights and need to double check on everything
> before it goes into the archive forever :)
>
>
> Regards,
> Dawid Golunski
> https://legalhackers.com
> https://ExploitBox.io
> t: @dawid_golunski
