Date: Wed, 3 May 2017 16:42:25 -0500
From: Sam Pizzey <sam@...zey.me>
To: oss-security@...ts.openwall.com
Subject: Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

Looks good! Especially the Exim RCE technique which I now need to go play with.

However:

'Also note that the output log file contains a lot of debug information added by Sendmail MTA. This might'

Might ..?

On 03/05/2017 15:32, Dawid Golunski wrote:
> Here's a paper I wrote back in December. It was originally meant to go
> into Phrack but the team wanted a more general article on parameter injection
> as mail() was supposedly an outdated technique.
> Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
> changing it as mail() injection deserves a separate article imho.
>
> https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
>
> I reveal some exim code-execution vectors in there that should change
> the whole game slightly :)
>
> See my exploit for WordPress Core that is based on it:
> https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
>
>
> I'll attach copies of the white-paper here in the next revision as I
> haven't slept for 3 nights and need to double check on everything
> before it goes into the archive forever :)
>
>
> Regards,
> Dawid Golunski
> https://legalhackers.com
> https://ExploitBox.io
> t: @dawid_golunski