Date: Wed, 3 May 2017 17:32:03 -0300
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

Here's a paper I wrote back in December.  It was originally meant to go
into Phrack but the team wanted a more general article on parameter injection
as mail() was supposedly an outdated technique.
Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
changing it as mail() injection deserves a separate article imho.

https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html

I reveal some exim code-execution vectors in there that should change
the whole game slightly :)

See my exploit for WordPress Core that is based on it:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html


I'll attach copies of the white-paper here in the next revision as I
haven't slept for 3 nights and need to double check on everything
before it goes into the archive forever :)


Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski
