I was looking at your exploit code and it looks like it won't work, as you are passing "vulnerables@ -OQueueDirectory=/tmp -X/backdoor.php" to the setFrom() function. The setFrom() function first verifies the passed email with some regex, and your malformed email address will not pass the verification:
    public function setFrom($address, $name = '', $auto = true)
    {
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        // Don't validate now addresses with IDN. Will be done in send().
        if (($pos = strrpos($address, '@')) === false or
            (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and
            !$this->validateAddress($address)) {
            $error_message = $this->lang('invalid_address') . " (setFrom) $address";
            $this->setError($error_message);
            $this->edebug($error_message);
There is a $this->validateAddress call, and if it fails, the function's execution is stopped and the following code is not executed:
        $this->From = $address;
        $this->FromName = $name;
        if ($auto) {
            if (empty($this->Sender)) {
                $this->Sender = $address;
            }
        }
Since $this->Sender is then not set to the sender's address, the exploit will fail, as it will use the default initialized value for $this->Sender.
All of the above code is from class.phpmailer.php
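The gate described in the comment above, as an added example that is not part of the original comment and is not PHPMailer's code: a simplified model showing that an address rejected by validation never reaches Sender. The class name MailerModel, the use of filter_var() as a stand-in for validateAddress(), and the extra whitespace/control-character rule are assumptions made for illustration.

```php
<?php
// Simplified model of the validation gate; names and defaults are constructed.
final class MailerModel
{
    public string $From = 'root@localhost'; // constructed default
    public string $Sender = '';             // constructed default: unset
    public string $ErrorInfo = '';

    // Stand-in for validateAddress() (assumption): PHP's built-in e-mail
    // filter, plus a defence-in-depth rule that no whitespace or control
    // byte may appear in an address that could become the envelope sender.
    public static function validateAddress(string $address): bool
    {
        if (preg_match('/[\s\x00-\x1F\x7F]/', $address)) {
            return false;
        }
        return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }

    public function setFrom(string $address, bool $auto = true): bool
    {
        $address = trim($address);
        if (!self::validateAddress($address)) {
            $this->ErrorInfo = "invalid_address (setFrom) $address";
            return false; // From and Sender keep their defaults
        }
        $this->From = $address;
        if ($auto && $this->Sender === '') {
            $this->Sender = $address;
        }
        return true;
    }
}

// Constructed inputs: an ordinary address and the string quoted in the comment.
$cases = [
    'alice@example.com',
    'vulnerables@ -OQueueDirectory=/tmp -X/backdoor.php',
];
foreach ($cases as $input) {
    $m = new MailerModel();
    $ok = $m->setFrom($input);
    printf("%-52s accepted=%s Sender=%s\n", $input,
        var_export($ok, true), var_export($m->Sender, true));
}
```

The same loop works as a regression check: feed it every address format an application accepts from users and confirm that any value that does reach Sender contains no whitespace or control characters.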