WinWebMail is installed as a system service. The program runs under admin privilege, and the service program emsvr.exe runs with SYSTEM permission. This is how permissions can be escalated through this vulnerability. Suppose we get a low-privilege WebShell with write permission. If WinWebMail is installed on the server, we only need to be able to modify the popusers.ini file to escalate permissions. Users can be added and ports opened as needed.
On NTFS, WinWebMail requires that its installation directory be writable by Everyone. This is because it is a web-based mail system that reads and writes user mailboxes (the folder corresponding to each user name) through ASP files, and ordinary ASP pages execute with low permissions, so the directory where WinWebMail is located must be writable by Everyone, or the program cannot read and write these user folders. On FAT32 there are no file permissions at all, so we can modify the popusers.ini file at will to obtain higher permissions through the overflow.
Finally, the remote exploitation method. Because users can register through the web interface, packet-capture software can be used to modify the registration information and thereby indirectly modify the INI file; the vulnerability is then exploited when the server restarts.
This vulnerability affects versions earlier than 3.7.3.1.
------------------------------------
This is the WinWebMail mail server system. All usernames and passwords, including the admin administrator user, are stored in the popusers.ini file in the WinWebMail installation directory! Of course, the passwords are encrypted!
All we need to do is install the same version of WinWebMail locally and then, through the WebShell, replace the encrypted password on the server with the one generated locally. This mail server is then ready! (To put it bluntly, WinWebMail requires the installation directory to be writable by Everyone.)
------------------------------------
The Everyone permission must be set on the web directory under the WinWebMail directory so that it is readable and writable, or mail login fails. Therefore, find the WinWebMail shortcut in the Start menu, view its path, and access that path from the WebShell; after accessing it, the default permission is SYSTEM, and the remote control is entered into the startup items. Wait for the next restart. The user is added directly without the cmd component.
For example, if c:\winwebmail\web cannot be viewed, try d:\winwebmail\web instead (it must be the web directory; I could not view c:\winwebmail by any means).
If the path cannot be found, read it from the registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinWebMail Server\ImagePath
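As an added defensive check, not part of the original article: a PowerShell audit that resolves the WinWebMail service directory from the registry key named above, reports the service executable's file version against the 3.7.3.1 fix, and lists which low-privilege principals can write to the install directory, its web subdirectory and popusers.ini. The service key name 'WinWebMail Server', the 'web' subdirectory and popusers.ini sitting beside the executable are assumptions.

```powershell
# Added audit script (not from the original article). Assumes the service is
# registered as 'WinWebMail Server' with an ImagePath value, and that popusers.ini
# and the 'web' folder sit beside the service executable. Run from an elevated shell.
function Test-WinWebMailExposure {
    param(
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinWebMail Server'
    )
    $imagePath = (Get-ItemProperty -LiteralPath $ServiceKey -Name ImagePath -ErrorAction Stop).ImagePath
    # ImagePath may be quoted and may carry arguments; keep only the executable path
    $exe = if ($imagePath -match '^"([^"]+)"') { $Matches[1] } else { ($imagePath -split ' ')[0] }
    $installDir = Split-Path -Parent $exe

    # Version check against the fixed release named in the article (3.7.3.1)
    $fileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $belowFixed = $false
    try { $belowFixed = [version]$fileVersion -lt [version]'3.7.3.1' } catch { $fileVersion = "unparsed: $fileVersion" }

    # Principals that any low-privilege account (an IIS worker, a web shell) falls under
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    $targets = @($installDir, (Join-Path $installDir 'popusers.ini'), (Join-Path $installDir 'web'))
    $findings = foreach ($target in $targets) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        foreach ($rule in (Get-Acl -LiteralPath $target).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($broad -notcontains $rule.IdentityReference.Value) { continue }
            $rights = [int]$rule.FileSystemRights
            # Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) show up as raw bits
            $grantsWrite = (($rights -band [int]$writeRights) -ne 0) -or (($rights -band 0x50000000) -ne 0)
            if ($grantsWrite) {
                [pscustomobject]@{ Path = $target; Principal = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
            }
        }
    }
    [pscustomobject]@{
        Executable        = $exe
        FileVersion       = $fileVersion
        BelowFixedVersion = $belowFixed
        WritableByLowPriv = @($findings)
    }
}

Test-WinWebMailExposure | Format-List
```

Any entry in WritableByLowPriv means a low-privilege account on the host can rewrite the credential file the article describes, so the finding should be tracked even where the product requires that permission to run.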
2. The 7i24 web directory is also writable, and it runs with administrator permission.
Note: the 7i24 directory is readable and writable by default. Write into the IISSAFE directory and access the ASP file, e.g. http://lan3a.com/iissafe/shell.asp
3. A server running Magic Winmail opens port 8080 to provide external webmail services; people who have used it will know. Magic Winmail supports PHP script parsing but cannot parse ASP scripts. Magic Winmail is the world of PHP.
X:\Magic Winmail\server\webmail. This directory has SYSTEM permission by default.
When installing Magic Winmail, the administrator must install it under a system-level identity, so Magic Winmail inherits system-level permission, and since Magic Winmail parses PHP scripts, a PHP script placed there runs as a system-level script. In this respect Magic Winmail is a bit like the Chinese-made Netbox.