POC详情: ea96838b2c1eff17336ce0325a6304b2d18bfa24

来源
https://github.com/SLSteff/CVE-2020-0688-Scanner
关联漏洞
标题: Microsoft Exchange Server 授权问题漏洞 (CVE-2020-0688)
描述:Microsoft Exchange Server是美国微软(Microsoft)公司的一套电子邮件服务程序。它提供邮件存取、储存、转发,语音邮件,邮件过滤筛选等功能。 Microsoft Exchange Server 中存在授权问题漏洞,该漏洞源于程序无法正确处理内存中的对象。攻击者可借助特制的电子邮件利用该漏洞在系统用户的上下文中运行任意代码。以下产品及版本受到影响:Microsoft Exchange Server 2010,Microsoft Exchange Server 2013,Micro
描述
Scans for Microsoft Exchange Versions with masscan
介绍
[![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)](https://www.gnu.org/software/bash/)

# CVE-2020-0688-Scanner
This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and Versions discovered. The specified IP/range/CIDR will be scanned with [`masscan`](https://github.com/robertdavidgraham/masscan) on port **tcp/443**. After a successful scan it tries to HTTP GET **"/owa/auth/logon.aspx"** with curl to grab the Outlook Web Access page source for build versions to display.

On Small Business Server 2011 with Exchange Server 2010 SP3 Update Rollup 30 the version on **"/owa/auth/logon.aspx"** wasn't updated. The page source shows the build version **"14.3.487"** (Exchange Server 2010 SP3 probably CU29, which is vulnerable) instead of **"14.3.496"** (mentioned by Remy S on [blog.rapid7.com](https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/)). In this case the script will try to get the following file: **"/ecp/14.3.496.0/Scripts/microsoftajax.js"**, if this file is available the Exchange Server is not vulnerable and as of this writing up to date.

The output of the script will be enriched with additional information like DNS reverse lookup of the IP and the certificate subject name.


# Requirements
[`masscan`](https://github.com/robertdavidgraham/masscan) from [Robert David Graham](https://github.com/robertdavidgraham)


# Usage
### Scan IP/Range/CIDR:
Specifiy the IP/Range/CIDR with the **`-n`** flag:

	$ ./CVE-2020-0688-Scanner.sh -n <ip/range/cidr>

Turn verbosity on with the **`-v`** flag (very noisy):

	$ ./CVE-2020-0688-Scanner.sh -n <ip/range/cidr> -v


### Scan a single IP:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.xxx


### Scan a subnet:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.0/24


### Scan an ip-range:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.10-xxx.xxx.xxx.45


### Combine these options with a comma:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.xxx,xxx.xxx.xxx.10-xxx.xxx.xxx.45,xxx.xxx.xxx.0/19


# Screenshot
![alt text](https://github.com/SLSteff/project-pictures/blob/main/CVE-2020-0688-Scanner.png "CVE-2020-0688-Scanner Screenshot of a /19 scan")
Scan of a /19 network with multiple vulnerable Microsoft Exchange Server.


# ToDo
I don't think I'll update this anytime soon, it did it's job
- [x] put it on github
- [ ] clean up code... (ain't nobody got time for that...)
- [ ] rewrite in python... (maybe in the future...)
- [ ] add log function
文件快照

 [4.0K]  /data/pocs/ea96838b2c1eff17336ce0325a6304b2d18bfa24
├── [ 25K]  CVE-2020-0688-Scanner.sh
├── [1.0K]  LICENSE
└── [2.4K]  README.md

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。