Path: blob/master/documentation/modules/exploit/windows/http/exchange_proxynotshell_rce.md
## Vulnerable Application
This module chains two vulnerabilities in Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange PowerShell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019.

By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.

This vulnerability affects:

- Exchange 2013 CU23 < 15.0.1497.44
- Exchange 2016 CU22 < 15.1.2375.37
- Exchange 2016 CU23 < 15.1.2507.16
- Exchange 2019 CU11 < 15.2.986.36
- Exchange 2019 CU12 < 15.2.1118.20
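The list above gives, for each Cumulative Update, the first build that carries the fix. The following script is an added example (not part of this module or of Metasploit) that turns that list into a patch-status check an administrator can run against an inventory of build numbers. It assumes the usual Exchange build layout `major.minor.cu_build.revision`, where the third field identifies the CU; a build whose third field matches none of the listed CUs is reported as "unknown" rather than guessed at. The host names and builds in `SAMPLE_INVENTORY` are constructed.

```python
"""Classify Exchange Server builds against the affected-version list above."""
from __future__ import annotations

# First fixed build per CU, copied from the affected-version list.
# Exchange builds are major.minor.cu_build.revision; the third field identifies the CU,
# so a build is vulnerable when it shares a CU's first three fields and is below the fix.
FIXED_BUILDS: dict[str, tuple[int, int, int, int]] = {
    "Exchange 2013 CU23": (15, 0, 1497, 44),
    "Exchange 2016 CU22": (15, 1, 2375, 37),
    "Exchange 2016 CU23": (15, 1, 2507, 16),
    "Exchange 2019 CU11": (15, 2, 986, 36),
    "Exchange 2019 CU12": (15, 2, 1118, 20),
}


def fmt(build: tuple[int, ...]) -> str:
    """Render a build tuple back into dotted form."""
    return ".".join(str(n) for n in build)


def parse_build(text: str) -> tuple[int, int, int, int]:
    """Parse 'a.b.c.d' into a tuple of four ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def assess(build_text: str) -> tuple[str, str]:
    """Return (status, detail); status is 'vulnerable', 'patched' or 'unknown'."""
    build = parse_build(build_text)
    for cu, fixed in FIXED_BUILDS.items():
        if build[:3] == fixed[:3]:
            # Same CU: tuple comparison orders the revision field numerically.
            if build < fixed:
                return "vulnerable", f"{cu}: {build_text} is below fixed build {fmt(fixed)}"
            return "patched", f"{cu}: {build_text} is at or above fixed build {fmt(fixed)}"
    return "unknown", f"{build_text} is not one of the CUs in the affected-version list"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by status so the vulnerable ones can be prioritised."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, build in inventory.items():
        status, _ = assess(build)
        groups[status].append(host)
    return groups


# Constructed sample inventory (host names and builds are made up for illustration).
SAMPLE_INVENTORY = {
    "ex01.corp.example": "15.2.986.30",    # 2019 CU11, below the fix
    "ex02.corp.example": "15.2.1118.20",   # 2019 CU12, exactly the fixed build
    "ex03.corp.example": "15.1.2375.17",   # 2016 CU22, below the fix
    "ex04.corp.example": "15.1.2308.8",    # 2016 CU21, not in the list
}

if __name__ == "__main__":
    for host, build in SAMPLE_INVENTORY.items():
        status, detail = assess(build)
        print(f"{host:20} {status:10} {detail}")
    print(triage(SAMPLE_INVENTORY))
```

Because the page only states the first fixed build per CU, the script deliberately refuses to classify builds from CUs that are not listed; those hosts should be checked against the vendor's own build table rather than assumed safe.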
## Verification Steps

1. Start `msfconsole`
2. Do: `use exploit/windows/http/exchange_proxynotshell_rce`
3. Do: `set RHOSTS [IP]`
4. Do: `set USERNAME [USERNAME]`
5. Do: `set PASSWORD [PASSWORD]`
6. Do: `run`
## Advanced Options

### EemsBypass

Technique to bypass the EEMS rule.

- `none` -- Make no attempt to bypass the EEMS rule. This can be used with the `check` method to determine if the EEMS M1 rule is applied.
- `IBM037v1` -- Use IBM037 encoding combined with the `X-Up-Devcap-Post-Charset` header and `UP` User-Agent prefix. See ProxyNotRelay for more information.

### MaxBackendRetries

The maximum number of times to retry targeting the backend server with the SSRF. This is useful in environments where a Database Availability Group (DAG) is in place and causes requests to be sent to a random backend server.