Path: blob/master/documentation/modules/exploit/windows/http/exchange_proxyshell_rce.md
## Vulnerable Application
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve RCE (Remote Code Execution).

By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.

This vulnerability affects:

- Exchange 2013 CU23 < 15.0.1497.15
- Exchange 2016 CU19 < 15.1.2176.12
- Exchange 2016 CU20 < 15.1.2242.8
- Exchange 2019 CU8 < 15.2.792.13
- Exchange 2019 CU9 < 15.2.858.10
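The build list above is what a defender needs to decide whether a given server still needs the patch. The following Ruby snippet is an added example (it is not part of the Metasploit module or its documentation): it takes an `AdminDisplayVersion`-style build string, identifies the Cumulative Update from its `major.minor.build` prefix and compares the full build against the first fixed build listed above. The `FIXED_BUILDS` table, `parse_build` and `proxyshell_status` are names chosen here.

```ruby
# Added example, not module code: classify an Exchange build number against the
# fixed builds documented for this module. The key is the "major.minor.build"
# prefix that identifies a Cumulative Update; the value is the first build of
# that CU that carries the fix.
FIXED_BUILDS = {
  '15.0.1497' => [15, 0, 1497, 15], # Exchange 2013 CU23
  '15.1.2176' => [15, 1, 2176, 12], # Exchange 2016 CU19
  '15.1.2242' => [15, 1, 2242, 8],  # Exchange 2016 CU20
  '15.2.792'  => [15, 2, 792, 13],  # Exchange 2019 CU8
  '15.2.858'  => [15, 2, 858, 10],  # Exchange 2019 CU9
}.freeze

# Parse "15.1.2242.4" into [15, 1, 2242, 4]; reject anything that is not four
# dotted integers so a typo in an inventory export does not silently pass.
def parse_build(version)
  m = version.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/)
  raise ArgumentError, "unrecognised Exchange build string: #{version.inspect}" unless m
  m.captures.map(&:to_i)
end

# Returns :vulnerable when the build is below the fixed build of its CU,
# :fixed when it is at or above it, and :unlisted when the CU prefix is not
# one of the five listed above (older or newer CUs need a separate check).
def proxyshell_status(version)
  build = parse_build(version)
  fixed = FIXED_BUILDS[build[0, 3].join('.')]
  return :unlisted unless fixed

  (build <=> fixed) < 0 ? :vulnerable : :fixed
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inventory: hostname => reported build
  { 'EX01' => '15.1.2242.4', 'EX02' => '15.2.858.10', 'EX03' => '15.1.2308.8' }.each do |host, build|
    puts "#{host} #{build} -> #{proxyshell_status(build)}"
  end
end
```

Note that `:unlisted` is not a clean bill of health; a CU that is not in the table is simply outside the range this documentation covers and should be checked against Microsoft's own release notes.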
## Exploit Internals

At a high level, the steps the exploit takes are as follows:

1. Build a Common Access Token corresponding to a user with the "Mailbox Import Export" role
   - If an email address is specified using the `EMAIL` datastore option, the exploit will attempt to use the owner
   - If no email address is specified
     - The exploit will leverage the SSRF to issue a request to EWS and enumerate the email addresses
       - This technique was taken from dmassland/proxyshell-poc
     - The module will store the enumerated email addresses in a CSV file
     - Each of the email addresses will be checked for the necessary role
   - A common access token will be built using the verified user's SID
     - Email addresses are mapped to SIDs using a request to autodiscover and MAPI
2. A draft email is saved to the identified user's mailbox containing an encoded webshell embedded within an attachment
3. The `New-MailboxExportRequest` cmdlet is used to export the attachment and write the webshell to an accessible location
4. The exploit waits for the webshell to be written and uses it to execute OS commands
5. The webshell*, export request and draft email are all removed

\*The webshell can only be removed automatically if the selected payload establishes a session (such as Meterpreter)
## Verification Steps

1. Start msfconsole
2. Do: `use exploit/windows/http/exchange_proxyshell_rce`
3. Do: `set RHOSTS [IP]`
4. Do: `run`
## Options

**EMAIL**

A known email address for this organization. If specified, the user who owns the mailbox must either have the "Mailbox Import Export" role already or have the necessary permissions to assign it to themselves. This would typically be some sort of administrative user. If this option is left blank, the module will enumerate all valid email addresses and check each one for the necessary privileges.

**UseAlternatePath**

Use the IIS root dir as the alternate path. Default: false
## Advanced Options

**BackendServerName**

Force the name of the backend Exchange server targeted. Default: Automatic

If not set, the automatic method will use an RPC call to detect the backend server FQDN. This is required because the Kerberos-authenticated SSRF can only be sent when the FQDN is known.

**ExchangeBasePath**

The base path where Exchange is installed. Default: `C:\Program Files\Microsoft\Exchange Server\V15`

**ExchangeWritePath**

The path where you want to write the backdoor. Default: `owa\auth`

You can, for example, set it to `ecp\auth`.

**IISBasePath**

The base path where the IIS wwwroot directory is. Default: `C:\inetpub\wwwroot`

**IISWritePath**

The path where you want to write the backdoor. Default: `aspnet_client`

**MapiClientApp**

This is the MAPI client version sent in the request.

**MaxBackendRetries**

The maximum number of times to retry targeting the backend server with the SSRF. This is useful in environments where a Database Availability Group (DAG) is in place and causes requests to be sent to a random backend server.