@jonade
Last active December 16, 2022 06:28
Exchange Server - Create IIS Rewrite rules

Configure IIS URL Rewrite rules on an Exchange Server (run everything below in an elevated PowerShell session on the mailbox server).

1. Install prerequisites

The URL Rewrite module is available from https://www.iis.net/downloads/microsoft/url-rewrite

# Open the download page in a browser (interactive install)
Start-Process "https://www.iis.net/downloads/microsoft/url-rewrite"

# Or download v2.1 (x64) directly and install it; /qb shows only a basic progress UI
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Invoke-WebRequest -Uri "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi" -OutFile "C:\Temp\rewrite_amd64_en-US.msi"
msiexec.exe /i "C:\Temp\rewrite_amd64_en-US.msi" /qb
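The same download and install as a checked procedure. This is an added example, not code from the gist: it verifies the MSI's Authenticode signature before running it, installs silently without rebooting the server, and then confirms that IIS actually registered the native module. The URL and file path are the ones used above; the `$Destination` variable, the log file name and the `Install-UrlRewriteModule` function name are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original gist). Assumes Windows PowerShell on the Exchange server.
$Uri         = 'https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi'
$Destination = 'C:\Temp\rewrite_amd64_en-US.msi'   # assumption: any local path works

function Install-UrlRewriteModule {
    param([string]$Uri, [string]$Destination)

    New-Item -ItemType Directory -Path (Split-Path $Destination) -Force | Out-Null
    Invoke-WebRequest -Uri $Uri -OutFile $Destination -UseBasicParsing

    # Supply-chain check: refuse to run an installer whose signature is missing,
    # broken, or not issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to install: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    # /qn = no UI, /norestart = never reboot a production Exchange server, /l*v = keep an install log
    $log  = "$Destination.log"
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList '/i', "`"$Destination`"", '/qn', '/norestart', '/l*v', "`"$log`"" -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {   # 3010 = installed, reboot required
        throw "msiexec exited with $($proc.ExitCode); see $log"
    }

    # Confirm the native module is registered in applicationHost.config; the
    # system.webServer/rewrite section the rules below write to only exists once it is.
    Import-Module WebAdministration
    $module = Get-WebGlobalModule -Name RewriteModule
    if (-not $module) { throw 'RewriteModule is not registered; the rewrite rules cannot be created' }
    $module
}

Install-UrlRewriteModule -Uri $Uri -Destination $Destination
```

Exit code 3010 is reported rather than acted on: decide yourself when the server reboots. If the module was already present, the MSI returns 0 and the final check still confirms it is loaded.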

2. Block POST method for AutoDiscover virtual directory

# The rule lives on the Autodiscover virtual directory, so the {URL} it matches is relative to that directory
Import-Module WebAdministration

$name = 'Block POST to Autodiscover'
$site = 'IIS:\Sites\Default Web Site\Autodiscover'
$root = 'system.webServer/rewrite/rules'
$filter = "{0}/rule[@name='{1}']" -f $root, $name

# Create the rule (wildcard syntax), match any URL containing autodiscover.json,
# add a condition on the request method (matchType 0 = Pattern), and answer matching POSTs with a 404
Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name=$name; patternSyntax='Wildcard'; stopProcessing='True'}
Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value "*autodiscover.json*"
Set-WebConfigurationProperty -PSPath $site -filter "$filter/conditions" -name '.' -value @{input='{REQUEST_METHOD}'; matchType='0'; pattern='POST*'; ignoreCase='True'; negate='False'}
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name '.' -value @{type='CustomResponse'; statusCode=404; statusReason='Not found'}
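Before relying on a rule, read it back from the configuration, and keep a way to remove it cleanly if it breaks client traffic. The two helpers below are an added example, not part of the gist; they use the rule and site names from step 2 and assume WebAdministration's property view of a rule element (`match`, `conditions.Collection`, `action`). The function names `Get-IisRewriteRule` and `Remove-IisRewriteRule` are this example's own.

```powershell
# Added example (not part of the original gist): inspect and roll back rewrite rules by name.
Import-Module WebAdministration

function Get-IisRewriteRule {
    param([Parameter(Mandatory)][string]$PSPath, [string]$Name)
    $filter = 'system.webServer/rewrite/rules/rule'
    if ($Name) { $filter += "[@name='$Name']" }
    Get-WebConfiguration -PSPath $PSPath -Filter $filter | ForEach-Object {
        $rule = $_
        [pscustomobject]@{
            Name           = $rule.name
            PatternSyntax  = $rule.patternSyntax
            StopProcessing = $rule.stopProcessing
            MatchUrl       = $rule.match.url
            # One entry per condition: "<server variable> ~ '<pattern>'", flagged when negated
            Conditions     = ($rule.conditions.Collection | ForEach-Object {
                                 "$($_.input) ~ '$($_.pattern)'$(if ($_.negate) { ' (negated)' })"
                             }) -join '; '
            Action         = "$($rule.action.type) $($rule.action.statusCode)"
        }
    }
}

function Remove-IisRewriteRule {
    param([Parameter(Mandatory)][string]$PSPath, [Parameter(Mandatory)][string]$Name)
    if (-not (Get-IisRewriteRule -PSPath $PSPath -Name $Name)) {
        Write-Warning "No rule named '$Name' at $PSPath"
        return
    }
    # Removes the <rule name="..."> element from the rules collection at this path only
    Remove-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/rewrite/rules' -Name '.' -AtElement @{name = $Name}
}

# Read back the rule created in step 2 and check that match, condition and action are what was intended
Get-IisRewriteRule -PSPath 'IIS:\Sites\Default Web Site\Autodiscover' -Name 'Block POST to Autodiscover' | Format-List

# Rollback, when needed:
# Remove-IisRewriteRule -PSPath 'IIS:\Sites\Default Web Site\Autodiscover' -Name 'Block POST to Autodiscover'
```

Run `Get-IisRewriteRule` without `-Name` to list every rule at a path; rules are evaluated in the order listed, which matters once a rule with stopProcessing set sits above another.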

3. Hafnium / ProxyLogon mitigations

These two rules are the ones from Microsoft's backend-cookie mitigation for the March 2021 Exchange vulnerabilities (https://aka.ms/exchangevulns). They sit on the site root, not on a virtual directory: any inbound request carrying an X-AnonResource-Backend cookie, or an X-BEResource cookie of the form X-BEResource=<host>/<path>~<version>, has its connection aborted.

Import-Module WebAdministration

$HttpCookieInput = '{HTTP_COOKIE}'
$root = 'system.webServer/rewrite/rules'
$inbound = '.*'                                  # match every request URL; the cookie condition does the filtering
$site = 'IIS:\Sites\Default Web Site\'           # site root this time, unlike the Autodiscover path in step 2
$name = 'X-AnonResource-Backend Abort - inbound'
$name2 = 'X-BEResource Abort - inbound'
$pattern = '(.*)X-AnonResource-Backend(.*)'
$pattern2 = '(.*)X-BEResource=(.+)/(.+)~(.+)'
$filter = "{0}/rule[@name='{1}']" -f $root, $name
$filter2 = "{0}/rule[@name='{1}']" -f $root, $name2

# Rule 1: abort any request whose Cookie header mentions X-AnonResource-Backend
Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patternSyntax = 'Regular Expressions'; stopProcessing = 'False' }
Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value $inbound
Set-WebConfigurationProperty -PSPath $site -filter "$filter/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern; ignoreCase = 'True'; negate = 'False' }
Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'type' -value 'AbortRequest'

# Rule 2: abort any request carrying a well-formed X-BEResource cookie
Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name2; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $site -filter "$filter2/match" -name 'url' -value $inbound
Set-WebConfigurationProperty -PSPath $site -filter "$filter2/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern2; ignoreCase = 'True'; negate = 'False' }
Set-WebConfigurationProperty -PSPath $site -filter "$filter2/action" -name 'type' -value 'AbortRequest'

4. CVE-2022-41040 and CVE-2022-41082 mitigations

This is the first version of the rule Microsoft published for these CVEs (ProxyNotShell). Microsoft revised the pattern and the scope of the rule several times afterwards and now ships it through the EOMTv2.ps1 script, which supersedes the code below; prefer that script over this snippet.

# Applies the rule remotely; replace YOUR-SERVER with the Exchange server name
Invoke-Command -ComputerName YOUR-SERVER -ScriptBlock {
    Import-Module WebAdministration
    $IIS_Autodiscover_path = 'MACHINE/WEBROOT/APPHOST/Default Web Site/Autodiscover'

    # Rule on the Autodiscover virtual directory, regular-expression syntax, matching every URL
    Add-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules" -name "." -value @{name='zerodaysep22';patternSyntax='ECMAScript';stopProcessing='True'}
    Set-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules/rule[@name='zerodaysep22']/match" -name "url" -value ".*"
    # Condition on the full request URI (path and query string); conditions are case-insensitive by default
    Add-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules/rule[@name='zerodaysep22']/conditions" -name "." -value @{input='{REQUEST_URI}';pattern='.*autodiscover\.json.*\@.*Powershell.*'}
    # Answer matching requests with a custom 403 instead of forwarding them
    Set-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules/rule[@name='zerodaysep22']/action" -name "type" -value "CustomResponse"
    Set-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules/rule[@name='zerodaysep22']/action" -name "statusCode" -value 403
    Set-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules/rule[@name='zerodaysep22']/action" -name "statusReason" -value "Forbidden: Access is denied."
    Set-WebConfigurationProperty -pspath $IIS_Autodiscover_path  -filter "system.webServer/rewrite/rules/rule[@name='zerodaysep22']/action" -name "statusDescription" -value "You do not have permission to view this directory or page using the credentials that you supplied."
}
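Once the rules from steps 2, 3 and 4 are in place, the only meaningful check is to send requests that should trip each rule and one that should not, and compare what IIS actually answers. The probe below is an added example, not part of the gist or of Microsoft's EOMT: the request shapes are constructed to mirror the rule patterns above (they are not exploit payloads), `$BaseUrl` is an assumption (use the server's own FQDN so the certificate validates), the expected 401 on the control request is an assumption about an unauthenticated Autodiscover GET, and the `Test-ExchangeRewriteRule` function is this example's own. It targets Windows PowerShell 5.1, where non-2xx responses arrive as exceptions.

```powershell
# Added example (not part of the original gist): probe each rewrite rule and report whether it fires.
function Test-ExchangeRewriteRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Uri,
        [string]$Method = 'GET',
        [hashtable]$Headers = @{},
        [Parameter(Mandatory)][string]$Expect   # 'Abort' for AbortRequest rules, otherwise an HTTP status code
    )
    $result = [ordered]@{ Rule = $Name; Expected = $Expect; Observed = $null }
    try {
        $r = Invoke-WebRequest -Uri $Uri -Method $Method -Headers $Headers -UseBasicParsing -TimeoutSec 15
        $result.Observed = [string][int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) {
            # 4xx/5xx: the status code is on the response attached to the exception
            $result.Observed = [string][int]$_.Exception.Response.StatusCode
        } else {
            # AbortRequest closes the TCP connection, so there is no HTTP response at all
            $result.Observed = 'Abort'
        }
    }
    $result.Pass = ($result.Observed -eq $Expect)
    [pscustomobject]$result
}

$BaseUrl = 'https://mail.contoso.example'   # assumption: replace with your server's FQDN

# Constructed test requests, one per rule, plus a control that no rule should touch
$probes = @(
    # Step 2: a POST to autodiscover.json must get the custom 404
    @{ Name = 'Block POST to Autodiscover'; Uri = "$BaseUrl/autodiscover/autodiscover.json"; Method = 'POST'; Expect = '404' }
    # Step 3: either backend cookie on any path must abort the connection
    @{ Name = 'X-AnonResource-Backend Abort - inbound'; Uri = "$BaseUrl/owa/"; Headers = @{ Cookie = 'X-AnonResource-Backend=test' }; Expect = 'Abort' }
    @{ Name = 'X-BEResource Abort - inbound'; Uri = "$BaseUrl/owa/"; Headers = @{ Cookie = 'X-BEResource=host/path~1' }; Expect = 'Abort' }
    # Step 4: a URI containing autodiscover.json, '@' and Powershell must get the custom 403
    @{ Name = 'zerodaysep22'; Uri = "$BaseUrl/autodiscover/autodiscover.json?@test/Powershell"; Expect = '403' }
    # Control: a plain unauthenticated GET must still reach Exchange (401 is an assumption; adjust to your server)
    @{ Name = 'control: GET autodiscover.json'; Uri = "$BaseUrl/autodiscover/autodiscover.json"; Expect = '401' }
)

$probes | ForEach-Object { $p = $_; Test-ExchangeRewriteRule @p } | Format-Table -AutoSize
```

A row whose Observed value is a normal Exchange status where 'Abort' or the custom code was expected means the rule was written somewhere the request never passes through (wrong site or virtual directory), or a rule above it with stopProcessing set answered first; read the rules back and check their order before changing patterns.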

mjpagan commented Sep 30, 2022

I have created a URL rewrite rule for the latest vulnerability based on your work. Would you like to have it added to your rewrite rules?


jonade commented Sep 30, 2022

I'll be honest, I completely forgot about this code. I think the EOMT ended up replacing the code I have here anyway.

I had a script for today's vuln that I can add.


Ghuzz commented Dec 16, 2022

I want to permit an IP address for the Exchange URL Rewrite patch. Is there any way?
