Skip to content

Instantly share code, notes, and snippets.

@technion

technion/Exchange Version.nse

Created November 17, 2021 22:50
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Scan Microsoft Exchange Version for vulnerability
Raw
Exchange Version.nse
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local string = require "string"
author = {"technion@lolware.net"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
-- Detection rule based on: https://twitter.com/GossiTheDog/status/1424673929382268932
portrule = shortport.http
action = function(host, port)
local output_info = {}
local response = http.generic_request(host, port, "GET","/autodiscover/autodiscover.json?@abc.com/owa/?&Email=autodi
scover/autodiscover.json%3F@abc.com" )
if response.status == 404 or response.status == 302 or response.status == nil then
output_info.detected = "Exchange has not been detected"
return output_info, stdnse.format_output(true, output_info)
end
output_info.owa_version = {}
if response.header['x-owa-version'] then
local owa_version = response.header['x-owa-version']
table.insert(output_info.owa_version, "x-owa-version:" .. owa_version)
if owa_version == '15.1.2308.20' or owa_version == '15.1.2375.17' then
output_info.vuln = "November 9 Patches applied"
elseif owa_version == '15.1.2375.12' or owa_version == '15.1.2308.15' then
output_info.vuln = "October 12 2012 Patch level - Vulnerable to November 9 exploit"
else
output_info.vuln = "VULNERABLE TO PROXYSHELL"
end
else
output_info.detected = "Exchange version has not been detected"
end
return output_info, stdnse.format_output(true, output_info)
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment