
Add version check to exploit/windows/http/exchange_ecp_dlp_policy #14289

Merged
merged 1 commit into from
Oct 21, 2020

Conversation

wvu
Contributor

@wvu wvu commented Oct 20, 2020

[+] The target appears to be vulnerable. Exchange Server 15.1.2044 is a vulnerable build.

owa_login could use some love, too. But someone else can do that.

Updates #14126 and #14265.

And update modules/exploits/windows/http/sharepoint_ssi_viewstate.rb.
@smcintyre-r7
Contributor

Tested both the Exchange module and the SharePoint module with these changes and the check method is still working as intended.

Exchange

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > show options 

Module options (exploit/windows/http/exchange_ecp_dlp_policy):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        OWA password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.42   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   USERNAME                    no        OWA username
   VHOST                       no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Exchange Server <= 2016 CU17 and 2019 CU6


msf6 exploit(windows/http/exchange_ecp_dlp_policy) > check
[*] 192.168.159.42:443 - The target appears to be vulnerable. Exchange Server 15.1.1713 is a vulnerable build.
msf6 exploit(windows/http/exchange_ecp_dlp_policy) > 

SharePoint

msf6 exploit(windows/http/sharepoint_ssi_viewstate) > show options 

Module options (exploit/windows/http/sharepoint_ssi_viewstate):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   HttpPassword                     no        SharePoint password
   HttpUsername                     no        SharePoint username
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.159.37   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /                yes       Base path
   URIPATH                          no        The URI to use for this exploit (default is random)
   VALIDATION_KEY                   no        ViewState validation key
   VHOST                            no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   2   PowerShell Stager


msf6 exploit(windows/http/sharepoint_ssi_viewstate) > set VHOST SHRPNT2019
VHOST => SHRPNT2019
msf6 exploit(windows/http/sharepoint_ssi_viewstate) > check
[*] 192.168.159.37:80 - The target appears to be vulnerable. SharePoint 16.0.0.10337 is a vulnerable build.
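The check output above is produced by comparing the build number reported by the server against the last affected build of that product line. The following is an added example, not code from this pull request or from Metasploit, that shows the core of such a build check in plain Ruby: the reported build is parsed out of a check line and compared numerically with Gem::Version, rather than as a string. The ceiling table is illustrative: the Exchange 15.1 ceiling of 15.1.2044 is taken from this PR (2016 CU17 is the last affected CU and 15.1.2044 is reported vulnerable); the SharePoint entry only reflects that 16.0.0.10337 is reported vulnerable, since the first fixed build is not stated on this page; the Exchange 2019 (15.2) line is left out for the same reason. Builds such as 15.1.2045, 15.1.713 and 15.2.1 used below are constructed for the demonstration.

```ruby
# Added example (not Metasploit code): a build-number version check of the
# kind this PR adds, using Gem::Version so builds compare numerically.
require 'rubygems'

# Illustrative "highest vulnerable build" per product line.
# Exchange 15.1 ceiling taken from the PR (2016 CU17 / 15.1.2044 reported
# vulnerable). The SharePoint ceiling is a CONSTRUCTED placeholder: the page
# only shows 16.0.0.10337 being reported vulnerable, not the first fixed build.
VULNERABLE_CEILINGS = {
  'Exchange Server' => { '15.1' => Gem::Version.new('15.1.2044') },
  'SharePoint'      => { '16.0' => Gem::Version.new('16.0.0.10337') }
}.freeze

# Matches the "<product> <build>" fragment of a check line, e.g.
# "Exchange Server 15.1.1713" or "SharePoint 16.0.0.10337".
CHECK_LINE = /(?<product>Exchange Server|SharePoint) (?<build>\d+(?:\.\d+)+)/

# Returns [product, Gem::Version] or nil when the line carries no build.
def parse_build(line)
  m = CHECK_LINE.match(line)
  return nil unless m

  [m[:product], Gem::Version.new(m[:build])]
end

# Classifies a build as :vulnerable, :not_vulnerable or :unknown.
# :unknown means the product line (major.minor) has no entry in the table,
# so the check cannot make a claim either way.
def classify(product, build)
  ceilings = VULNERABLE_CEILINGS[product]
  return :unknown unless ceilings

  line = build.segments[0, 2].join('.')   # "15.1.1713" -> "15.1"
  ceiling = ceilings[line]
  return :unknown unless ceiling

  build <= ceiling ? :vulnerable : :not_vulnerable
end

# Convenience wrapper: classify straight from a check output line.
def check_line(line)
  product, build = parse_build(line)
  return :unknown unless product

  classify(product, build)
end

# Demonstrates why numeric comparison matters: as strings, "15.1.2044" sorts
# before the (constructed) build "15.1.713", which would invert the check.
def string_compare_is_wrong?
  ('15.1.2044' < '15.1.713') &&
    (Gem::Version.new('15.1.2044') > Gem::Version.new('15.1.713'))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample line in the shape of the module's check output.
  puts check_line('[*] 192.168.159.42:443 - The target appears to be vulnerable. Exchange Server 15.1.1713 is a vulnerable build.')
  puts check_line('Exchange Server 15.1.2045')
  puts string_compare_is_wrong?
end
```

The table keyed by major.minor keeps the check honest: a build from a product line that has no entry returns :unknown instead of silently comparing against the wrong ceiling, which is the failure mode a version check should surface rather than hide.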

@smcintyre-r7 smcintyre-r7 merged commit 3dc232a into rapid7:master Oct 21, 2020
@smcintyre-r7
Contributor

smcintyre-r7 commented Oct 21, 2020

Release Notes

Added extended version checks for SharePoint and Exchange servers as used by the exploit modules for CVE-2020-16875 and CVE-2020-16952.

@wvu
Contributor Author

wvu commented Oct 21, 2020

Thank you so much for handling this!

@wvu wvu deleted the feature/exchange branch October 21, 2020 23:37
@pbarry-r7 pbarry-r7 added the rn-enhancement release notes enhancement label Oct 28, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Nov 24, 2020