# CVE-2022-41040-RCE-POC aka ProxyNotShell
CVE-2022-41040 Remote Code Exeuction vulnerability

![ProxyNotShell](proxynotshell.png?raw=true "ProxyNotShell")

## CVE description

Microsoft says:
"CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker." So not only does this give RCE, but it's a level up from Proxyshell, where ProxyNotShell gives you actual god permissions in the Exchange server.

## URL Rewrite
![URL Rewrite](urlrewrite.png?raw=true "URL Rewrite")

## Alert, Stage execution
![Alert, Stage execution](alertstageexecution.png?raw=true "Alert, Stage execution")

## Emulate Microsoft Exchange EWS service
![Emulate EWS](emulateews.jpeg?raw=true "Emulate EWS")

## Who is vulnerable?

Tested vulnerable hosts:
- Microsoft Exchange Server 2013 (15.0)
- Microsoft Exchange Server 2016 (15.1)
- Microsoft Exchange Server 2019 (15.2)
![Vulnerable](vulnerable.png?raw=true "Vulnerable")

## CVE-2022-41040 download exploit

As mentioned at the beginning, CVE-2022-41040 was given such a high CVSS score because it is remote code execution. This means it can go unnoticed by the user and potentially by the security team as well. Such a powerfull tool should not be fully public, there is strictly only 1 copy available so a REAL researcher can use it:  https://satoshidisk[.]com/pay/CGaT4H

This should attract attention to importance of cyber security, it can be tempting to ignore, or palm it off to the IT team. But both of these options can leave you susceptible to real and damaging risks. Do NOT resell or leak this PoC or you can be at risk of breaking the law.

## Patching
There are currently no patches from Microsoft.

## Detection

You should run the following command to scan IIS log files in the MS Sentinel Format, for indicators of compromise:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
You can see more at ThreatHunting/Exchange-CVE-2021โ€“34473-SSRF, the indicators of compromise are the same as the previous Proxyshell

## Mitigation

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String โ€œ.*autodiscover\.json.*\@.*Powershell.*โ€ (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}

## Disclamer

This project is intended for educational purposes only and cannot be used for law violation or personal gain.
The authors of this project is not responsible for any damages caused by direct or indirect use of the information or functionality provided by those script.