# CVE-2022-41082-POC
PoC for the CVE-2022-41082 RCE, also known as ProxyNotShell


This is only a Proof-of-Concept! It can trigger unpredictable behavior. Don't use it on real systems without permission.

## CVE description

Microsoft says:
"CVE-2022-41082, is a Server-Side Request Forgery (SSRF) vulnerability that allows remote code execution (RCE) when PowerShell is accessible to the attacker."

## Who is vulnerable?

Tested vulnerable hosts:
- Microsoft Exchange Server 2013 (15.0)
- Microsoft Exchange Server 2016 (15.1)
- Microsoft Exchange Server 2019 (15.2)

We will update this list later. We suspect that almost all builds running Outlook Web Application with port 443 open are affected.

## CVE-2022-41082 download exploit

As mentioned at the beginning, CVE-2022-41082 was given such a high CVSS score because it allows remote code execution. This means it can go unnoticed by the user and potentially by the security team as well. Such a powerful tool should not be fully public; there are strictly 10 copies for sale at a fair price:
This should draw attention to the importance of cyber security. It can be tempting to ignore it or palm it off to the IT team, but both of these options can leave you susceptible to real and damaging risks.

## Rules

Do not resell!
Do not publish!

## Detection

You should run the following command to scan IIS log files for indicators of compromise:

```powershell
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
```
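
The pattern above accepts `200` anywhere after the `@`, so a row with a different status can still match when `200` appears in a later column such as time-taken. The following is an added example, not part of the original project: it reads the `#Fields:` header, decodes the request, looks for the same three tokens in any order (a generalization of the pattern above), and compares the `sc-status` column exactly. The function name and the sample log lines are constructed for illustration.

```powershell
# Added example, not part of the original project. Field-aware IIS W3C log scan.
function Find-AutodiscoverPowershellHit {
    param([Parameter(Mandatory)][string[]]$Line)

    $fields = @()
    foreach ($l in $Line) {
        if ($l.StartsWith('#Fields:')) {
            # The column layout can change mid-file; re-read it at every header.
            $fields = $l.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or $fields.Count -eq 0) { continue }

        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # cs-uri-query is logged percent-encoded; decode before matching.
        $request = [uri]::UnescapeDataString("$($row['cs-uri-stem'])?$($row['cs-uri-query'])")

        # Same three tokens as the page's pattern, in any order (-match ignores case),
        # plus an exact comparison of the status column.
        if ($request -match 'autodiscover\.json' -and $request -match '@' -and
            $request -match 'powershell' -and $row['sc-status'] -eq '200') {
            [pscustomobject]@{
                Date     = $row['date']
                Time     = $row['time']
                ClientIp = $row['c-ip']
                Request  = $request
            }
        }
    }
}

# Constructed sample log (documentation addresses and domain), for illustration only.
# The second row has status 401 and a time-taken value of 200.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken
2022-10-01 10:00:01 POST /autodiscover/autodiscover.json @example.invalid/powershell/ 443 192.0.2.10 200 31
2022-10-01 10:00:02 POST /autodiscover/autodiscover.json @example.invalid/powershell/ 443 192.0.2.11 401 200
2022-10-01 10:00:03 GET /owa/ - 443 192.0.2.12 200 12
'@ -split "`r?`n"

Find-AutodiscoverPowershellHit -Line $sample
```

To scan real logs, pass the `Get-Content` output of each file found by the `Get-ChildItem` command above as `-Line`.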

## Mitigation

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add the string "`.*autodiscover\.json.*\@.*Powershell.*`" (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern "`.*autodiscover\.json.*\@.*Powershell.*`" and click Edit under Conditions.
- Change the condition input from `{URL}` to `{REQUEST_URI}`.

## Disclaimer

This project is intended for educational purposes only and cannot be used for law violation or personal gain.
The authors of this project are not responsible for any damages caused by direct or indirect use of the information or functionality provided by this script.