Exploit for Improper Authentication in Microsoft CVE-2020-0688

Name: Exploit for Improper Authentication in Microsoft CVE-2020-0688
Rating: 5 (81 reviews)
2020-10-29 | CVSS 8.8
## https://sploitus.com/exploit?id=F1CA855B-967C-5A5E-9256-FDDE87702713
[![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)](https://www.gnu.org/software/bash/)

# CVE-2020-0688-Scanner
This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and Versions discovered. The specified IP/range/CIDR will be scanned with [`masscan`](https://github.com/robertdavidgraham/masscan) on port **tcp/443**. After a successful scan it tries to HTTP GET **"/owa/auth/logon.aspx"** with curl to grab the Outlook Web Access page source for build versions to display.

On Small Business Server 2011 with Exchange Server 2010 SP3 Update Rollup 30 the version on **"/owa/auth/logon.aspx"** wasn't updated. The page source shows the build version **"14.3.487"** (Exchange Server 2010 SP3 probably CU29, which is vulnerable) instead of **"14.3.496"** (mentioned by Remy S on [blog.rapid7.com](https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/)). In this case the script will try to get the following file: **"/ecp/14.3.496.0/Scripts/microsoftajax.js"**, if this file is available the Exchange Server is not vulnerable and as of this writing up to date.

The output of the script will be enriched with additional information like DNS reverse lookup of the IP and the certificate subject name.


# Requirements
[`masscan`](https://github.com/robertdavidgraham/masscan) from [Robert David Graham](https://github.com/robertdavidgraham)


# Usage
### Scan IP/Range/CIDR:
Specifiy the IP/Range/CIDR with the **`-n`** flag:

	$ ./CVE-2020-0688-Scanner.sh -n <ip/range/cidr>

Turn verbosity on with the **`-v`** flag (very noisy):

	$ ./CVE-2020-0688-Scanner.sh -n <ip/range/cidr> -v


### Scan a single IP:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.xxx


### Scan a subnet:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.0/24


### Scan an ip-range:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.10-xxx.xxx.xxx.45


### Combine these options with a comma:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.xxx,xxx.xxx.xxx.10-xxx.xxx.xxx.45,xxx.xxx.xxx.0/19


# Screenshot
![alt text](https://github.com/SLSteff/project-pictures/blob/main/CVE-2020-0688-Scanner.png "CVE-2020-0688-Scanner Screenshot of a /19 scan")
Scan of a /19 network with multiple vulnerable Microsoft Exchange Server.


# ToDo
I don't think I'll update this anytime soon, it did it's job
- [x] put it on github
- [ ] clean up code... (ain't nobody got time for that...)
- [ ] rewrite in python... (maybe in the future...)
- [ ] add log function