## https://sploitus.com/exploit?id=FDA8A3EC-5064-5E8B-83E5-CFE94D3848EA
# CVE-2018-8581 Testing Environment
This directory contains a realistic mock environment for testing the **CVE-2018-8581** (Microsoft Exchange Server EoP / PrivExchange) Nuclei template. The mock server is designed to emulate authentic IIS 8.5, ASP.NET 4.0, and Exchange 2013/2016 HTTP request/response sequences.
## Components
- `mock_exchange.py`: Realistic mock server for the **vulnerable** state.
- `mock_patched_exchange.py`: Realistic mock server for the **patched** state (imitates the `DisablePushNotifications` mitigation).
- `Dockerfile` & `docker-compose.yml`: For containerized testing.
- `scripts/test.sh`: Automated bash script to run tests.
## Prerequisites
- **Python 3.x** (for running mocks directly)
- **Docker & Docker Compose** (optional, for containerized testing)
- **Nuclei** (latest version recommended)
## Step-by-Step Testing
### 1. Test Vulnerable Environment (True Positive)
To verify that the template correctly identifies a vulnerable system:
**Option A: Manual (Python)**
1. Start the vulnerable mock:
```bash
python3 mock_exchange.py
```
2. In another terminal, run Nuclei:
```bash
nuclei -t ../http/cves/2018/CVE-2018-8581.yaml -u http://127.0.0.1:8080 -debug
```
**Option B: Docker**
1. Start the container:
```bash
docker-compose up --build
```
2. Run Nuclei:
```bash
nuclei -t ../http/cves/2018/CVE-2018-8581.yaml -u http://127.0.0.1:8080 -debug
```
### 2. Test Patched Environment (Avoid False Positive)
To verify that the template correctly ignores a patched system:
1. Start the patched mock:
```bash
python3 mock_patched_exchange.py
```
2. Run Nuclei:
```bash
nuclei -t ../http/cves/2018/CVE-2018-8581.yaml -u http://127.0.0.1:8082 -debug
```
*Expected Result: You should see the DSL fingerprinting match (dsl-2), but NO vulnerability match (word-3), as the server returns an `ErrorPushNotificationsDisabled` code.*
### 3. Automated Script
You can run the provided automation script to verify the vulnerable state:
```bash
bash scripts/test.sh
```
## Debugging
Use the `-debug` flag in Nuclei to see the raw request/response sequence. For a successful match, look for:
- `Authorization: NTLM TlRMTVNTUAAB...` in the first request.
- `SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/Subscribe"` in the second request.
- `ResponseClass="Success"` and `NoError` in the final XML response.