Share
## https://sploitus.com/exploit?id=FDA8A3EC-5064-5E8B-83E5-CFE94D3848EA
# CVE-2018-8581 Testing Environment

This directory contains a realistic mock environment for testing the **CVE-2018-8581** (Microsoft Exchange Server EoP / PrivExchange) Nuclei template. The mock server is designed to emulate authentic IIS 8.5, ASP.NET 4.0, and Exchange 2013/2016 HTTP request/response sequences.

## Components

- `mock_exchange.py`: Realistic mock server for the **vulnerable** state.
- `mock_patched_exchange.py`: Realistic mock server for the **patched** state (imitates the `DisablePushNotifications` mitigation).
- `Dockerfile` & `docker-compose.yml`: For containerized testing.
- `scripts/test.sh`: Automated bash script to run tests.

## Prerequisites

- **Python 3.x** (for running mocks directly)
- **Docker & Docker Compose** (optional, for containerized testing)
- **Nuclei** (latest version recommended)

## Step-by-Step Testing

### 1. Test Vulnerable Environment (True Positive)

To verify that the template correctly identifies a vulnerable system:

**Option A: Manual (Python)**
1. Start the vulnerable mock:
   ```bash
   python3 mock_exchange.py
   ```
2. In another terminal, run Nuclei:
   ```bash
   nuclei -t ../http/cves/2018/CVE-2018-8581.yaml -u http://127.0.0.1:8080 -debug
   ```

**Option B: Docker**
1. Start the container:
   ```bash
   docker-compose up --build
   ```
2. Run Nuclei:
   ```bash
   nuclei -t ../http/cves/2018/CVE-2018-8581.yaml -u http://127.0.0.1:8080 -debug
   ```

### 2. Test Patched Environment (Avoid False Positive)

To verify that the template correctly ignores a patched system:

1. Start the patched mock:
   ```bash
   python3 mock_patched_exchange.py
   ```
2. Run Nuclei:
   ```bash
   nuclei -t ../http/cves/2018/CVE-2018-8581.yaml -u http://127.0.0.1:8082 -debug
   ```
   *Expected Result: You should see the DSL fingerprinting match (dsl-2), but NO vulnerability match (word-3), as the server returns an `ErrorPushNotificationsDisabled` code.*

### 3. Automated Script

You can run the provided automation script to verify the vulnerable state:
```bash
bash scripts/test.sh
```

## Debugging

Use the `-debug` flag in Nuclei to see the raw request/response sequence. For a successful match, look for:
- `Authorization: NTLM TlRMTVNTUAAB...` in the first request.
- `SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/Subscribe"` in the second request.
- `ResponseClass="Success"` and `NoError` in the final XML response.