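├── README.md
├── exploit.sh
└── proxynotshell_checker.nse

/README.md:
--------------------------------------------------------------------------------
# Exploit-Microsoft-Exchange-Server
Zero-day vulnerabilities affecting Microsoft Exchange Server

# Add this NSE file to your Nmap Scripting Engine by copying it to
/usr/share/nmap/scripts
--------------------------------------------------------------------------------

/exploit.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Enumerate subdomains of the given domain with subfinder and run the
# ProxyNotShell checker against port 443 of each of them.
# Usage: ./exploit.sh <domain>
# Results are written under ./Results (domains.txt plus nmap's output).
set -eu

if [ "$#" -ne 1 ]; then
  echo "usage: $0 <domain>" >&2
  exit 1
fi

mkdir -p Results
# Stop here if the directory cannot be entered; the original ran the rest of
# the pipeline in the current directory in that case.
cd Results || exit 1

# Quote "$1" so a domain argument is passed as a single word and is not
# subject to word splitting or glob expansion by the shell. With `set -e`
# nmap no longer runs when subfinder fails (and domains.txt may not exist).
subfinder -d "$1" -all -silent -o domains.txt
nmap -iL domains.txt -p 443 --script proxynotshell_checker.nse
--------------------------------------------------------------------------------

/proxynotshell_checker.nse:
--------------------------------------------------------------------------------
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

-- NOTE(review): verify the CVE identifiers quoted in this description against
-- the MSRC advisory linked below before relying on them in reports.
description = [[
Check for Microsoft Exchange servers potentially vulnerable to ProxyNotShell (CVE-2022-40140 & CVE-2022-41082) due to the fact that temporary mitigation is not applied.
References:
https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9
]]

---
-- @usage
-- nmap --script proxynotshell_checker.nse -p443 <target>
--
-- @output
-- | proxynotshell_checker:
-- |_  Microsoft Exchange: <verdict string produced by CheckVuln>

author = "Germán Fernández (1ZRR4H)"
license = "GPLv3"
-- NOTE(review): "default" makes this run under -sC on every HTTP port; the
-- NSE convention for vulnerability checks is the "vuln" category. Left
-- unchanged here because it alters when the script is scheduled.
categories = {"default", "discovery", "safe"}
portrule = shortport.http

-- Send one request of the shape that the ProxyNotShell URL-rewrite
-- mitigation is meant to block and classify the server from the reply.
--
-- Classification, as defined by the original author:
--   * any reply carrying an X-FEServer header -> mitigation not applied
--     (a 302 additionally reports the older ProxyShell path as reachable);
--   * 401 / 404 / 403 / 500 -> reported as not vulnerable;
--   * no HTTP status at all (the request failed) -> retried once with the
--     ".." variant of the path and classified the same way;
--   * anything else -> "not vulnerable or inaccessible".
--
-- X-FEServer only shows that the request reached an Exchange front end; it
-- is not proof of a missing patch, so "Potentially vulnerable" verdicts are
-- a prompt for manual verification, not a finding on their own.
--
-- @param host nmap host table
-- @param port nmap port table
-- @return string verdict for the script output
local function CheckVuln(host, port)
  -- These were undeclared (global) in the original; globals leak into the
  -- shared NSE environment and can collide with other scripts.
  local payload = "/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell"
  local payload_bypass = "/autodiscover/autodiscover.json?a..foo.var/owa/?&Email=autodiscover/autodiscover.json?a..foo.var&Protocol=XYZ&FooProtocol=Powershell"

  local options = {
    redirect_ok = false,
    header = {
      -- Header *value* only. The original stored 'User-Agent: Mozilla/...'
      -- here, so the wire request carried "User-Agent: User-Agent: Mozilla/...".
      ["User-Agent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0",
    },
  }

  -- Guard the response and its header table so a malformed or failed reply
  -- falls through to a verdict instead of raising inside the script.
  local response = http.get(host, port, payload, options) or {}
  local headers = response.header or {}
  local feserver = headers["x-feserver"]

  if feserver ~= nil then
    if response.status == 302 then
      return "[" .. feserver .. "] Potentially vulnerable to ProxyShell and ProxyNotShell (mitigation not applied)."
    end
    return "[" .. feserver .. "] Potentially vulnerable to ProxyNotShell (mitigation not applied)."
  elseif response.status == 401 then
    return "Not Vulnerable (resource requires basic authentication)."
  elseif response.status == 404 then
    return "Not Vulnerable (affected resource not found)."
  elseif response.status == 403 then
    return "Not Vulnerable (access to resource is blocked)."
  elseif response.status == 500 then
    return "Not Vulnerable (internal server error)."
  elseif response.status == nil then
    -- The first request produced no status; retry once with the second
    -- path variant before concluding that a mitigation is in place.
    local response_bypass = http.get(host, port, payload_bypass, options) or {}
    local bypass_headers = response_bypass.header or {}
    local bypass_feserver = bypass_headers["x-feserver"]

    if bypass_feserver ~= nil then
      if response_bypass.status == 302 then
        return "[" .. bypass_feserver .. "] Potentially vulnerable to ProxyShell and ProxyNotShell (mitigation bypassed)."
      end
      return "[" .. bypass_feserver .. "] Potentially vulnerable to ProxyNotShell (mitigation bypassed)."
    end
    return "Not vulnerable (possible mitigation applied)."
  else
    return "Server not vulnerable or inaccessible."
  end
end

-- Script entry point: runs the probe once per matching port and returns the
-- verdict under a single "Microsoft Exchange" key so it renders in both the
-- normal and the XML output.
action = function(host, port)
  local output = stdnse.output_table()
  output["Microsoft Exchange"] = CheckVuln(host, port)
  return output
end
--------------------------------------------------------------------------------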