Quick tool for checking CVE-2020-0688 on multiple hosts with a non-intrusive method.# CVE-2020-0688-Scanner
Quick C# tool for checking CVE-2020-0688 on multiple hosts with a non-intrusive method.
## Features
- Scan hosts from an input file.
- Passive check : grab exchange version by scraping html content.
- Produces an output file.
## Demo
[](https://github.com/onSec-fr/CVE-2020-0688-Scanner/blob/master/demo.png?raw=true)
## How to use
### Prerequisite
- Windows
- .NET framework 4.5.2
#### Download
```bash
git clone https://github.com/onSec-fr/CVE-2020-0688-Scanner.git
```
#### Run
```bash
./CVE-2020-0688-Scanner.exe [path_to_input_file]
```
Note : the input file can contain ip addresses, hostnames and FQDN.
#### Disclaimer
This tool has been developed to test your own system or for authorized security testing. Make sure you check with your local laws before running this tool.
#### Limitations
Since Exchange 2013, only the first 3 parts of the version number can be retrieved in this way. This means that sometimes the server may be vulnerable if it has not the very last cumulative update. In this case the server is flagged as "maybe patched".
## References
- Unofficial build chart lists all of the known KB articles, hotfixes, update rollups and other builds of MS Exchange Server 2019, 2016, 2013, 2010, 2007, 2003, 2000, 5.5, 5.0 and 4.0 that have been released. : https://exchangeserverversions.blogspot.com/
- Analysis of CVE-2020-0688 : https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
- https://fr.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution
- nmap implementation by Kevin Beaumont : https://github.com/PwnPeter/0day-scripts/blob/2845b2d7a62c1baec581afab8fb065dde4f63413/nmap-nse/http-vuln-exchange.nse
[4.0K] /data/pocs/50b992ce0b542188a3469199cc6b30c4985d793d
├── [ 13K] CVE-2020-0688-Scanner.exe
├── [ 184] CVE-2020-0688-Scanner.exe.config
├── [ 30K] CVE-2020-0688-Scanner.pdb
├── [ 64K] demo.png
├── [161K] HtmlAgilityPack.dll
├── [296K] HtmlAgilityPack.pdb
├── [152K] HtmlAgilityPack.xml
├── [1.0K] LICENSE
├── [1.9K] README.md
└── [4.0K] Sources
├── [ 184] App.config
├── [4.0K] bin
│ └── [4.0K] Release
│ ├── [ 13K] CVE-2020-0688-Scanner.exe
│ ├── [ 184] CVE-2020-0688-Scanner.exe.config
│ ├── [ 30K] CVE-2020-0688-Scanner.pdb
│ ├── [161K] HtmlAgilityPack.dll
│ ├── [296K] HtmlAgilityPack.pdb
│ └── [152K] HtmlAgilityPack.xml
├── [3.0K] CVE-2020-0688-Scanner.csproj
├── [ 286] CVE-2020-0688-Scanner.csproj.user
├── [1.1K] CVE-2020-0688-Scanner.sln
├── [4.0K] packages
│ └── [4.0K] HtmlAgilityPack.1.11.21
│ ├── [1.4M] HtmlAgilityPack.1.11.21.nupkg
│ └── [4.0K] lib
│ ├── [4.0K] Net35
│ │ ├── [152K] HtmlAgilityPack.dll
│ │ ├── [344K] HtmlAgilityPack.pdb
│ │ └── [141K] HtmlAgilityPack.xml
│ ├── [4.0K] Net40
│ │ ├── [156K] HtmlAgilityPack.dll
│ │ ├── [290K] HtmlAgilityPack.pdb
│ │ └── [142K] HtmlAgilityPack.XML
│ ├── [4.0K] Net40-client
│ │ ├── [156K] HtmlAgilityPack.dll
│ │ ├── [290K] HtmlAgilityPack.pdb
│ │ └── [142K] HtmlAgilityPack.xml
│ ├── [4.0K] Net45
│ │ ├── [161K] HtmlAgilityPack.dll
│ │ ├── [296K] HtmlAgilityPack.pdb
│ │ └── [152K] HtmlAgilityPack.XML
│ ├── [4.0K] NetCore45
│ │ ├── [127K] HtmlAgilityPack.dll
│ │ ├── [200K] HtmlAgilityPack.pdb
│ │ └── [ 83K] HtmlAgilityPack.XML
│ ├── [4.0K] netstandard1.3
│ │ ├── [ 46K] HtmlAgilityPack.deps.json
│ │ ├── [143K] HtmlAgilityPack.dll
│ │ ├── [ 40K] HtmlAgilityPack.pdb
│ │ └── [133K] HtmlAgilityPack.xml
│ ├── [4.0K] netstandard1.6
│ │ ├── [ 59K] HtmlAgilityPack.deps.json
│ │ ├── [154K] HtmlAgilityPack.dll
│ │ ├── [ 43K] HtmlAgilityPack.pdb
│ │ └── [141K] HtmlAgilityPack.xml
│ ├── [4.0K] netstandard2.0
│ │ ├── [ 42K] HtmlAgilityPack.deps.json
│ │ ├── [156K] HtmlAgilityPack.dll
│ │ ├── [ 44K] HtmlAgilityPack.pdb
│ │ └── [150K] HtmlAgilityPack.xml
│ ├── [4.0K] portable-net45+netcore45+wp8+MonoAndroid+MonoTouch
│ │ ├── [127K] HtmlAgilityPack.dll
│ │ ├── [200K] HtmlAgilityPack.pdb
│ │ └── [ 83K] HtmlAgilityPack.XML
│ ├── [4.0K] portable-net45+netcore45+wpa81+wp8+MonoAndroid+MonoTouch
│ │ ├── [127K] HtmlAgilityPack.dll
│ │ ├── [200K] HtmlAgilityPack.pdb
│ │ └── [ 83K] HtmlAgilityPack.XML
│ └── [4.0K] uap10.0
│ ├── [143K] HtmlAgilityPack.dll
│ ├── [256K] HtmlAgilityPack.pdb
│ ├── [ 688] HtmlAgilityPack.pri
│ └── [133K] HtmlAgilityPack.XML
├── [ 142] packages.config
├── [ 11K] Program.cs
└── [4.0K] Properties
├── [1.5K] AssemblyInfo.cs
├── [4.0K] Resources.Designer.cs
└── [6.2K] Resources.resx
18 directories, 62 files