Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-0688 PoC — Microsoft Exchange Server 授权问题漏洞

Source
https://github.com/SLSteff/CVE-2020-0688-Scanner
Associated Vulnerability
Title:Microsoft Exchange Server 授权问题漏洞 (CVE-2020-0688)
Description:A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
Description
Scans for Microsoft Exchange Versions with masscan
Readme
[![made-with-bash](https://img.shields.io/badge/Made%20with-Bash-1f425f.svg)](https://www.gnu.org/software/bash/)

# CVE-2020-0688-Scanner
This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and Versions discovered. The specified IP/range/CIDR will be scanned with [`masscan`](https://github.com/robertdavidgraham/masscan) on port **tcp/443**. After a successful scan it tries to HTTP GET **"/owa/auth/logon.aspx"** with curl to grab the Outlook Web Access page source for build versions to display.

On Small Business Server 2011 with Exchange Server 2010 SP3 Update Rollup 30 the version on **"/owa/auth/logon.aspx"** wasn't updated. The page source shows the build version **"14.3.487"** (Exchange Server 2010 SP3 probably CU29, which is vulnerable) instead of **"14.3.496"** (mentioned by Remy S on [blog.rapid7.com](https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/)). In this case the script will try to get the following file: **"/ecp/14.3.496.0/Scripts/microsoftajax.js"**, if this file is available the Exchange Server is not vulnerable and as of this writing up to date.

The output of the script will be enriched with additional information like DNS reverse lookup of the IP and the certificate subject name.


# Requirements
[`masscan`](https://github.com/robertdavidgraham/masscan) from [Robert David Graham](https://github.com/robertdavidgraham)


# Usage
### Scan IP/Range/CIDR:
Specifiy the IP/Range/CIDR with the **`-n`** flag:

	$ ./CVE-2020-0688-Scanner.sh -n <ip/range/cidr>

Turn verbosity on with the **`-v`** flag (very noisy):

	$ ./CVE-2020-0688-Scanner.sh -n <ip/range/cidr> -v


### Scan a single IP:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.xxx


### Scan a subnet:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.0/24


### Scan an ip-range:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.10-xxx.xxx.xxx.45


### Combine these options with a comma:

	$ ./CVE-2020-0688-Scanner.sh -n xxx.xxx.xxx.xxx,xxx.xxx.xxx.10-xxx.xxx.xxx.45,xxx.xxx.xxx.0/19


# Screenshot
![alt text](https://github.com/SLSteff/project-pictures/blob/main/CVE-2020-0688-Scanner.png "CVE-2020-0688-Scanner Screenshot of a /19 scan")
Scan of a /19 network with multiple vulnerable Microsoft Exchange Server.


# ToDo
I don't think I'll update this anytime soon, it did it's job
- [x] put it on github
- [ ] clean up code... (ain't nobody got time for that...)
- [ ] rewrite in python... (maybe in the future...)
- [ ] add log function
File Snapshot

 [4.0K]  /data/pocs/ea96838b2c1eff17336ce0325a6304b2d18bfa24
├── [ 25K]  CVE-2020-0688-Scanner.sh
├── [1.0K]  LICENSE
└── [2.4K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →