Microsoft Exchange Server static validation key RCE
CVE-2020-0688 is a remote code execution vulnerability in on-premises Microsoft Exchange Server, originally titled the Microsoft Exchange memory corruption vulnerability. Exploitation requires an authenticated user and is carried out against the Exchange Control Panel (ECP). The root cause is that Exchange installs the same, non-unique cryptographic keys for ViewState protection on every server at install time (a static key vulnerability), so an attacker holding valid credentials can craft serialized ViewState data that the server accepts as authentic and deserializes. Public reporting indicates this has been used to execute attacker-controlled code and, commonly, to write an ASPX web shell such as /ecp/HybridLogout.aspx.
Exploits
13 exploit repositories are listed below, after Mallory filtered out fakes, detection-only scripts, and README-only repositories (7 further entries hidden).
This repository is an exploit for CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server due to fixed cryptographic keys in ViewState. The main exploit logic is implemented in 'exploit.py', which automates authentication to OWA, checks for vulnerability, and leverages ysoserial.net (ysonet.exe) to generate a malicious ViewState payload. The exploit allows the attacker to execute arbitrary commands, upload files, and obtain a reverse shell on the target Exchange server. The attacker must provide valid credentials and host a web server for payload delivery. The 'script.bat' file is a base64-encoded PowerShell script that establishes a reverse shell using netcat. The repository structure is straightforward: 'exploit.py' (main exploit), 'script.bat' (reverse shell payload), and 'README.md' (usage instructions). The exploit targets Exchange servers accessible over the network and requires the attacker to modify configuration parameters for their environment.
This repository contains a PowerShell proof-of-concept exploit for CVE-2020-0688, a vulnerability in Microsoft Exchange Server where all unpatched servers use the same cryptographic keys for ViewState. The main script, PSForgot2kEyXCHANGE.ps1, allows an attacker with valid Exchange credentials to execute arbitrary commands as SYSTEM on a vulnerable Exchange server. The exploit works by authenticating to the server, generating a malicious ViewState payload using ysoserial.net, and sending it to the Exchange Control Panel endpoint. The repository includes a README with usage instructions and a LICENSE file. The only code file is the PowerShell script, which is self-contained but requires ysoserial.net to function. The attack vector is network-based, targeting Exchange servers over HTTP(S), and the script requires the attacker to supply the target server URL, credentials, command to execute, and the path to ysoserial.net.
This repository contains a Python exploit script (cve-2020-0688.py) targeting Microsoft Exchange Server's CVE-2020-0688 vulnerability. The exploit leverages ysoserial.exe to generate a malicious .NET ViewState payload containing an arbitrary system command, which is then sent to the Exchange Control Panel (ECP) endpoint via a crafted URL. The script requires the user to specify the target Exchange URL, a command to execute, and a valid ASP.NET session ID. The default payload writes a file to the target's C: drive, demonstrating successful code execution. The repository also includes documentation files, .xml files related to serialization libraries, and a configuration file for ysoserial.exe. The exploit is operational and demonstrates remote code execution capabilities against vulnerable Exchange servers.
This repository provides a proof-of-concept exploit for CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server's ECP (Exchange Control Panel) due to improper handling of ViewState. The repository contains two files: a README.md with usage instructions and a Python script (exploit.py) that automates the login process to the Exchange OWA/ECP interface. The script attempts to authenticate with provided credentials, extract the __VIEWSTATEGENERATOR and ASP.NET_SessionId values, and then constructs a ysoserial.net command to generate a malicious ViewState payload. The payload is designed to trigger a DNS request (as a demonstration of code execution) to an attacker-controlled domain. The exploit is not fully functional and is marked as a mockup requiring further development and a test environment. The main attack vector is network-based, targeting the Exchange web interface. Notable endpoints include the ECP default.aspx page, the OWA login endpoint (auth.owa), and a DNS domain used for out-of-band verification.
This repository is a C# WPF GUI tool for exploiting CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server. The project consists of a Visual Studio solution with a main application in 'CVE-2020-0688-GUI'. The GUI allows the user to specify a target Exchange server (without the protocol prefix), provide valid credentials, and choose between executing a command or loading a shellcode binary. The tool enforces that only one mode (command or shellcode) can be used at a time. The exploit logic is triggered via the 'EXPLOIT' button, which instantiates an 'ExchangeExploit' object (not included in the provided files, likely part of a dependency or omitted code) to perform the attack. The result of the exploitation attempt is displayed in the GUI. The repository is not part of a framework and is a standalone operational exploit tool. The README provides usage instructions and credits the original author of the command-line version. The only fingerprintable endpoint in the code is the example 'mail.nasa.gov', used as a placeholder for the target Exchange server address.
This repository contains a Python exploit script (CVE-2020-0688.py) targeting Microsoft Exchange Server 2016 and 2019 instances vulnerable to CVE-2020-0688. The exploit requires valid domain credentials and interacts with the Exchange server's /owa/auth.owa and /ecp/default.aspx endpoints over HTTPS. It uses ysoserial.exe (included in the Release directory) to generate a malicious .NET ViewState payload that, when delivered to the server, results in remote code execution of arbitrary system commands. The script is operational and automates the authentication, payload generation, and exploitation process. The other files in the repository are .xml documentation/configuration files and are not directly involved in the exploit process.
This repository contains a Go-based proof-of-concept exploit for CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server's ECP (Exchange Control Panel) component. The repository consists of three files: a LICENSE, a README.md with detailed usage instructions, and the main exploit code in 'ecp_slap.go'. The Go file implements three main functions:
- 'scan': Authenticates to the target Exchange server's ECP endpoint using provided credentials, checks for vulnerability indicators, and saves authentication cookies to 'cookies.txt'.
- 'generate': Assists in generating a ysoserial.net ViewState payload for command execution, outputting the appropriate command line for ysoserial.net.
- 'exploit': Uses the cookies and the serialized payload to send an authenticated request to the ECP endpoint, triggering code execution on the vulnerable server.
The exploit requires valid credentials and targets the ECP endpoint (typically https://<target>/ecp). It leverages ysoserial.net to generate a malicious ViewState payload, which is then delivered to the server to achieve arbitrary command execution. The README provides comprehensive instructions, including manual validation steps and references to official advisories and write-ups. The code is a functional proof-of-concept and does not include weaponized features such as automated payload generation or post-exploitation modules.
This repository provides an exploit for CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server due to a fixed cryptographic key in the ViewState parameter. The main exploit script, CVE-2020-0688_EXP.py, is a Python tool that automates the exploitation process. It authenticates to the target Exchange server's OWA (Outlook Web App) interface using provided credentials, retrieves necessary session and ViewState information, and then generates a malicious ViewState payload using ysoserial.NET (included in the repository). The payload can execute arbitrary system commands on the server. The script supports both encrypted and unencrypted payloads. The README provides usage instructions and lists several example vulnerable endpoints under the /ecp/ path. The repository also includes documentation and configuration files for ysoserial.NET, which is used to generate the serialized payloads. The exploit requires valid credentials and network access to the Exchange server's ECP endpoints. The overall structure is straightforward: one main Python exploit script, a README, and supporting files for ysoserial.NET.
This repository contains a Python exploit script targeting Microsoft Exchange servers vulnerable to CVE-2020-0688, a .NET deserialization vulnerability. The exploit requires valid Exchange credentials and interacts with the server's /owa/auth.owa and /ecp/default.aspx endpoints to authenticate and leak necessary session and viewstate information. It then uploads an ASPX webshell to /ecp/HybridLogout.aspx, allowing the attacker to execute arbitrary system commands via the webshell's 'cmd' parameter. The script is operational, providing an interactive shell for command execution. The repository consists of a README and a single Python exploit script, with the main entry point being 'fuckchina_v2.py'. No hardcoded IPs or domains are present; endpoints are relative to the user-supplied Exchange server URL.
This repository contains operational exploit and detection tools for CVE-2020-0688, a critical deserialization vulnerability in Microsoft Exchange Server's MachineKeySection. The main files are:
- ExchangeDetect.cs: A C# tool that authenticates to a target Exchange server using provided credentials, then crafts and sends a malicious __VIEWSTATE parameter to /ecp/default.aspx to detect whether the server is vulnerable. It checks for a custom response header (X-ZCG-TEST) to confirm exploitation.
- RemoteStub.cs: A C# web shell stub that can be deployed to a compromised server. It receives encrypted payloads via the __SCROLLPOSITION parameter, decrypts them, and can execute commands, run shellcode, or return the process architecture. It returns results in a hidden __VIEWSTATE field.
- README.md: Provides build and usage instructions for the tools, including command-line options for detection and exploitation (command execution, shellcode injection, architecture detection).
The exploit requires valid Exchange credentials and network access to the target's OWA and ECP endpoints. The tools are capable of both detecting the vulnerability and, with the related ExchangeCmd tool (not included in the provided files), achieving remote code execution. The endpoints targeted are the standard Exchange OWA and ECP URLs over HTTPS. The code is written in C# and is operational, providing real exploitation capabilities for CVE-2020-0688.
This repository contains a Python exploit script (CVE-2020-0688.py) targeting Microsoft Exchange Server instances vulnerable to CVE-2020-0688, a ViewState deserialization vulnerability. The exploit requires valid Exchange user credentials and interacts with the /owa/auth.owa endpoint to authenticate and obtain a session cookie. It then extracts the VIEWSTATEGENERATOR value from the Exchange Control Panel (ECP) page and prompts the user to generate a malicious ViewState payload using ysoserial.net. The payload is then delivered to the /ecp/default.aspx endpoint, resulting in arbitrary command execution on the server. The repository is structured simply, with the main exploit logic in a single Python file and a README providing usage instructions. The exploit is operational, requiring some manual steps (payload generation) but automating authentication and payload delivery.
This repository provides a set of Python scripts to exploit CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server (2010-2019) due to a fixed cryptographic key in ViewState. The main files are:
- 'cve-2020-0688.py': Automates login to Exchange OWA, retrieves necessary session and ViewState information, and helps craft a ysoserial.NET ViewState payload for command execution. The user must supply a ysoserial-generated payload for exploitation.
- '0688-detect.py': Similar to the main exploit, but appears to focus on detection and basic exploitation, including version checks and a hardcoded payload for testing vulnerability.
- 'ExchangeCmdPy.py': A more advanced exploit script that, after authentication and exploitation, provides an interactive shell (via the GiveMeShell class) to execute commands, run shellcode, install a memory shell, and remove persistence artifacts. It automates the full exploitation chain and post-exploitation interaction.
- 'requirements.txt': Lists dependencies (pycryptodome, requests, urllib3).
The exploit requires valid Exchange credentials and network access to the target's OWA and ECP endpoints. It leverages the ViewState deserialization flaw to execute arbitrary commands, and can provide persistent access via a memory shell. Several Exchange ECP endpoints are referenced for exploitation. The repository is operational and provides both exploitation and post-exploitation capabilities.
This repository contains a PowerShell exploit script (CVE-2020-0688.ps1) targeting the Microsoft Exchange Server ViewState deserialization vulnerability (CVE-2020-0688). The exploit leverages the fact that all vulnerable Exchange installations use the same static cryptographic keys for ViewState, allowing an authenticated attacker to craft a malicious ViewState payload (using ysoserial.net) that is deserialized by the server, resulting in remote code execution as SYSTEM. The script requires the attacker to provide the Exchange ECP URL, valid credentials, the command to execute, and the path to ysoserial.exe. It automates the login process, retrieves necessary session and ViewState parameters, generates the payload, and triggers the exploit by sending a crafted request to the /ecp/default.aspx endpoint. The repository also includes a README with detailed usage instructions and a GPLv3 license file. The main attack vector is network-based, requiring access to the Exchange web interface and valid credentials. The endpoints of interest are /owa/auth.owa (for authentication) and /ecp/default.aspx (for payload delivery).
Recent activity
Listed as a vulnerability suspected to have been exploited by Iran-linked actors in real-world campaigns; the source provides no further technical detail.
CVE-2020-0688, a Microsoft Exchange remote code execution vulnerability, was documented as used by the threat actor during 2019–2020.
A Microsoft Exchange vulnerability listed in the report's Dragonfly/TA17-293A table of exploited vulnerabilities.
A Microsoft Exchange vulnerability referenced as part of the Dragonfly exploited-vulnerability list.