ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange Autodiscover

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

Small single-script Python exploit repository for Microsoft Exchange ProxyShell-style exploitation. The repository contains one executable code file, proxyhell_revisited.py, plus a short README, license, and .gitignore. The script uses requests and disables TLS verification warnings, indicating intended direct interaction with remote Exchange servers over HTTPS/HTTP. Its workflow is: (1) send a crafted Autodiscover request to leak the target mailbox LegacyDN using a supplied valid email address; (2) send a crafted MAPI request to extract a user SID from the Exchange response; (3) forge a serialized Windows token containing the recovered SID plus privileged group SIDs; (4) submit a SOAP/PowerShell remoting request with the forged token to execute a PowerShell command that writes a base64-decoded ASPX/JScript webshell into the IIS aspnet_client directory; and (5) print the resulting webshell URL for follow-on command execution. The embedded payload is not just a detector: it is a functional post-exploitation webshell that runs arbitrary commands via cmd.exe and returns output. The script also supports a limited --check mode that only tests the LegacyDN leak path and reports likely vulnerability to CVE-2021-34473. Overall, this is an operational PoC exploit for remote Exchange compromise and webshell deployment, not a framework module and not merely a README or scanner.

This repository contains a Python-based Proof of Concept (PoC) exploit for the ProxyShell vulnerability chain affecting Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). The main exploit script, 'exchange_proxyshell.py', automates the exploitation process by targeting Exchange's Autodiscover, MAPI, ECP, and EWS endpoints. It first enumerates users and emails from Active Directory, discovers LegacyDNs, and then abuses the ProxyShell vulnerabilities to obtain a valid access token. Using this token, the script establishes a PowerShell remoting session to the Exchange server, allowing the attacker to execute arbitrary commands. The exploit is operational and provides remote code execution capabilities. The repository is well-structured, with a detailed README explaining usage, features, and mitigation steps. No hardcoded IPs or domains are present; the target Exchange server is specified by the user at runtime.

This repository contains a Python proof-of-concept exploit for CVE-2021-34473, a critical remote code execution vulnerability in Microsoft Exchange Server (ProxyShell). The main file, CVE-2021-34473.py, implements the full exploit chain: it interacts with several Exchange endpoints (/autodiscover/autodiscover.json, /autodiscover/autodiscover.xml, /mapi/emsmdb, /EWS/exchange.asmx, and /powershell/) to obtain necessary tokens and identifiers, then establishes a local HTTP server that acts as a web shell interface. Through this interface, the attacker can send arbitrary PowerShell commands to the compromised Exchange server. The exploit requires the attacker to know a valid email address on the target server and for the server to be vulnerable to ProxyShell. The README clarifies that this is an experimental proof-of-concept and not a weaponized tool. The code is written in Python and is self-contained, with no external framework dependencies.

This repository provides proof-of-concept (POC) code and scanning resources for detecting the Proxyshell vulnerability (CVE-2021-34473) in Microsoft Exchange Server. The main exploit script, 'ProxyNotShell/CVE-2022-41040.py', is a Python script that sends a crafted HEAD request to the Exchange autodiscover endpoint and checks for the presence of the 'X-FEServer' header to determine vulnerability. The 'proxyshell.yaml' file is a Nuclei scanner template for automated detection of the same vulnerability, using a similar HTTP request and matching on a 302 redirect and a specific Location header. The 'shodan-query.py' script is a utility for querying Shodan for potentially vulnerable Exchange servers based on favicon hash, outputting URLs for further scanning. The repository is structured for both manual and automated detection, with no weaponized payloads or exploitation beyond vulnerability identification. No hardcoded IPs or domains are present beyond the crafted request parameters. The repository is focused on detection and reconnaissance for Proxyshell, not on post-exploitation or full RCE.

This repository contains operational exploit scripts for multiple high-profile Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, etc.), ProxyOracle (CVE-2021-31196), and ProxyShell (CVE-2021-34473, CVE-2021-31207). The structure includes four main Python scripts: - 26855.py: Implements the ProxyLogon exploit chain, culminating in the upload of a JScript webshell (api.aspx) to the Exchange server by abusing the OAB virtual directory. It automates the process of obtaining necessary tokens and SIDs, and provides a final webshell URL for remote code execution. - 31196.py: Implements the ProxyOracle padding oracle attack, allowing extraction of plaintext credentials from encrypted session cookies by exploiting a padding oracle vulnerability in OWA. It requires a valid 'cadata' cookie and outputs the decrypted username and password. - 34473.py: Implements the ProxyShell exploit chain, allowing remote PowerShell command execution on the Exchange server. It automates the process of obtaining a valid CommonAccessToken and then uses pypsrp to execute arbitrary PowerShell scripts remotely. - 31207.py: Works with 34473.py to deliver arbitrary files (e.g., malicious PDFs) to user mailboxes and then exports mailbox contents to a specified UNC path, leveraging Exchange's mailbox export features. A users.txt file provides a list of default or known usernames to assist in the exploitation process. The README.md gives usage instructions and references for each exploit. The scripts are operational and automate the full exploitation process, including credential extraction, webshell upload, remote command execution, and file delivery. The main attack vector is network-based, targeting exposed Exchange web services (ECP, OWA, Autodiscover, EWS, and PowerShell endpoints).

This repository provides a comprehensive exploit toolkit for ProxyShell, targeting Microsoft Exchange Server vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The main exploit script (ProxyShell.py) automates the exploitation process, including user/SID enumeration, token generation, and remote code execution via crafted HTTP(S) requests to Exchange endpoints such as /autodiscover/autodiscover.json, /EWS/exchange.asmx, and /powershell/. The toolkit includes auxiliary scripts for manual exploitation (manual/check.py, manual/proxyshell.py, manual/shell.py), a nuclei detection template (proxyshell.yaml), and a Shodan search script (shodan-query.py) for identifying vulnerable targets. The exploit achieves remote code execution by chaining SSRF, privilege escalation, and arbitrary file write vulnerabilities, ultimately allowing the attacker to execute arbitrary PowerShell commands or deploy webshells. The repository is well-structured for both automated and manual exploitation, and is operational in maturity, providing real-world attack capabilities against unpatched Exchange servers.