ProxyLogon post-auth arbitrary file write in Microsoft Exchange Server
CVE-2021-27065 is a Microsoft Exchange Server vulnerability in the Exchange Control Panel (ECP) that allows a post-authentication arbitrary file write on on-premises Exchange Server. Multiple sources describe CVE-2021-27065, together with CVE-2021-26858, as a post-authentication arbitrary write flaw that lets an authenticated attacker write a file to any path on the server. In observed ProxyLogon exploitation, attackers first obtained authentication to Exchange, commonly by chaining the CVE-2021-26855 SSRF or by using stolen administrator credentials, and then abused CVE-2021-27065 to drop ASPX webshells into Exchange/IIS-accessible paths. Although Microsoft labeled it a remote code execution vulnerability at the CVE level, the underlying primitive is arbitrary file write; RCE follows from writing executable server-side files such as webshells.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single Python exploit script plus README and MIT license. The script presents itself as a ‘CTT-enhanced’ exploit chain for Microsoft Exchange Server targeting CVE-2021-26855 (ProxyLogon SSRF) and CVE-2021-27065 (post-auth arbitrary file write leading to RCE). Core capabilities visible in the script include: (1) Exchange service fingerprinting by probing common endpoints (OWA/ECP/EWS/Autodiscover/MAPI/ActiveSync) and checking for Exchange-specific strings/headers; (2) SSRF vulnerability checking using the known ProxyLogon technique of injecting an X-BEResource value (shown as being placed in a Cookie header) while requesting /owa/auth/Current/themes/resources/logon.css, attempting to reach internal endpoints like localhost/ews/Exchange.asmx and localhost/ecp/default.flt; (3) a multi-layer execution concept (‘CTT layers’) that varies timing (prime-aligned sleeps) and obfuscates request payloads via a custom XOR+base64 encoding routine (‘α-dispersion’), claimed to improve evasion and reliability; (4) post-exploitation behavior indicated by console output/README: deployment of an ASPX webshell and printing a shell URL with a ctt_cmd query parameter for command execution (documented example path: /owa/auth/ctt_shell.aspx). The README describes a full automation chain (SSRF → LegacyDN leak → SID conversion → WriteDACL/OAB abuse → webshell), but the reviewed code excerpt is truncated, so only the detection/SSRF-check portions and the stated end result (webshell URL output) can be directly confirmed. No external C2 infrastructure is hardcoded; all network interaction is directed at the supplied target Exchange host and (via SSRF) internal loopback/localhost endpoints.
This repository is a proof-of-concept exploit for the ProxyLogon vulnerabilities (CVE-2021-26855 and CVE-2021-27065) affecting Microsoft Exchange Server. The main exploit script, 'exploit.py', is a Python program that automates the exploitation process, including backend host discovery, authentication bypass, and webshell upload. The exploit requires the attacker to provide the Exchange frontend URL, a valid email address (or SID), and a webshell payload. The script interacts with several Exchange endpoints, leveraging the ProxyLogon authentication bypass to gain administrative access and then abusing the OAB virtual directory to write a webshell to disk. Once the webshell is uploaded, the attacker can execute arbitrary commands on the server via HTTP requests to the webshell endpoint. The repository also includes a README with detailed usage instructions and an example attack flow. The exploit is operational and provides a working remote code execution vector, but the payload (webshell) must be supplied by the user and is subject to size and content restrictions.
This repository contains a fully operational exploit chain targeting Microsoft Exchange Server vulnerabilities CVE-2021-26855 (SSRF) and CVE-2021-27065 (RCE), known as the ProxyLogon exploit chain. The main file, 'Exchange_SSRFtoRCEChainExploit.py', is a Python script that automates the exploitation process: it first discovers the target's FQDN, then leverages SSRF to bypass authentication, escalates privileges, and finally uploads a JScript-based ASP web shell to the Exchange server's OWA authentication directory. The script interacts with several Exchange endpoints (notably /ecp/ and /owa/auth.owa) and writes the web shell to a known file path, enabling the attacker to execute arbitrary commands via HTTP requests. The exploit requires the attacker to provide the target Exchange server's URL and a valid email user. The README provides usage instructions and lists affected Exchange versions, confirming the exploit's applicability to Exchange 2010, 2013, 2016, and 2019 on Windows. The exploit is not part of a framework and is a standalone, weaponized script capable of achieving remote code execution.
This repository contains a multi-language (Python and Go) exploit toolkit for the ProxyLogon vulnerability chain (CVE-2021-26855 and CVE-2021-27065) affecting Microsoft Exchange Server 2013, 2016, and 2019. The main exploit scripts are 'proxylogon.py' (Python 3) and 'proxylogon.go' (Go), both of which automate the attack chain: 1) exploiting the SSRF authentication bypass to impersonate an admin, 2) leaking the SID and other necessary information, 3) exploiting the arbitrary file write to upload a web shell (ASPX/JScript), and 4) providing remote code execution via the web shell. The 'manual' directory contains supporting scripts for manual exploitation steps: 'check.py' (enumeration and exploitation), 'brute.py' (SID brute-forcing), and 'shell.py' (interacting with the web shell). The exploit requires a valid email address on the target Exchange server, which can be brute-forced if unknown. The toolkit is operational and provides a working web shell for post-exploitation. All network interactions are over HTTPS endpoints typical of Exchange (e.g., /ecp/, /rpc/, /aspnet_client/).
This repository contains a Python 3 exploit for the ProxyLogon vulnerabilities (CVE-2021-26855 and CVE-2021-27065) affecting Microsoft Exchange Server. The main file, ProxyLogon.py, implements a full exploit chain: it performs an SSRF (Server-Side Request Forgery) to bypass authentication, retrieves necessary information (such as domain and computer name), and leverages the vulnerabilities to write a web shell to the Exchange server's web directory. The exploit requires the attacker to specify the target Exchange server's hostname and a valid email address (or a file containing multiple addresses). Upon successful exploitation, a JScript-based web shell is uploaded to the server, granting the attacker remote code execution capabilities via HTTP requests. The code is operational and automates the entire attack chain, including NTLM authentication, mailbox SID retrieval, and web shell deployment. The README provides usage instructions and references the targeted CVEs. No detection-only scripts are present; the code is a working exploit.
This repository contains a Python exploit script (ProxyLogon.py) targeting Microsoft Exchange Server vulnerabilities CVE-2021-26855 (ProxyLogon) and CVE-2021-27065. The exploit chains an authentication bypass (SSRF) with an arbitrary file write to achieve remote code execution. The script performs multiple stages: it first discovers the Exchange FQDN, then uses SSRF to leak user information and the administrator's SID, and finally writes a JScript web shell (proxylogon.aspx) to the Exchange server's OWA authentication directory. The payload allows the attacker to execute arbitrary code via HTTP requests to the web shell. The repository also includes a README.md with background, usage instructions, and mitigation advice. The exploit is operational and provides a working web shell if the target is vulnerable and accessible.
This repository contains operational exploit scripts for multiple high-profile Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, etc.), ProxyOracle (CVE-2021-31196), and ProxyShell (CVE-2021-34473, CVE-2021-31207). The structure includes four main Python scripts:
- 26855.py: Implements the ProxyLogon exploit chain, culminating in the upload of a JScript webshell (api.aspx) to the Exchange server by abusing the OAB virtual directory. It automates the process of obtaining necessary tokens and SIDs, and provides a final webshell URL for remote code execution.
- 31196.py: Implements the ProxyOracle padding oracle attack, allowing extraction of plaintext credentials from encrypted session cookies by exploiting a padding oracle vulnerability in OWA. It requires a valid 'cadata' cookie and outputs the decrypted username and password.
- 34473.py: Implements the ProxyShell exploit chain, allowing remote PowerShell command execution on the Exchange server. It automates the process of obtaining a valid CommonAccessToken and then uses pypsrp to execute arbitrary PowerShell scripts remotely.
- 31207.py: Works with 34473.py to deliver arbitrary files (e.g., malicious PDFs) to user mailboxes and then exports mailbox contents to a specified UNC path, leveraging Exchange's mailbox export features.
A users.txt file provides a list of default or known usernames to assist in the exploitation process. The README.md gives usage instructions and references for each exploit. The scripts are operational and automate the full exploitation process, including credential extraction, webshell upload, remote command execution, and file delivery. The main attack vector is network-based, targeting exposed Exchange web services (ECP, OWA, Autodiscover, EWS, and PowerShell endpoints).
Recent activity
34 sources tracked across advisories, community write-ups, and news.
A specific Microsoft Exchange Server vulnerability that is part of the ProxyLogon exploit chain used by SHADOW-EARTH-053 for initial compromise.
A Microsoft Exchange Server vulnerability that is part of the ProxyLogon exploit chain used to compromise unpatched internet-facing Exchange servers for espionage operations.
A Microsoft Exchange Server vulnerability that is part of the ProxyLogon exploit chain used by the threat group for initial access into unpatched Exchange environments.
A Microsoft Exchange Server vulnerability referenced as part of the ProxyLogon exploit chain used to achieve remote code execution.