Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

Small single-script Python exploit repository for Microsoft Exchange ProxyShell-style exploitation. The repository contains one executable code file, proxyhell_revisited.py, plus a short README, license, and .gitignore. The script uses requests and disables TLS verification warnings, indicating intended direct interaction with remote Exchange servers over HTTPS/HTTP. Its workflow is: (1) send a crafted Autodiscover request to leak the target mailbox LegacyDN using a supplied valid email address; (2) send a crafted MAPI request to extract a user SID from the Exchange response; (3) forge a serialized Windows token containing the recovered SID plus privileged group SIDs; (4) submit a SOAP/PowerShell remoting request with the forged token to execute a PowerShell command that writes a base64-decoded ASPX/JScript webshell into the IIS aspnet_client directory; and (5) print the resulting webshell URL for follow-on command execution. The embedded payload is not just a detector: it is a functional post-exploitation webshell that runs arbitrary commands via cmd.exe and returns output. The script also supports a limited --check mode that only tests the LegacyDN leak path and reports likely vulnerability to CVE-2021-34473. Overall, this is an operational PoC exploit for remote Exchange compromise and webshell deployment, not a framework module and not merely a README or scanner.

This repository contains a Python-based Proof of Concept (PoC) exploit for the ProxyShell vulnerability chain affecting Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). The main exploit script, 'exchange_proxyshell.py', automates the exploitation process by targeting Exchange's Autodiscover, MAPI, ECP, and EWS endpoints. It first enumerates users and emails from Active Directory, discovers LegacyDNs, and then abuses the ProxyShell vulnerabilities to obtain a valid access token. Using this token, the script establishes a PowerShell remoting session to the Exchange server, allowing the attacker to execute arbitrary commands. The exploit is operational and provides remote code execution capabilities. The repository is well-structured, with a detailed README explaining usage, features, and mitigation steps. No hardcoded IPs or domains are present; the target Exchange server is specified by the user at runtime.

This repository contains operational exploit scripts for multiple high-profile Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, etc.), ProxyOracle (CVE-2021-31196), and ProxyShell (CVE-2021-34473, CVE-2021-31207). The structure includes four main Python scripts: - 26855.py: Implements the ProxyLogon exploit chain, culminating in the upload of a JScript webshell (api.aspx) to the Exchange server by abusing the OAB virtual directory. It automates the process of obtaining necessary tokens and SIDs, and provides a final webshell URL for remote code execution. - 31196.py: Implements the ProxyOracle padding oracle attack, allowing extraction of plaintext credentials from encrypted session cookies by exploiting a padding oracle vulnerability in OWA. It requires a valid 'cadata' cookie and outputs the decrypted username and password. - 34473.py: Implements the ProxyShell exploit chain, allowing remote PowerShell command execution on the Exchange server. It automates the process of obtaining a valid CommonAccessToken and then uses pypsrp to execute arbitrary PowerShell scripts remotely. - 31207.py: Works with 34473.py to deliver arbitrary files (e.g., malicious PDFs) to user mailboxes and then exports mailbox contents to a specified UNC path, leveraging Exchange's mailbox export features. A users.txt file provides a list of default or known usernames to assist in the exploitation process. The README.md gives usage instructions and references for each exploit. The scripts are operational and automate the full exploitation process, including credential extraction, webshell upload, remote command execution, and file delivery. The main attack vector is network-based, targeting exposed Exchange web services (ECP, OWA, Autodiscover, EWS, and PowerShell endpoints).