Penetration Technique: Remote Access to Exchange PowerShell
0x00 Preface
Exchange PowerShell is built on PowerShell Remoting. In conventional use it is reached over HTTP on port 80 of the Exchange Server from a domain-joined host, which imposes a number of restrictions. This article describes an implementation that does not depend on initiating the connection from a domain-joined host, which widens where the technique applies.
Note:
This method was fixed by the patch for CVE-2022-41040. The fix is in RemoveExplicitLogonFromUrlAbsoluteUri(string absoluteUri, string explicitLogonAddress) in C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.HttpProxy.Common.dll, as shown in the following figure.

0x01 Introduction
This article covers:
Implementation Ideas
Implementation Details
0x02 Implementation Ideas
In conventional use, the following points about Exchange PowerShell apply:
Any domain user can connect to Exchange PowerShell (which cmdlets they may run is governed by RBAC)
The connection must be initiated from a domain-joined host
The connection address must be an FQDN; an IP address is not accepted
Conventional use therefore cannot connect from outside the domain. As is known from ProxyShell, however, a connection can be initiated from outside the domain by using its SSRF to reach Exchange PowerShell.
Furthermore, the ProxyShell patch did not remove the SSRF path that accepts NTLM authentication, so with valid domain credentials Exchange PowerShell can be reached again through NTLM authentication.
0x03 Implementation Details
In code, NTLM authentication is added to the request so that the domain credentials are passed along with it; example code:

For executing Exchange PowerShell commands we can choose pypsrp or Flask; for details, refer to the earlier articles: ProxyShell Exploitation Analysis 2 – CVE-2021-34523 and ProxyShell Exploitation Analysis 3 – Adding Users and File Writing
Both the pypsrp and Flask approaches achieve command execution by setting up a local web proxy that filters and modifies the traffic in flight
To make the code more broadly applicable, a different approach is taken here: reproduce the normal Exchange PowerShell traffic directly to achieve command execution
Reference code available at: https://gist.github.com/rskvp93/4e353e709c340cb18185f82dbec30e58
That code is written for Python 2 and implements ProxyShell exploitation
Based on that code, it was rewritten for Python 3 and extended to access Exchange PowerShell via NTLM authentication and execute commands. The details to note are as follows:
1. Strings differ between Python 2 and Python 3: a Python 2 str holds raw bytes, whereas a Python 3 str is Unicode text and raw data must be handled as bytes
(1)
Code usable under Python 2:

When the above code is used under Python 3, the str values must be converted to bytes, and to avoid problems parsing invisible (non-printable) characters the code structure was redesigned. Code usable under Python 3:

(2)
Code usable under Python 2:
When the above code is used under Python 3, str must be converted to bytes. Code usable under Python 3:

(3)
Code usable under Python 2:


When the above code is used under Python 3, str must be converted to bytes. To avoid problems parsing invisible characters, .decode('utf-8') cannot be used here: utf-8 raises UnicodeDecodeError on byte sequences that are not valid utf-8, which binary data such as message headers routinely contains. Use .decode('ISO-8859-1') instead; it maps every byte to exactly one code point, so the conversion is lossless and .encode('ISO-8859-1') returns the original bytes.
Code usable under Python 3:

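To make the str/bytes point concrete, the following is an added example, not code from the article or from the referenced gist. It frames a constructed payload in the MS-PSRP fragment layout that such traffic carries (object id, fragment id, flags, blob length, all big-endian, followed by the blob), shows that `.decode('utf-8')` rejects the header as soon as a length or id byte is 0x80 or above, and shows that the `ISO-8859-1` round trip is lossless. The sample blob is constructed for the example; it is padded so that its length byte triggers the utf-8 failure.

```python
import base64
import struct

# Constructed sample payload: a CLIXML-like blob padded so that its length
# (251 = 0xFB) puts a byte >= 0x80 into the header. That byte is what makes
# .decode('utf-8') fail on the framed message.
SAMPLE_BLOB = b'<Obj RefId="0">' + b"A" * 230 + b"</Obj>"

FLAG_START = 0x01
FLAG_END = 0x02
HEADER_FMT = ">QQBI"  # ObjectId (8) | FragmentId (8) | Flags (1) | BlobLength (4)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_fragment(object_id, fragment_id, blob, start=True, end=True):
    """Frame a blob in the MS-PSRP fragment layout (integers big-endian)."""
    flags = (FLAG_START if start else 0) | (FLAG_END if end else 0)
    header = struct.pack(HEADER_FMT, object_id, fragment_id, flags, len(blob))
    return header + blob


def parse_fragment(raw):
    """Inverse of build_fragment; raises if the blob is shorter than declared."""
    object_id, fragment_id, flags, length = struct.unpack_from(HEADER_FMT, raw, 0)
    blob = raw[HEADER_LEN:HEADER_LEN + length]
    if len(blob) != length:
        raise ValueError("truncated fragment: declared %d, got %d" % (length, len(blob)))
    return {
        "object_id": object_id,
        "fragment_id": fragment_id,
        "start": bool(flags & FLAG_START),
        "end": bool(flags & FLAG_END),
        "blob": blob,
    }


def bytes_to_text(raw):
    """Python 2 code handled this data as str and spliced it into text templates.
    In Python 3 it must be decoded first; ISO-8859-1 maps each byte value to
    one code point, so nothing is lost or rejected."""
    return raw.decode("ISO-8859-1")


def text_to_bytes(text):
    """Reverse of bytes_to_text: the same bytes come back out."""
    return text.encode("ISO-8859-1")


def utf8_decodes(raw):
    """True if the data happens to be valid utf-8; binary headers usually are not."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def fragment_for_wire(raw):
    """PSRP over WSMan carries fragments base64-encoded inside the SOAP body."""
    return base64.b64encode(raw).decode("ascii")


def main():
    raw = build_fragment(1, 0, SAMPLE_BLOB)
    print("header bytes :", raw[:HEADER_LEN].hex())
    print("utf-8 decodes:", utf8_decodes(raw))
    text = bytes_to_text(raw)
    print("latin-1 round trip intact:", text_to_bytes(text) == raw)
    print("base64 for the SOAP body:", fragment_for_wire(raw)[:40] + "...")


if __name__ == "__main__":
    main()
```

The same rule applies in the other direction: a response body that is going to be parsed as bytes should be taken from the HTTP client as bytes (or decoded with ISO-8859-1 and re-encoded), never passed through a utf-8 decode that may raise or substitute characters.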
2. The XML format of the Exchange PowerShell command request
XML format example 1:

The corresponding command to execute is: Get-RoleGroupMember "Organization Management"
XML format example 2:

The corresponding command to execute is: Get-Mailbox -Identity administrator
From the format, the following can be concluded:
(1) The Cmd attribute carries the command (cmdlet) name
For example:

(2) Note the format in which the command parameters are passed
If a single parameter is passed, the format is:
If 2 parameters are passed, the format is:

If 4 parameters are passed, the format is:
Accordingly, parameter filling can be implemented with the following code:
Implementation code for constructing the XML:


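The two observations above (the Cmd field carries the cmdlet name; each parameter is its own name/value entry, so one, two or four parameters differ only in how many entries the list holds) generalize to a small builder. The following is an added example, not the article's own code or the gist's. It parses a command line into cmdlet and parameters and emits the Cmd/Args portion of a PSRP command in CLIXML form: `<S N="Cmd">` for the name, one `<Obj><MS>...</MS></Obj>` per parameter with `<S N="N">`/`<S N="V">`, `<Nil N="N" />` for a positional value, and `<B N="V">true</B>` for a bare switch (how PowerShell binds a switch given without a value). The RefId attributes and type-table (TN/TNRef) elements that a complete Create Pipeline message carries are left out here. Parameter values are XML-escaped, so a value containing `<` or `&` cannot break out of its element.

```python
import shlex
from xml.sax.saxutils import escape


def _s(name, value):
    """A CLIXML string property: <S N="name">escaped value</S>."""
    return '<S N="%s">%s</S>' % (name, escape(value))


def parse_command(command_line):
    """Split e.g. 'Get-Mailbox -Identity administrator' into the cmdlet name and a
    list of (parameter name or None, value) pairs. Quoted values stay intact via
    shlex; a '-Name' with no following value is treated as a switch (value True);
    a token not preceded by a '-Name' is positional (name None)."""
    tokens = shlex.split(command_line)
    if not tokens:
        raise ValueError("empty command line")
    cmd, rest = tokens[0], tokens[1:]
    args = []
    i = 0
    while i < len(rest):
        tok = rest[i]
        is_name = tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit()
        if is_name:
            has_value = i + 1 < len(rest) and not rest[i + 1].startswith("-")
            if has_value:
                args.append((tok, rest[i + 1]))
                i += 2
            else:
                args.append((tok, True))  # bare switch, e.g. -Force
                i += 1
        else:
            args.append((None, tok))  # positional argument
            i += 1
    return cmd, args


def build_arg_xml(name, value):
    """One parameter entry of the Args list."""
    name_xml = _s("N", name) if name is not None else '<Nil N="N" />'
    value_xml = '<B N="V">true</B>' if value is True else _s("V", value)
    return "<Obj><MS>%s%s</MS></Obj>" % (name_xml, value_xml)


def build_args_xml(args):
    """The Args list; its length is the only thing that changes with the
    number of parameters (one entry, two entries, four entries, ...)."""
    return '<Obj N="Args"><LST>%s</LST></Obj>' % "".join(
        build_arg_xml(n, v) for n, v in args
    )


def build_command_xml(command_line):
    """Cmd/Args portion of a PSRP command object for the given command line
    (RefId attributes and TN/TNRef type tables of a full message omitted)."""
    cmd, args = parse_command(command_line)
    return "<Obj><MS>%s<B N=\"IsScript\">false</B>%s</MS></Obj>" % (
        _s("Cmd", cmd),
        build_args_xml(args),
    )


def main():
    for line in ('Get-RoleGroupMember "Organization Management"',
                 "Get-Mailbox -Identity administrator"):
        print(line)
        print("  ", build_command_xml(line))


if __name__ == "__main__":
    main()
```

Escaping is not optional here: a display name or alias taken from user input and spliced in raw would let `</S>` or `<` terminate the element early and change the structure of the message the server parses.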
Combining the above details gives the final implementation; its execution result is shown in the following figure

0x04 Summary
This article has described a method of remotely accessing Exchange PowerShell. Its advantage is that it does not depend on initiating the connection from a host inside the domain. The method was fixed by the patch for CVE-2022-41040.