Microsoft Exchange Server Remote Code Execution Vulnerability

This repository contains operational exploit scripts for multiple high-profile Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, etc.), ProxyOracle (CVE-2021-31196), and ProxyShell (CVE-2021-34473, CVE-2021-31207). The structure includes four main Python scripts: - 26855.py: Implements the ProxyLogon exploit chain, culminating in the upload of a JScript webshell (api.aspx) to the Exchange server by abusing the OAB virtual directory. It automates the process of obtaining necessary tokens and SIDs, and provides a final webshell URL for remote code execution. - 31196.py: Implements the ProxyOracle padding oracle attack, allowing extraction of plaintext credentials from encrypted session cookies by exploiting a padding oracle vulnerability in OWA. It requires a valid 'cadata' cookie and outputs the decrypted username and password. - 34473.py: Implements the ProxyShell exploit chain, allowing remote PowerShell command execution on the Exchange server. It automates the process of obtaining a valid CommonAccessToken and then uses pypsrp to execute arbitrary PowerShell scripts remotely. - 31207.py: Works with 34473.py to deliver arbitrary files (e.g., malicious PDFs) to user mailboxes and then exports mailbox contents to a specified UNC path, leveraging Exchange's mailbox export features. A users.txt file provides a list of default or known usernames to assist in the exploitation process. The README.md gives usage instructions and references for each exploit. The scripts are operational and automate the full exploitation process, including credential extraction, webshell upload, remote command execution, and file delivery. The main attack vector is network-based, targeting exposed Exchange web services (ECP, OWA, Autodiscover, EWS, and PowerShell endpoints).