ProxyNotShell RCE in Microsoft Exchange Server PowerShell
CVE-2022-41082 is a remote code execution vulnerability in on-premises Microsoft Exchange Server 2013, 2016, and 2019 and the second half of the ProxyNotShell exploit chain. It is exploitable when the attacker can reach the Exchange PowerShell backend, which in practice means authenticating as a user who has Remote PowerShell enabled. In the ProxyNotShell chain it is paired with CVE-2022-41040, a server-side request forgery in the Exchange frontend, to reach the vulnerable backend path.

The root cause lies in Exchange PowerShell type conversion and unsafe deserialization: Exchange's custom SerializationTypeConverter, invoked through LanguagePrimitives.ConvertTo(), ultimately hands attacker-controlled SerializationData to BinaryFormatter.Deserialize(). Public analysis notes that the original exploit abused deserialization of types that were on the allow list and then reached a XamlReader.Parse(string) call to execute code. Microsoft's patch added validation around UnitySerializationHolder-based deserialization; note that this blocks the known exploitation path rather than removing the deserialization sink itself.

In operational reporting, successful exploitation has been associated with web shell deployment and follow-on intrusion activity.
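Both request shapes leave distinctive entries in the frontend IIS logs: the ProxyNotShell chain's autodiscover.json URI carrying an "@" and "powershell", and the OWA path to the PowerShell backend used by the OWASSRF variant that the exploit entries below mention. The following is an added example, not code from this page or from any of the exploit repositories it lists: a Python triage script that parses IIS W3C log lines and flags both patterns, in the spirit of the IIS-log search Microsoft's customer guidance recommended. The log lines are constructed, and the substring heuristics (autodiscover.json plus "@" plus "powershell"; an /owa/ stem that reaches /powershell) are this example's own first-pass filter, not an official signature.

```python
"""Triage IIS W3C logs from an Exchange frontend for ProxyNotShell / OWASSRF
request patterns. Added example; the sample log below is constructed."""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample (not a real capture). Real IIS logs also begin with a
# #Fields header, which parse_iis() uses to name the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 09:12:41 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.10 Mozilla/5.0 200
2022-10-03 09:13:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell?&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.10 python-requests/2.28 200
2022-10-03 09:13:05 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell?&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.10 python-requests/2.28 401
2022-10-03 09:14:10 10.0.0.5 POST /owa/mastermailbox%40contoso.com/powershell - 443 alice 198.51.100.7 python-requests/2.28 200
2022-10-03 09:15:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40contoso.com&Protocol=ActiveSync 443 alice 198.51.100.7 Outlook/16.0 200
"""


@dataclass
class Hit:
    line_no: int
    pattern: str
    client_ip: str
    status: str
    uri: str

    @property
    def likely_success(self) -> bool:
        # A 200 on the frontend means the request was proxied and answered;
        # 401/404 usually indicate a probe that did not get through.
        return self.status == "200"


def parse_iis(lines):
    """Yield (line_no, record) for each W3C data line, naming columns from #Fields."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield n, dict(zip(fields, cols))


def classify(uri: str):
    """Label a decoded, lowercased 'stem?query' string, or return None.
    These heuristics are the example's own assumption of a first-pass filter."""
    if "autodiscover.json" in uri and "@" in uri and "powershell" in uri:
        return "ProxyNotShell (CVE-2022-41040 SSRF to the PowerShell backend)"
    if uri.startswith("/owa/") and "/powershell" in uri:
        return "OWASSRF-style (OWA path to the PowerShell backend)"
    return None


def triage(lines):
    """Return a Hit for every record whose URI matches one of the patterns."""
    hits = []
    for n, rec in parse_iis(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        # Decode percent-encoding first so %40 becomes '@' and %3f becomes '?'.
        uri = unquote(stem + ("" if query == "-" else "?" + query)).lower()
        label = classify(uri)
        if label:
            hits.append(Hit(n, label, rec.get("c-ip", "-"), rec.get("sc-status", "-"), uri))
    return hits


def by_client(hits):
    """Count hits per source IP, a quick way to see who was probing."""
    counts = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG.splitlines()):
        flag = "HIT" if h.likely_success else "probe"
        print(f"line {h.line_no}: {flag} {h.pattern} from {h.client_ip} -> {h.uri}")
    print(by_client(triage(SAMPLE_LOG.splitlines())))
```

Run it against real logs by replacing SAMPLE_LOG.splitlines() with an opened log file. A 200 on a flagged autodiscover.json request is the line worth escalating, since it means the frontend proxied the request; the same URI with a 401 usually shows credential-less probing. The benign Autodiscover request in the sample is not flagged because it never names the PowerShell backend.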
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a proof-of-concept exploit for CVE-2022-41082 as used in the OWASSRF chain, targeting Microsoft Exchange servers. It consists of three files: a README.md with detailed usage and background, a Python exploit script (poc.py), and a requirements.txt listing dependencies. The main exploit script, poc.py, automates authenticating to the Exchange OWA endpoint, starting a local RPC server, and reaching the Exchange PowerShell backend through the OWASSRF path to execute arbitrary PowerShell commands on the target server. The attacker provides a command file containing the payload, which is base64-encoded and injected into the PowerShell session. The exploit can be used for a variety of post-exploitation actions, including establishing a reverse shell. The script requires valid credentials for a user with Remote PowerShell access and targets the Exchange server over HTTPS endpoints. The repository is structured as a standalone PoC and does not belong to a larger exploit framework.
This repository provides a working exploit for two Microsoft Exchange vulnerabilities: CVE-2022-41082 (the post-auth RCE shared by the ProxyNotShell and OWASSRF chains) and CVE-2022-41076 (TabShell, privilege escalation via a PowerShell sandbox escape). The main exploit is implemented in 'poc.py', a Python script that authenticates to the Exchange OWA endpoint using provided credentials, sets up a local HTTP server to relay PowerShell requests, and abuses the Exchange PowerShell endpoint to execute arbitrary commands on the server. The command to execute is read from a file (default: 'cmd'), which can be set to any desired payload (e.g., launching calc.exe). The exploit leverages the PowerShell Remoting Protocol (PSRP) via a bundled 'pypsrp' library. The included 'TabShell.ps1' PowerShell script is used for privilege escalation after initial access, allowing the attacker to break out of the restricted PowerShell sandbox. The repository is well-structured, with clear separation between the exploit logic, supporting library code, and payload scripts. It targets unpatched Exchange 2013, 2016, and 2019 servers as of November 2022, and requires valid credentials for exploitation. The attack vector is network-based, targeting the Exchange OWA and PowerShell endpoints over HTTP(S).
This repository provides a working exploit for two Microsoft Exchange vulnerabilities: CVE-2022-41082 (the post-auth RCE shared by the ProxyNotShell and OWASSRF chains) and CVE-2022-41076 (TabShell, a privilege escalation via a PowerShell sandbox escape). The main exploit logic is in 'poc.py', which authenticates to the Exchange OWA endpoint using provided credentials, then abuses the PowerShell endpoint to execute arbitrary commands. The exploit sets up a local HTTP server to relay requests and uses the included 'pypsrp' library for PowerShell Remoting Protocol (PSRP) communication. The payload is customizable and can be any PowerShell command, with examples provided (calc.exe, mspaint.exe, ipconfig.exe). The 'TabShell.ps1' script demonstrates privilege escalation by breaking out of the restricted PowerShell sandbox after initial access is gained. The repository is structured with a main PoC script, a PowerShell privilege escalation script, a command file for payloads, and a full copy of the pypsrp library for PSRP communication. The exploit is operational and can be used to achieve RCE and privilege escalation on vulnerable, unpatched Exchange servers given valid credentials.
Recent activity
25 sources tracked across advisories, community write-ups, and news.
One of the two Microsoft Exchange vulnerabilities in the ProxyNotShell exploit chain used for initial access against an unpatched Exchange server.
An on-premises Microsoft Exchange vulnerability, part of the OWASSRF exploit chain, used by Storm-1175 to achieve remote code execution after initial access.
A Microsoft Exchange Server vulnerability that is part of the ProxyNotShell exploit chain, involving SSRF abuse that can lead to remote code execution as SYSTEM.
A remote code execution vulnerability in Microsoft Exchange, exploited by ransomware groups for initial access.