Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

ProxyLogon SSRF in Microsoft Exchange Server

Identifiers: CVE-2021-26855 · CWE-918 Server-Side Request Forgery (SSRF) · Also known as: proxylogon

CVE-2021-26855, commonly referred to as ProxyLogon, is a server-side request forgery vulnerability in on-premises Microsoft Exchange Server, affecting the Exchange Control Panel (ECP) / front-end request handling path. It allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. In practice, the flaw is exposed over HTTPS/443 on internet-facing Exchange deployments and can be used to access backend Exchange functionality as the server itself. Broad reporting often describes the CVE as a remote code execution issue, but strictly speaking CVE-2021-26855 is the pre-authentication SSRF/authentication-bypass component of the broader ProxyLogon exploit chain. It was heavily exploited in 2021 and commonly chained with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to achieve full server compromise and webshell deployment.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

By itself, CVE-2021-26855 enables pre-authentication access to backend Exchange resources by allowing the attacker to impersonate the Exchange Server in crafted HTTP requests, which can expose mailboxes and other sensitive information. When chained with the associated post-authentication Exchange flaws, attackers can write files to arbitrary paths, deploy webshells, execute arbitrary code, steal credentials, access files and mailboxes, and potentially pivot into Active Directory and broader enterprise identity infrastructure. Real-world exploitation included persistent access, mailbox theft, credential compromise, malware deployment, and follow-on ransomware or espionage activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict untrusted connections to port 443, block or disable external access to /owa/ and /ecp/, or disconnect vulnerable on-premises Exchange servers from the internet. Additional defensive measures include placing Exchange behind a VPN, prioritizing behavioral monitoring over signature-only detection, reviewing IIS/ECP logs for known exploitation patterns, searching for suspicious .aspx files in Exchange and IIS paths, and using compensating controls such as IPS/WAF virtual patching, file integrity monitoring, and EDR monitoring of suspicious IIS worker process behavior. These are temporary risk-reduction steps, not substitutes for patching.

Remediation

Patch, then assume compromise.

Apply Microsoft's March 2021 Exchange security updates for the affected on-premises Exchange Server versions. Microsoft released out-of-band fixes for Exchange Server 2010, 2013, 2016, and 2019, including additional packages for certain older cumulative updates documented in KB5000871. Organizations should move to a supported cumulative update and then apply the relevant security update, because temporary fixes for older unsupported builds do not make those builds supported. Microsoft also instructed administrators to install the .msp packages from an elevated command prompt, reboot after installation, and continue upgrading to supported CUs. If compromise is suspected, investigate for indicators of compromise dating back to at least January 2021, run Microsoft detection tooling such as Test-ProxyLogon.ps1 and EOMT.ps1, remove webshells and persistence, rotate credentials, and assume possible identity compromise.
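The hunting steps in the two sections above (search Exchange and IIS paths for suspicious .aspx files, review IIS logs for requests to them, and look back to at least January 2021) can be scripted for a first-pass triage. The PowerShell below is an added example written for this brief; it is not Mallory's or Microsoft's tooling and does not replace Test-ProxyLogon.ps1 or EOMT.ps1. It assumes it runs elevated on the Exchange server, that the ExchangeInstallPath environment variable is set (Exchange setup sets it), and that IIS logs are under C:\inetpub\logs\LogFiles (adjust -IisLogRoot if the site logs elsewhere); the Since default and the directory list are assumptions to tune for your environment.

```powershell
# Added example for this brief (not Mallory or Microsoft code): inventory .aspx files in the
# web-facing Exchange/IIS directories, flag recent ones, and count IIS log requests to them.
# Assumptions: run elevated on the Exchange server; $env:ExchangeInstallPath is set by
# Exchange setup; IIS logs live under C:\inetpub\logs\LogFiles (site ID may differ).
param(
    [datetime]$Since      = '2021-01-01',                 # exploitation seen from at least Jan 2021
    [string]  $IisLogRoot = 'C:\inetpub\logs\LogFiles',    # assumed default IIS log location
    [string]  $ReportPath = "$env:TEMP\aspx-inventory.csv"
)

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { throw 'ExchangeInstallPath is not set; run this on an Exchange server.' }

# Directories where ProxyLogon webshells were dropped: the OWA auth folder and IIS aspnet_client,
# plus the ECP front end. Legitimate Exchange .aspx files also live here, so nothing is deleted.
$huntDirs = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

# Step 1: inventory every .aspx with timestamps and a SHA-256 so results can be compared
# across servers, against a clean install of the same CU, and against vendor IOC lists.
$inventory = foreach ($dir in $huntDirs) {
    Get-ChildItem -Path $dir -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                Bytes    = $_.Length
                Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Recent   = ($_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since)
            }
        }
}

# Step 2: parse IIS W3C logs. Lines starting with '#' are directives; '#Fields:' names the
# columns, so each data line is mapped onto those names instead of assuming a fixed layout.
function Read-IisLog {
    param([string]$LogFile)
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($LogFile)) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or malformed lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Requests to a recently created .aspx that is not part of the product (especially POSTs from
# external addresses) are the classic webshell-interaction pattern worth reviewing first.
$recentNames = @($inventory | Where-Object { $_.Recent } |
                 ForEach-Object { [IO.Path]::GetFileName($_.Path).ToLowerInvariant() })
$hits = @()
if ($recentNames.Count -gt 0) {
    $logs = Get-ChildItem -Path $IisLogRoot -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTimeUtc -ge $Since }
    $hits = foreach ($log in $logs) {
        Read-IisLog -LogFile $log.FullName | Where-Object {
            $_.'cs-uri-stem' -and
            $recentNames -contains ([IO.Path]::GetFileName($_.'cs-uri-stem').ToLowerInvariant())
        }
    }
}

$summary = $hits | Group-Object 'cs-uri-stem', 'cs-method' | ForEach-Object {
    $stamps = @($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)
    [pscustomobject]@{
        UriStem   = $_.Group[0].'cs-uri-stem'
        Method    = $_.Group[0].'cs-method'
        Requests  = $_.Count
        ClientIPs = (($_.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique) -join ';')
        FirstSeen = $stamps[0]
        LastSeen  = $stamps[-1]
    }
}

$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Recently created or modified .aspx files (full inventory in $ReportPath):"
$inventory | Where-Object { $_.Recent } | Format-Table Path, Created, Modified, Sha256 -AutoSize
Write-Host 'IIS requests to those files, by path and method:'
$summary | Format-Table -AutoSize
```

Run it once per server and diff the inventory CSV against a server known to be clean or a fresh install of the same CU; legitimate files such as logon.aspx sit in the same OWA auth directory, so the Recent flag and the request counts are prompts for review, not verdicts. Preserve a copy of any flagged file and the matching log lines before removing anything, since the webshell and its access history are the evidence the incident investigation will need.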
PUBLIC EXPLOITS

Exploits

20 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).

VALID 20 / 29 TOTAL
abyss-c2 · Maturity: PoC · Verified exploit

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

flags-alt · Disclosed May 20, 2026 · python, html · network, web, local
CTT-Exchange-RCE-v1.0---Microsoft-Exchange-Exploit-CVSS-10.0-CRITICAL-CVE-2021-26855-CVE-2021-27065 · Maturity: PoC · Verified exploit

Repository contains a single Python exploit script plus README and MIT license. The script presents itself as a ‘CTT-enhanced’ exploit chain for Microsoft Exchange Server targeting CVE-2021-26855 (ProxyLogon SSRF) and CVE-2021-27065 (post-auth arbitrary file write leading to RCE). Core capabilities visible in the reviewed excerpt include: (1) Exchange service fingerprinting by probing common endpoints (OWA/ECP/EWS/Autodiscover/MAPI/ActiveSync) and checking for Exchange-specific strings/headers; (2) SSRF vulnerability checking using the known ProxyLogon technique of injecting an X-BEResource value (shown as being placed in a Cookie header) while requesting /owa/auth/Current/themes/resources/logon.css, attempting to reach internal endpoints like localhost/ews/Exchange.asmx and localhost/ecp/default.flt; (3) a multi-layer execution concept (‘CTT layers’) that varies timing (prime-aligned sleeps) and obfuscates request payloads via a custom XOR+base64 encoding routine (‘α-dispersion’) to claim evasion/reliability improvements; (4) post-exploitation behavior indicated by console output/README: deployment of an ASPX webshell and printing a shell URL with a ctt_cmd query parameter for command execution (documented example path: /owa/auth/ctt_shell.aspx). The README describes a full automation chain (SSRF → LegacyDN leak → SID conversion → WriteDACL/OAB abuse → webshell), but the reviewed code excerpt is truncated, so only the detection/SSRF-check portions and the stated end result (webshell URL output) can be directly confirmed from it. No external C2 infrastructure is hardcoded; all network interaction is directed at the supplied target Exchange host and (via SSRF) internal loopback/localhost endpoints.

SimoesCTT · Disclosed Jan 28, 2026 · python · network
CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a single exploit script (exp.py) and a license file. The exploit targets Microsoft Exchange Server, attempting to gain remote code execution by writing a webshell to the /owa/auth/ directory. The script automates the process of discovering valid email addresses (fuzzing common usernames or using a provided one), interacting with Exchange's Autodiscover and MAPI endpoints, and leveraging the ProxyLogon/ProxyShell attack chain to escalate privileges and write a JScript-based webshell. Once the shell is written, the script provides an interactive command execution interface via HTTP POST requests to the shell. The exploit is operational, providing a working payload and interactive shell, and is designed for use against vulnerable, internet-accessible Exchange servers. The main attack vector is network-based, requiring HTTPS access to the target's Exchange Control Panel and OWA endpoints. The repository is structured simply, with all exploit logic contained in exp.py.

Wercd · Disclosed Dec 4, 2025 · python · network
proxylogon-exploit · Maturity: PoC · Verified exploit

This repository is a proof-of-concept exploit for the ProxyLogon vulnerabilities (CVE-2021-26855 and CVE-2021-27065) affecting Microsoft Exchange Server. The main exploit script, 'exploit.py', is a Python program that automates the exploitation process, including backend host discovery, authentication bypass, and webshell upload. The exploit requires the attacker to provide the Exchange frontend URL, a valid email address (or SID), and a webshell payload. The script interacts with several Exchange endpoints, leveraging the ProxyLogon authentication bypass to gain administrative access and then abusing the OAB virtual directory to write a webshell to disk. Once the webshell is uploaded, the attacker can execute arbitrary commands on the server via HTTP requests to the webshell endpoint. The repository also includes a README with detailed usage instructions and an example attack flow. The exploit is operational and provides a working remote code execution vector, but the payload (webshell) must be supplied by the user and is subject to size and content restrictions.

praetorian-inc · Disclosed Mar 24, 2021 · python · network
ProxyLogon-CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (proxylogon_rce.py) targeting the ProxyLogon vulnerability (CVE-2021-26855) in Microsoft Exchange Server. The exploit automates the full attack chain: it abuses the Exchange Control Panel (ECP) endpoints to authenticate as an administrator, retrieves necessary tokens and identifiers, and ultimately writes a JScript-based webshell to the server's OWA authentication directory. The webshell allows arbitrary command execution via HTTP POST requests. The script requires the attacker to provide the target Exchange server's address, a valid email address on the server, and the command to execute. The README provides usage instructions and credits. The exploit is operational and provides a working remote code execution capability against vulnerable Exchange servers.

mil1200 · Disclosed Mar 14, 2021 · python · network
CVE-2021-26855-SSRF · Maturity: PoC · Verified exploit

This repository contains a Python proof-of-concept (PoC) exploit for CVE-2021-26855, a critical SSRF vulnerability in Microsoft Exchange Server (part of the ProxyLogon vulnerabilities). The main file, CVE-2021-26855.py, takes a target Exchange server domain and an attacker-controlled domain (such as a Burp Collaborator endpoint) as arguments. It crafts a GET request to the Exchange server's /owa/auth/x.js endpoint, setting special cookies to trigger the SSRF. If the Exchange server is vulnerable, it will make a request to the attacker's domain, which can be monitored for interaction. The README provides usage instructions and describes how to interpret the results, including checking for specific headers in the response. The repository is structured simply, with one exploit script and a README, and is intended for vulnerability verification rather than weaponized exploitation.

pussycat0x · Disclosed Mar 6, 2021 · python · network
CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a Go-based proof-of-concept exploit for CVE-2021-26855, a critical SSRF vulnerability in Microsoft Exchange Server (2013 < CU23, 2016 < CU18, 2019 < CU7). The main file, 'CVE-2021-26855-PoC.go', implements several capabilities: (1) detection of the vulnerability via SSRF by sending crafted HTTP requests with specific cookies, (2) NTLM authentication negotiation to extract the FQDN and domain information from the server, (3) user enumeration by reading a supplied user list, and (4) reading mailbox information (mail IDs, headers, and optionally downloading emails) via crafted XML requests to the Exchange Web Services endpoint. The exploit does not require authentication and is designed to work against Exchange servers behind load balancers. The README provides detailed usage instructions and context about the vulnerability, including affected versions and exploitation requirements. No weaponized payload is included; the tool is primarily for detection and information gathering, not for remote code execution. The code is self-contained and does not rely on external frameworks.

h4x0r-dz · Disclosed Mar 9, 2021 · go, markdown · network
ExchangeSSRFtoRCEExploit · Maturity: PoC · Verified exploit

This repository contains a fully operational exploit chain targeting Microsoft Exchange Server vulnerabilities CVE-2021-26855 (SSRF) and CVE-2021-27065 (RCE), known as the ProxyLogon exploit chain. The main file, 'Exchange_SSRFtoRCEChainExploit.py', is a Python script that automates the exploitation process: it first discovers the target's FQDN, then leverages SSRF to bypass authentication, escalates privileges, and finally uploads a JScript-based ASP web shell to the Exchange server's OWA authentication directory. The script interacts with several Exchange endpoints (notably /ecp/ and /owa/auth.owa) and writes the web shell to a known file path, enabling the attacker to execute arbitrary commands via HTTP requests. The exploit requires the attacker to provide the target Exchange server's URL and a valid email user. The README provides usage instructions and lists affected Exchange versions, confirming the exploit's applicability to Exchange 2010, 2013, 2016, and 2019 on Windows. The exploit is not part of a framework and is a standalone, weaponized script capable of achieving remote code execution.

evilashz · Disclosed Mar 15, 2021 · python · network
ProxyLogon-CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a Python exploit (proxylogon.py) targeting Microsoft Exchange Server's ProxyLogon vulnerability (CVE-2021-26855). The exploit automates the full attack chain: it first abuses the SSRF and authentication bypass to gain administrative access, then writes a JScript webshell to the Exchange server's OWA directory. The webshell is used to execute system commands, including creating a new local user, adding that user to the administrators group, and establishing a reverse shell to the attacker's machine. The exploit requires the attacker to provide the target Exchange server's address, a valid email address on the server, and the attacker's IP for the reverse shell. The main code file is proxylogon.py, which orchestrates the entire attack. The README provides a brief description and usage instructions. The exploit is operational and provides both privilege escalation and remote code execution capabilities.

glen-pearson · Disclosed Apr 23, 2023 · python · network
proxylogon · Maturity: PoC · Verified exploit

This repository contains a Python exploit (proxylogon.py) targeting Microsoft Exchange Server's ProxyLogon vulnerability (CVE-2021-26855). The exploit leverages SSRF and authentication bypass to gain administrative access, then drops a JScript-based web shell into the Exchange server's web root directory (C:\inetpub\wwwroot\aspnet_client\<random>.aspx). The attacker can then execute arbitrary commands via HTTP requests to the web shell. The exploit requires the Impacket library and takes as arguments the target Exchange server URL and a valid email address. The README provides usage instructions. The code is operational and automates the full exploitation chain, including information gathering, privilege escalation, and web shell deployment. No hardcoded endpoints are present, but the exploit is designed for use against Exchange servers accessible over HTTP/HTTPS.

hakivvi · Disclosed Mar 14, 2021 · python · network
ProxyLogon · Maturity: PoC · Verified exploit

This repository contains a multi-language (Python and Go) exploit toolkit for the ProxyLogon vulnerability chain (CVE-2021-26855 and CVE-2021-27065) affecting Microsoft Exchange Server 2013, 2016, and 2019. The main exploit scripts are 'proxylogon.py' (Python 3) and 'proxylogon.go' (Go), both of which automate the attack chain: 1) exploiting the SSRF authentication bypass to impersonate an admin, 2) leaking the SID and other necessary information, 3) exploiting the arbitrary file write to upload a web shell (ASPX/JScript), and 4) providing remote code execution via the web shell. The 'manual' directory contains supporting scripts for manual exploitation steps: 'check.py' (enumeration and exploitation), 'brute.py' (SID brute-forcing), and 'shell.py' (interacting with the web shell). The exploit requires a valid email address on the target Exchange server, which can be brute-forced if unknown. The toolkit is operational and provides a working web shell for post-exploitation. All network interactions are over HTTPS endpoints typical of Exchange (e.g., /ecp/, /rpc/, /aspnet_client/).

kh4sh3i · Disclosed Jun 27, 2022 · python, go · network
ProxyLogon · Maturity: PoC · Verified exploit

This repository contains a Python 3 exploit for the ProxyLogon vulnerabilities (CVE-2021-26855 and CVE-2021-27065) affecting Microsoft Exchange Server. The main file, ProxyLogon.py, implements a full exploit chain: it performs an SSRF (Server-Side Request Forgery) to bypass authentication, retrieves necessary information (such as domain and computer name), and leverages the vulnerabilities to write a web shell to the Exchange server's web directory. The exploit requires the attacker to specify the target Exchange server's hostname and a valid email address (or a file containing multiple addresses). Upon successful exploitation, a JScript-based web shell is uploaded to the server, granting the attacker remote code execution capabilities via HTTP requests. The code is operational and automates the entire attack chain, including NTLM authentication, mailbox SID retrieval, and web shell deployment. The README provides usage instructions and references the targeted CVEs. No detection-only scripts are present; the code is a working exploit.

p0wershe11 · Disclosed Mar 17, 2021 · python · network
Exch-CVE-2021-26855_Priv · Maturity: PoC · Verified exploit

This repository contains a single exploit script, ExchangeSheller.py, which targets Microsoft Exchange Server vulnerabilities CVE-2021-26855 (SSRF/ProxyLogon) and CVE-2021-27065 (arbitrary file write). The exploit is written in Python and automates the full attack chain: it performs SSRF to bypass authentication, retrieves necessary tokens and identifiers, and leverages the file write vulnerability to drop a JScript-based web shell (exchmshell.aspx) into the Exchange server's OWA authentication directory. The script then verifies the shell's presence and demonstrates command execution by posting code to the shell endpoint. The README provides usage instructions and notes that a valid email address on the target Exchange server is required. The exploit is operational and provides SYSTEM-level command execution if successful. The main network endpoints involved are HTTPS URLs on the target Exchange server, and the web shell is accessible at /owa/auth/exchmshell.aspx. The repository is focused and contains only the exploit script, a README, and code owner files.

ZephrFish · Disclosed Mar 15, 2021 · python · network
CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a Go-based exploit for CVE-2021-26855, a critical SSRF vulnerability in Microsoft Exchange Server (2013 < CU23, 2016 < CU18, 2019 < CU7). The main file, CVE-2021-26855.go, implements the exploit logic, allowing an attacker to:
- Detect if a target Exchange server is vulnerable by sending crafted HTTP requests with specific cookies.
- Perform NTLM negotiation to extract the FQDN and domain information from the server.
- Enumerate internal users by submitting XML payloads to Exchange Web Services (EWS).
- List and optionally download email metadata and contents from user mailboxes.
The exploit does not require valid credentials and leverages SSRF to access internal resources. The README provides usage instructions, affected versions, and operational notes. The code is functional and demonstrates practical exploitation, including user enumeration and email extraction, making it an operational exploit rather than a simple proof of concept.

hackerxj007 · Disclosed Mar 8, 2021 · go · network
SharpProxyLogon · Maturity: PoC · Verified exploit

This repository contains a C# proof-of-concept exploit for the ProxyLogon vulnerability chain (notably CVE-2021-26855) affecting Microsoft Exchange Server 2013, 2016, and 2019. The main exploit logic is implemented in 'SharpProxyLogon/Program.cs', which orchestrates the attack steps: leaking the internal FQDN, performing Autodiscover requests, manipulating the OAB Virtual Directory, and ultimately achieving remote code execution. The exploit can either drop a webshell (JScript or C#) to the OWA auth directory for command execution or inject arbitrary shellcode into a process (commonly svchost.exe) using the TikiTorch loader (SharpProxyLogon/TikiTorch.cs). The exploit is operational and provides SYSTEM-level access on vulnerable Exchange servers. The repository is structured as a Visual Studio C# project, with supporting model classes for parsing Exchange responses and configuration files for build and dependency management. No detection-only scripts are present; the code is a functional exploit.

Flangvik · Disclosed Mar 29, 2021 · csharp, xml · network
CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a single Python proof-of-concept exploit (PoC_proxyLogon.py) for CVE-2021-26855, also known as ProxyLogon, targeting Microsoft Exchange Server. The exploit chains a server-side request forgery (SSRF) vulnerability to achieve authentication bypass and ultimately writes a web shell to the target server. The script requires the attacker to provide the target Exchange server's address and a valid email address. It performs a series of crafted HTTP(S) requests to the Exchange Control Panel (ECP) endpoints, abuses the SSRF to obtain sensitive tokens and session information, and leverages these to write a JScript-based web shell (ahihi.aspx) to a known location on the server. The web shell allows arbitrary code execution via HTTP requests. The repository also includes a README.md describing the exploit and its censorship history. The exploit is a functional PoC and does not belong to any framework.

hackerschoice · Disclosed Mar 11, 2021 · python · network
Exch-CVE-2021-26855 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (ExchangeSheller.py) targeting Microsoft Exchange Server vulnerabilities CVE-2021-26855 (SSRF/ProxyLogon) and CVE-2021-27065 (arbitrary file write). The exploit chains these vulnerabilities to achieve unauthenticated remote code execution as SYSTEM on vulnerable Exchange servers. The script performs a series of HTTP(S) requests to the Exchange Control Panel (ECP) endpoints, leveraging SSRF and authentication bypass to obtain necessary tokens and session information. It then writes a JScript-based web shell (exchmshell.aspx) to the Exchange server's OWA authentication directory. Once deployed, the attacker can interact with the web shell via HTTP POST requests to execute arbitrary system commands. The repository includes a README with usage instructions and a description of the exploit's capabilities. The only code file is ExchangeSheller.py, which is the main entry point and contains all exploit logic. No detection or brute-force functionality is included; a valid email address on the target server is required for exploitation.

ZephrFish · Disclosed Mar 14, 2021 · python · network
CVE-2021-26855-Scanner · Maturity: PoC · Verified exploit

This repository provides a Proof-of-Concept (PoC) and scanner for CVE-2021-26855 (ProxyLogon), a critical vulnerability in Microsoft Exchange Server. The main exploit is implemented in Go (CVE-2021-26855-PoC.go), which performs the following actions: verifies if a target Exchange server is vulnerable by sending crafted HTTP requests with special cookies, leverages NTLM authentication to extract FQDN and domain information, enumerates users, extracts mailbox contents, downloads emails, and reads contacts from the target server. The exploit interacts with Exchange's OWA and EWS endpoints, saving downloaded emails as .eml files. A supporting Python script (scan.py) enables mass scanning of IP:port pairs to identify vulnerable Exchange servers by checking for the 'NegotiateSecurityContext' string in the OWA authentication response. The repository also includes a requirements.txt for Python dependencies and a README.md with usage instructions, including how to use Shodan to gather potential targets. Overall, the repository is operational and provides both detection and exploitation capabilities for CVE-2021-26855, targeting Microsoft Exchange servers over HTTPS. The main attack vector is network-based, and the exploit can result in significant data exposure from vulnerable servers.

KotSec · Disclosed Mar 12, 2021 · go, python · network
ProxyLogon · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (ProxyLogon.py) targeting Microsoft Exchange Server vulnerabilities CVE-2021-26855 (ProxyLogon) and CVE-2021-27065. The exploit chains an authentication bypass (SSRF) with an arbitrary file write to achieve remote code execution. The script performs multiple stages: it first discovers the Exchange FQDN, then uses SSRF to leak user information and the administrator's SID, and finally writes a JScript web shell (proxylogon.aspx) to the Exchange server's OWA authentication directory. The payload allows the attacker to execute arbitrary code via HTTP requests to the web shell. The repository also includes a README.md with background, usage instructions, and mitigation advice. The exploit is operational and provides a working web shell if the target is vulnerable and accessible.

RickGeex · Disclosed Mar 16, 2021 · python · network
ProxyVulns · Maturity: PoC · Verified exploit

This repository contains operational exploit scripts for multiple high-profile Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, etc.), ProxyOracle (CVE-2021-31196), and ProxyShell (CVE-2021-34473, CVE-2021-31207). The structure includes four main Python scripts:
- 26855.py: Implements the ProxyLogon exploit chain, culminating in the upload of a JScript webshell (api.aspx) to the Exchange server by abusing the OAB virtual directory. It automates the process of obtaining necessary tokens and SIDs, and provides a final webshell URL for remote code execution.
- 31196.py: Implements the ProxyOracle padding oracle attack, allowing extraction of plaintext credentials from encrypted session cookies by exploiting a padding oracle vulnerability in OWA. It requires a valid 'cadata' cookie and outputs the decrypted username and password.
- 34473.py: Implements the ProxyShell exploit chain, allowing remote PowerShell command execution on the Exchange server. It automates the process of obtaining a valid CommonAccessToken and then uses pypsrp to execute arbitrary PowerShell scripts remotely.
- 31207.py: Works with 34473.py to deliver arbitrary files (e.g., malicious PDFs) to user mailboxes and then exports mailbox contents to a specified UNC path, leveraging Exchange's mailbox export features.
A users.txt file provides a list of default or known usernames to assist in the exploitation process. The README.md gives usage instructions and references for each exploit. The scripts are operational and automate the full exploitation process, including credential extraction, webshell upload, remote command execution, and file delivery. The main attack vector is network-based, targeting exposed Exchange web services (ECP, OWA, Autodiscover, EWS, and PowerShell endpoints).

hosch3n · Disclosed Apr 14, 2021 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                | Product         | Type
Microsoft Corporation | Exchange Server | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (47)

Every observed campaign linking this CVE to a named adversary.

Associated malware (52)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (3)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (3)

Community discussion across Reddit, Mastodon, and other social sources.