Overview
Imported from the upstream repository GossiTheDog/scanning. Check for Exchange Server CVE-2021-34473 by trying to access OWA as NT AUTHORITY\SYSTEM Known issues - requires a valid SSL certificate if using SSL/TLS
Unofficial safe Default
http-vuln-exchange-proxyshell
Check for Exchange Server CVE-2021-34473 by trying to access OWA as NT AUTHORITY\SYSTEM Known issues - requires a valid SSL certificate if using SSL/TLS
Ports
Any
Protocols
n/a
Attribution
Kevin Beaumont (upstream: GossiTheDog/scanning)
Usage
No example usage is currently available for this script entry.
Example usage has not been added for this script yet.
Script Source Toggle
The full script source is stored with this entry and is hidden by default to keep the page easier to scan.
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local strbuf = require "strbuf"
description = [[
Check for Exchange Server CVE-2021-34473
by trying to access OWA as NT AUTHORITY\SYSTEM
Known issues - requires a valid SSL certificate if using SSL/TLS
]]
---
--@output
--PORT STATE SERVICE
-- 443/tcp open https
-- |_http-vuln-exchange-proxyshell: ** Vulnerable to ProxyShell SSRPF **
author = "Kevin Beaumont"
license = "GPLv3"
categories = {"default", "discovery", "safe", "exploit"}
portrule = shortport.http
local last_len = 0
action = function(host, port)
local dis_count, noun
options = {redirect_ok = false}
local answer = http.get(host, port, "/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com", options)
if answer.status == 400 then
return "Not vulnerable to ProxyShell SSRF"
elseif answer.status == 302 then
return "** Vulnerable to ProxyShell SSRF **"
else
return "Unknown error code returned - " .. answer.status .. " - maybe not an Exchange server"
end
local v_level = nmap.verbosity() + (nmap.debugging()*2)
local output = strbuf.new()
local detail = 15
end