Franky's Web

HAFNIUM: Small update on the public exploit

The exploit for the Exchange vulnerabilities is now publicly available and, as was to be expected, is spreading even further. Initially, the exploit was blocked on GitHub, which naturally resulted in the exploit being published on various sites. The exploit is now available again on GitHub, but on other accounts (or via a Tor link).

If anyone would like to take a look, you can find the exploit here:

Windows Defender recognizes the exploit code with the current signatures, which of course doesn't help much, because the exploit is executed remotely:

I took a look at the exploit; it is only 169 lines of Python code. A small but subtle flaw stood out immediately:

So if you have not installed your Exchange Server under the default path "C:\Program Files\Microsoft\Exchange Server", but on a different drive, for example, you can sit back and pat yourself on the back: Well done!

At least this exploit would try to create the webshell in a directory that does not exist if Exchange was installed on a different drive or path. However, this only applies to this PoC exploit code and will only stop someone who runs this sample unmodified.
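A defender-side check for the point above, added here as an example (not code from the post or from the PoC): it reads this server's real Exchange install root, compares it with the default path the PoC hard-codes, and lists recently written .aspx/.ashx files under the Internet-facing front-end directories, where a dropped webshell would land. It assumes Exchange 2013 or later (the v15 setup registry key) and an elevated PowerShell session.

```powershell
# Added example: compare the real Exchange install root with the PoC's hard-coded default
# and hunt for recently written script files under the front-end (OWA/ECP) directories.
# Assumptions: Exchange 2013+ (v15 setup key), run as administrator on the Exchange server.
param(
    [int]$Days = 14   # how far back a changed script file counts as "recent"
)

$PocHardcodedPath = 'C:\Program Files\Microsoft\Exchange Server'   # value assumed by the PoC

# Exchange setup records its install root both in the registry and in an environment variable.
$setupKey    = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
$installPath = (Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue).MsiInstallPath
if (-not $installPath) { $installPath = $env:ExchangeInstallPath }
if (-not $installPath) { Write-Warning 'No Exchange installation found on this host.'; return }
$installPath = $installPath.TrimEnd('\')

if ($installPath -like "$PocHardcodedPath*") {
    Write-Host "Install root '$installPath' is the default the PoC hard-codes; the unmodified PoC would drop its shell here."
} else {
    Write-Host "Install root '$installPath' differs from the PoC default; this only stops the unmodified PoC."
}

# Script files under the Internet-facing front-end with a recent write time deserve a look:
# Exchange's own .aspx files carry the timestamp of the last CU/SU installation, not of last week.
$frontEnd = Join-Path $installPath 'FrontEnd\HttpProxy'
$cutoff   = (Get-Date).AddDays(-$Days)
$suspects = Get-ChildItem -Path $frontEnd -Recurse -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff }

if ($suspects) {
    Write-Host "Script files written after $cutoff under $frontEnd (review each one):"
    $suspects | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No .aspx/.ashx files newer than $Days days under $frontEnd."
}
```

A hit is not proof of compromise on its own (a recent security update also touches files there), so compare the listed files against a known-good installation before acting.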

Even so, this exploit does not run directly without further customization. I tested it against Exchange 2019 and ran into several issues. Up to a certain point these are all easy to adapt, but at least in my Exchange 2019 test environment the "msExchCanary" is not returned after the ProxyLogon step:

Incidentally, this could explain the many ProxyLogon requests in the IIS logs where no webshell or similar can be found afterwards. I have not yet been able to test other Exchange versions. Apparently, however, not every attacker has adapted the exploit well enough. That does not mean it will not succeed, though: ransomware is currently also being installed through the known vulnerabilities, encrypting data across the network. Alongside a webshell, this is therefore the second worst-case scenario for companies.

I therefore strongly recommend disconnecting unpatched Exchange servers from the Internet immediately (block port 443 on the firewall) and updating the servers as quickly as possible. This will not disrupt mail reception; only users who use ActiveSync, OWA and/or Outlook Anywhere (RPC over HTTPS, MAPI over HTTPS) will no longer be able to reach Exchange. If this access is absolutely necessary, it can be provided via VPN. I can well imagine that smaller IT service providers in particular face the huge task of updating their customers' systems as quickly as possible, but simply cannot do so as fast as would be necessary given the resources and effort involved. Hence my recommendation: first disconnect everything from the Internet, then update, then check and, if necessary, reinstall, and only then allow access via port 443 again.

According to the BSI, around 25,000 Exchange servers in Germany were still vulnerable yesterday:

So before the next ransomware plague or confidential data becomes public, these systems should be taken offline and updated as quickly as possible. It is also important to check whether there is a reporting obligation under the GDPR; further information can be found here:

https://www.heise.de/news/Exchange-Hack-Uneinheitliche-Position-der-Datenschutzbehoerden-zur-Meldepflicht-5078453.html

My recommendation: if the available test scripts show indicators of compromise and the updates were not yet installed at that time, it is better to reinstall the server:

https://www.frankysweb.de/exchange-server-neuinstallation-ohne-datenverlust-beispielsweise-nach-angriff/
