Exploiting Exchange PowerShell... Note

Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE

The article discusses a chain of three vulnerabilities that led to remote code execution in Exchange, including an arbitrary file write, read, and local DLL loading vulnerabilities. The author found a gadget in the Microsoft.Exchange.DxStore.Common.DxSerializationUtil+SharedTypeResolver class, which loads a DLL from an attacker-controlled location. However, the gadget is limited by several restrictions, such as file extension checks, file removal after extraction, and the need to predict the extraction path. The author bypassed these restrictions by using argument injection in the expand utility, creating a subdirectory for the malicious file, and leaking the GUID from a log file. The final payload involved delivering three CAB files, including one for FUSE.Paxos.dll, one for Ijwhost.dll, and one containing a corrupted file for leaking the GUID. The author also prepared a tricky SMB share structure to pass the File.Exists check.