
Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE

Submitted by Style Pass, 2024-09-21 17:00:06

As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of 4 blog posts is meant to supplement the talk and provide additional technical details.

·       CVE-2023-36744 – Arbitrary File Write vulnerability
·       CVE-2023-36777 – Arbitrary File Read vulnerability
·       CVE-2023-36745 – Local DLL Loading vulnerability

In the sections that follow, I’m going to describe each of these in detail and show how I chained them to eventually achieve RCE.

You can also watch the talk here: “Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting”. This blog post covers the part from 21:00 to 26:25.

In this blog post, I will describe the chain of 3 vulnerabilities that led to remote code execution in Exchange. It is probably my favorite chain so far, so I will spend some time on it.
