Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting
Collection of all materials concerning my Exchange PowerShell Remoting research. It includes the OffensiveCon 2024 video and 4 blog posts, which contain all the technical details.
The chain of 3 gadgets (Arbitrary File Write + Arbitrary File Read + Local DLL Loading) used to achieve RCE on Exchange is fully described in the 3rd blog post.
- OffensiveCon 2024 - Talk
- OffensiveCon 2024 - Slides
- Blog Part 1 - EXPLOITING EXCHANGE POWERSHELL AFTER PROXYNOTSHELL: PART 1 - MULTIVALUEDPROPERTY
- Blog Part 2 - EXPLOITING EXCHANGE POWERSHELL AFTER PROXYNOTSHELL: PART 2 - APPROVEDAPPLICATIONCOLLECTION
- Blog Part 3 - EXPLOITING EXCHANGE POWERSHELL AFTER PROXYNOTSHELL: PART 3 – DLL LOADING CHAIN FOR RCE
- Blog Part 4 - EXPLOITING EXCHANGE POWERSHELL AFTER PROXYNOTSHELL: PART 4 – NO ARGUMENT CONSTRUCTOR