来源

关联漏洞

描述

Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.

介绍

# CVE-2023-23397-PoW
Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.
For educational and research puproses only.

## CVE-2023-23397 preview
This CVE aimed to retrieve NetNTLM hash logged in user from Microsoft Outlook client version 2016 except last patched version.

## Steps to reproduce and successful exploitation
- Download any sound file to smb machine which will be deployed as SMB share.
- Start smb share.
- Create an applointment in MS Outlook. In home menu New Item -> Appointment. Below Time Zone icon placed ahcor hyperlink with sound reminder. Click on it, add sound file from smb share. Add recipients with Invite attendees button.
- Send message
- First hash will be received from user who create an appointment and added sound file from share. Next hashes will be from users who **OPEN** invitation.

## About exploit
### How to run

```python3 exploit.py -p 192.168.0.5 -f recipients.txt```

Help menu with description. 

```python3 exploit.py -h```

Exploit was written for mass delivery test and works with chance 50/50. This is because Python library independentsoft.msg for creating appointment and objects for Outlook attaches file as **message** and MS Outlook recognizes it not as native. That's why retrieving hash not always completing successfully.

## Limitations

During test I faced with some technical hicaps and limitations. The are:
- limitations for mass email delivery
- network limitations
- weak connection
- self-signed certificate or security limitations for certificate validation 

文件快照

 [4.0K]  /data/pocs/8c412788744f04063f18c1c0698a4ea064fc7455
├── [3.1K]  exploit.py
└── [1.5K]  README.md

0 directories, 2 files

备注