Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/theunknownsoul/cve-2023-23397-pow

Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.
https://github.com/theunknownsoul/cve-2023-23397-pow

exploitation hacking msoutlook netntlm smb

Last synced: 11 days ago
JSON representation

Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.

Host: GitHub
URL: https://github.com/theunknownsoul/cve-2023-23397-pow
Owner: TheUnknownSoul
Created: 2024-03-20T09:49:01.000Z (8 months ago)
Default Branch: master
Last Pushed: 2024-03-20T10:39:04.000Z (8 months ago)
Last Synced: 2024-03-21T11:09:20.003Z (8 months ago)
Topics: exploitation, hacking, msoutlook, netntlm, smb
Language: Python
Homepage:
Size: 5.86 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# CVE-2023-23397-PoW
Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.
For educational and research puproses only.

## CVE-2023-23397 preview
This CVE aimed to retrieve NetNTLM hash logged in user from Microsoft Outlook client version 2016 except last patched version.

## Steps to reproduce and successful exploitation
- Download any sound file to smb machine which will be deployed as SMB share.
- Start smb share.
- Create an applointment in MS Outlook. In home menu New Item -> Appointment. Below Time Zone icon placed ahcor hyperlink with sound reminder. Click on it, add sound file from smb share. Add recipients with Invite attendees button.
- Send message
- First hash will be received from user who create an appointment and added sound file from share. Next hashes will be from users who **OPEN** invitation.

## About exploit
### How to run

```python3 exploit.py -p 192.168.0.5 -f recipients.txt```

Help menu with description.

```python3 exploit.py -h```

Exploit was written for mass delivery test and works with chance 50/50. This is because Python library independentsoft.msg for creating appointment and objects for Outlook attaches file as **message** and MS Outlook recognizes it not as native. That's why retrieving hash not always completing successfully.

## Limitations

During test I faced with some technical hicaps and limitations. The are:
- limitations for mass email delivery
- network limitations
- weak connection
- self-signed certificate or security limitations for certificate validation