Proof of Concept of CVE-2023-23397 for a vulnerable Microsoft Outlook client application. For educational and research purposes only.
This CVE allows retrieving the Net-NTLMv2 hash of the logged-in user from the Microsoft Outlook 2016 client on every build except the latest patched one. The Outlook client connects to the UNC path stored in the appointment's reminder-sound property (PidLidReminderFileParameter) and authenticates to that host with NTLM, so an SMB share under the attacker's control receives the hash.
- Put any sound file (for example a .wav) on the machine that will be deployed as the SMB share.
- Start the SMB share. It must be reachable from the victim clients and must log the NTLM authentication it receives; otherwise nothing is captured.
- Create an appointment in MS Outlook: in the Home menu, New Items -> Appointment. Below the Time Zones icon there is a Sound hyperlink for the reminder sound. Click it and pick the sound file from the SMB share, so the reminder points at a UNC path of the form \\<share host>\<share>\<file>. Add recipients with the Invite Attendees button.
- Send the invitation.
- The first hash is received from the user who creates the appointment and adds the sound file from the share, because Outlook authenticates to the share as soon as the file is selected. The following hashes come from the recipients whose clients OPEN and process the invitation; on an unpatched client the connection is made when the reminder fires, no click on the link is required.
Run the mass-delivery script with the address of the SMB share host and a file containing the recipient list:
python3 exploit.py -p 192.168.0.5 -f recipients.txt
The help menu describes all options:
python3 exploit.py -h
The exploit was written for a mass-delivery test and works roughly half of the time. The reason is that the Python library independentsoft.msg, used to create the appointment and its Outlook objects, attaches the file as a message object, and MS Outlook does not recognise it as a native appointment. That is why the hash retrieval does not always complete successfully.
During testing I ran into some technical hiccups and limitations. They are:
- limitations on mass e-mail delivery
- network limitations
- weak connections
- self-signed certificates, or security restrictions on certificate validation