Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.# CVE-2023-23397-PoW
Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.
For educational and research puproses only.
## CVE-2023-23397 preview
This CVE aimed to retrieve NetNTLM hash logged in user from Microsoft Outlook client version 2016 except last patched version.
## Steps to reproduce and successful exploitation
- Download any sound file to smb machine which will be deployed as SMB share.
- Start smb share.
- Create an applointment in MS Outlook. In home menu New Item -> Appointment. Below Time Zone icon placed ahcor hyperlink with sound reminder. Click on it, add sound file from smb share. Add recipients with Invite attendees button.
- Send message
- First hash will be received from user who create an appointment and added sound file from share. Next hashes will be from users who **OPEN** invitation.
## About exploit
### How to run
```python3 exploit.py -p 192.168.0.5 -f recipients.txt```
Help menu with description.
```python3 exploit.py -h```
Exploit was written for mass delivery test and works with chance 50/50. This is because Python library independentsoft.msg for creating appointment and objects for Outlook attaches file as **message** and MS Outlook recognizes it not as native. That's why retrieving hash not always completing successfully.
## Limitations
During test I faced with some technical hicaps and limitations. The are:
- limitations for mass email delivery
- network limitations
- weak connection
- self-signed certificate or security limitations for certificate validation
[4.0K] /data/pocs/8c412788744f04063f18c1c0698a4ea064fc7455
├── [3.1K] exploit.py
└── [1.5K] README.md
0 directories, 2 files