Microsoft Outlook Net-NTLMv2 Hash Leak via Reminder Sound UNC Path
CVE-2023-23397 is a critical elevation-of-privilege / credential-exposure vulnerability in Microsoft Outlook for Windows. The flaw is triggered when Outlook processes a specially crafted message containing the extended MAPI property PidLidReminderFileParameter set to a UNC path controlled by the attacker. When the reminder is processed, Outlook attempts to access the remote path over SMB, causing the client to authenticate to the attacker-controlled server and leak the victim’s Net-NTLMv2 hash. Exploitation is zero-click in the common case described by Microsoft: no user interaction is required if Outlook on Windows is running and the reminder is triggered. The issue affects Outlook on Windows; Outlook for Android, iOS, Mac, and Outlook on the web are not affected. Microsoft reported in-the-wild exploitation by Forest Blizzard / APT28 beginning as early as April 2022. Post-exploitation reporting also notes attackers relaying the captured authentication to Exchange and using Exchange Web Services to enumerate folders and alter mailbox permissions for persistence.
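As an added defender-side example (not code from this page, from Microsoft, or from any repository listed below), the check below triages PidLidReminderFileParameter values exported from a mailbox scan: it separates local sound files from UNC paths, allow-lists a trusted file server, and flags remote hosts, including the WebDAV `\\host@SSL@port\` form. The trusted host, the sample values and the message ids are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumption: the only internal file server allowed to host reminder sounds.
TRUSTED_HOSTS = {"fileserver.corp.example"}

# Matches \\host\share, a bare \\host, and WebClient forms like \\host@SSL@443\share.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<dav>(?:@(?:SSL|\d+))*)(?:\\|$)", re.I)
LOCAL_RE = re.compile(r"^[A-Za-z]:\\")

Verdict = Tuple[bool, str, Optional[str]]  # (suspicious, reason, host)

def classify_reminder_path(value: str) -> Verdict:
    """Would this PidLidReminderFileParameter value make Outlook authenticate
    to a remote host when the reminder fires?"""
    v = value.strip()
    if not v:
        return (False, "no custom reminder sound", None)
    if LOCAL_RE.match(v):
        return (False, "local drive path, no network access", None)
    m = UNC_RE.match(v)
    if not m:
        return (True, "unrecognised reminder path format", None)
    host = m.group("host").lower()
    if host in TRUSTED_HOSTS:
        return (False, "UNC path to trusted file server", host)
    try:
        scope = "public" if ipaddress.ip_address(host).is_global else "private"
        reason = f"UNC path to untrusted {scope} IP address"
    except ValueError:
        reason = "UNC path to untrusted host name"
    if m.group("dav"):
        reason += " (WebDAV syntax)"
    return (True, reason, host)

def triage(records: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(message_id, host, reason) for every record an analyst must review."""
    rows = [(mid, *classify_reminder_path(val)) for mid, val in records]
    return [(mid, host or "", reason) for mid, bad, reason, host in rows if bad]

# Constructed sample values, as if exported from a mailbox scan of the property.
SAMPLE = [
    ("msg-001", r"C:\Windows\Media\chimes.wav"),
    ("msg-002", r"\\fileserver.corp.example\sounds\ding.wav"),
    ("msg-003", r"\\10.141.69.190\foobar"),
    ("msg-004", r"\\attacker.example.net@SSL@443\DavWWWRoot\s.wav"),
]
```

Running `triage(SAMPLE)` returns only msg-003 and msg-004, the two items whose reminder sound would make Outlook authenticate to an untrusted host.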
Exploits
12 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository contains two proof-of-concept (POC) exploits for CVE-2023-23397, a vulnerability in Microsoft Outlook that can be abused to leak NTLM hashes via specially crafted meeting requests or emails with reminders. The repository includes a PowerShell script (poc.ps1) and a Python script (poc.py), both of which use the Outlook COM interface to create and send items with a reminder that references a remote SMB share (e.g., \\10.141.69.190\foobar). When the reminder is triggered, Outlook attempts to access the SMB share, causing the system to send NTLM authentication data to the attacker's server. The exploit requires access to a compromised Outlook account and is intended to be run from a Windows environment. The README provides a brief overview and usage context. No detection scripts or fake code are present; both scripts are functional POCs demonstrating the vulnerability.
This repository demonstrates exploitation of CVE-2023-23397, a critical zero-click NTLM relay vulnerability in Microsoft Outlook for Windows. The main exploit is a PowerShell script (Outlook.ps1) that creates and sends a calendar invite with a reminder sound set to a remote UNC path (e.g., \\192.168.1.7\nonexistent\sound.wav). When the reminder triggers, Outlook attempts to access the remote file, causing the victim's system to send NTLMv2 authentication hashes to the attacker's SMB server. The README provides detailed background, setup instructions, detection and mitigation guidance, and a full walkthrough of the exploit process. The repository is structured with a single exploit script, a README, license, and .gitattributes file. The exploit is a proof-of-concept and does not include advanced payloads or automation beyond the calendar invite creation. The main fingerprintable endpoint is the attacker-controlled SMB path specified in the script.
This repository provides a proof-of-concept exploit for CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook for Windows. The main file, Exploit.py, is a Python script that uses the pywin32 library to automate Outlook and generate a malicious meeting request. The exploit sets the ReminderSoundFile property of the meeting request to a UNC path (e.g., \\attacker_ip\share), which, when processed by the victim's Outlook client, causes the client to automatically attempt an SMB connection to the attacker's server. This results in the victim's NTLM hash being sent to the attacker, enabling credential theft and potential lateral movement. The script allows the user to either save the malicious email as a .msg file or send it directly via Outlook. The repository includes a README with detailed vulnerability information, usage instructions, and mitigation advice. No hardcoded endpoints are present; the attacker IP/hostname is provided interactively at runtime. The exploit is intended for educational and testing purposes only.
This repository contains a PowerShell proof-of-concept exploit for CVE-2023-23397, a vulnerability in Microsoft Outlook. The main file, POC.ps1, creates and sends a meeting invite to a specified email address. The invite's reminder sound is set to a UNC path that the attacker controls. When the recipient's Outlook client processes the reminder, it attempts to access the UNC path, causing the client to authenticate and potentially leak NTLM credentials to the attacker. The README provides brief instructions, indicating that the user should modify the script to set the target email and the attacker's UNC path. The exploit is a POC and does not include credential harvesting or server-side components. The main attack vector is via email, targeting Outlook users on Windows.
This repository contains a PowerShell proof-of-concept exploit for CVE-2023-23397, a Microsoft Outlook vulnerability that allows attackers to trigger the target's Outlook client to connect to a remote SMB or WebDAV server by setting the ReminderSoundFile property in a meeting invite to a UNC path. The main script (CVE-2023-23397.ps1) creates and sends a meeting invite with this property set, causing Outlook to attempt to load a sound file from the specified remote location when the reminder triggers. This can result in the target's Net-NTLMv2 hash being sent to the attacker's server, enabling credential relay or offline cracking attacks. The repository includes a README explaining the vulnerability and usage. The exploit is a functional PoC and does not include weaponized or automated payload delivery beyond the meeting invite creation.
This repository contains a proof-of-concept (PoC) exploit for CVE-2023-23397, a critical vulnerability in Microsoft Outlook for Windows. The main script, 'lol.py', is a Python program that uses the pywin32 library to automate Outlook and generate a malicious email. The exploit leverages the PidLidReminderFileParameter property to set a custom notification sound file as a UNC path (e.g., \\<attacker_ip>), which causes the target's Outlook client to connect to an attacker-controlled SMB server. This connection results in the leakage of the target's Net-NTLMv2 hash, which can be used for further attacks. The script can either save the malicious email as a .msg file or send it directly to a target email address. The repository also includes a README with detailed usage instructions and a high-level explanation of the vulnerability. No hardcoded endpoints are present; the attacker IP is provided as a command-line argument. The exploit is a PoC and does not include advanced payloads or automation for hash capture.
This repository provides a PowerShell proof-of-concept exploit for CVE-2023-23397, a critical vulnerability in Microsoft Outlook for Windows. The exploit leverages Outlook's handling of calendar appointment reminders with custom sound files. By crafting a calendar invite with the reminder sound file set to a remote UNC path (SMB or WebDAV), the script causes the victim's Outlook client to connect to an attacker-controlled server, leaking the victim's Net-NTLMv2 hash. The repository includes:
- 'CVE-2023-23397.ps1': The main exploit script, containing two functions: 'Send-CalendarNTLMLeak' (sends a malicious invite to a victim) and 'Save-CalendarNTLMLeak' (creates a malicious appointment for local testing).
- 'Readme.md': Detailed documentation on the vulnerability, exploitation steps, detection, and mitigation.
- 'sigma_rule_for_detection.yml' and 'yara_rule_for_detection.yar': Detection rules for identifying exploitation attempts in logs and on disk.
The exploit is a POC and requires the attacker to have Outlook installed and the ability to send emails. The main attack vector is network-based, targeting Windows clients via malicious calendar invites. The repository also provides detection and mitigation guidance for defenders.
This repository contains a Python exploit script (cve-2023-23397.py) targeting CVE-2023-23397, a critical Microsoft Outlook vulnerability. The exploit crafts and sends a TNEF-encoded email with a malicious reminder property that references an attacker-controlled SMB path. When the victim's Outlook client processes the email, it automatically attempts to access the SMB share, causing the client to send NetNTLM authentication data to the attacker. The script supports various options for customizing the email (sender, recipient, subject, body, HTML, DKIM signing, etc.) and can send to multiple recipients via SMTP, optionally using STARTTLS and authentication. The README provides detailed usage instructions and examples. The main attack vector is email delivery, and the primary fingerprintable endpoint is the SMB path used for hash exfiltration. The exploit is operational and can be used for credential theft or relay attacks against vulnerable Outlook clients.
This repository provides a proof-of-concept exploit for CVE-2023-23397, a vulnerability in Microsoft Outlook 2016 (except the last patched version) that allows an attacker to retrieve NetNTLM hashes from users. The exploit consists of a Python script (exploit.py) and a README.md with usage instructions. The script automates sending malicious Outlook appointment invitations to a list of recipients. Each invitation includes a sound reminder referencing a file on an attacker-controlled SMB share. When a recipient opens the invitation, Outlook attempts to access the SMB share, causing the client to authenticate and leak the NetNTLM hash to the attacker. The script requires configuration of SMTP server credentials and a file containing recipient email addresses. The README provides detailed steps for setting up the SMB share and using the exploit. The exploit is a proof-of-concept and may not work reliably due to limitations in the Python library used for crafting Outlook appointments and other network or configuration issues.
This repository provides a PowerShell proof-of-concept (POC) exploit for CVE-2023-23397, a vulnerability in Microsoft Outlook that allows for NTLM credential theft via calendar invites. The main script, CVE-2023-23397.ps1, defines two functions: Send-CalendarNTLMLeak and Save-CalendarNTLMLeak. Both functions create Outlook calendar items with the ReminderSoundFile property set to a remote SMB path. When the calendar invite is processed, Outlook attempts to access the specified file, causing the system to initiate an NTLM authentication attempt to the remote SMB share. This can be exploited by an attacker to capture NTLM hashes for offline cracking or relay attacks. The README.md provides usage instructions and example commands. The exploit requires a Windows environment with Outlook installed and configured. No detection or mitigation functionality is present; the repository is focused solely on demonstrating the exploit.
This repository is a Python proof-of-concept exploit for CVE-2023-23397, a critical vulnerability in Microsoft Outlook (Office/365) on Windows. The exploit leverages Outlook's handling of calendar invites with a ReminderSoundFile set to a UNC path (e.g., \\<attacker_ip>), causing the target's Outlook client to connect to an attacker-controlled SMB server and leak NTLM hashes. The main script, Exploit.py, generates a malicious calendar invite and either saves it as a .msg file or sends it directly to a target email address. The attacker must run an SMB server to capture the hashes. The repository contains three files: the exploit script (Exploit.py), a README with usage instructions, and a GPL license. The exploit is a functional proof-of-concept and does not include advanced payloads or automation for hash cracking.
This repository contains a proof-of-concept (PoC) exploit for CVE-2023-23397, a zero-click vulnerability in Microsoft Outlook (Windows thick client). The exploit leverages Outlook's ability to set a custom reminder sound for calendar appointments. By crafting a .msg appointment file with the reminder sound set to a UNC path (e.g., \\attacker_ip\share), and sending it via email to a victim, the exploit causes the victim's Outlook client to automatically connect to the attacker's SMB share upon receiving the email. This results in the victim's NetNTLMv2 hash being sent to the attacker, which can be used for further attacks. The repository consists of a Python script (CVE-2023-23397.py) that generates the malicious .msg file and sends it via SMTP, and a README.md that explains the vulnerability, usage, and provides references. The exploit requires the attacker to run an SMB server (e.g., with smbserver.py or responder) to capture the hashes. No payload is delivered beyond the credential leak, and the exploit is a functional PoC rather than a weaponized tool.
Recent activity
41 sources tracked across advisories, community write-ups, and news.
A Microsoft Outlook vulnerability used by the threat actors to harvest credentials and gain initial access.
A critical Microsoft Outlook vulnerability abused by APT28 to conduct NTLMv2 hash relay attacks via malicious calendar invite .msg files.
A Microsoft Outlook elevation of privilege vulnerability associated with unauthorized remote WebDAV connections and potential credential theft or follow-on compromise.
A zero-click Microsoft Outlook vulnerability that can trigger upon processing a crafted email and is associated with NTLM credential/hash exposure and follow-on unauthorized access.