## https://sploitus.com/exploit?id=6AAE9488-AB72-5FA8-B0FA-637D1D3EAB5B
# CVE-2023-23397-PoW
Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.
For educational and research puproses only.
## CVE-2023-23397 preview
This CVE aimed to retrieve NetNTLM hash logged in user from Microsoft Outlook client version 2016 except last patched version.
## Steps to reproduce and successful exploitation
- Download any sound file to smb machine which will be deployed as SMB share.
- Start smb share.
- Create an applointment in MS Outlook. In home menu New Item -> Appointment. Below Time Zone icon placed ahcor hyperlink with sound reminder. Click on it, add sound file from smb share. Add recipients with Invite attendees button.
- Send message
- First hash will be received from user who create an appointment and added sound file from share. Next hashes will be from users who **OPEN** invitation.
## About exploit
### How to run
```python3 exploit.py -p 192.168.0.5 -f recipients.txt```
Help menu with description.
```python3 exploit.py -h```
Exploit was written for mass delivery test and works with chance 50/50. This is because Python library independentsoft.msg for creating appointment and objects for Outlook attaches file as **message** and MS Outlook recognizes it not as native. That's why retrieving hash not always completing successfully.
## Limitations
During test I faced with some technical hicaps and limitations. The are:
- limitations for mass email delivery
- network limitations
- weak connection
- self-signed certificate or security limitations for certificate validation