CVE-2023-23397

Published: 14/03/2023 Updated: 20/03/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Microsoft Outlook Elevation of Privilege Vulnerability

Vulnerable Product

microsoft outlook 2016

microsoft outlook 2013

microsoft office 2019

microsoft 365 apps -

microsoft office 2021

Github Repositories

CVE-2023-23397 Remediation Script (Powershell)

CVE-2023-23397. CVE-2023-23397 Remediation Script (Powershell). There are 3 PowerShell scripts. If your patch management software uses an evaluation and a remediation script, use the respective files/scripts. Alternatively, if you wish to just push out the update without the above, the All In One script will evaluate the current version of Microsoft Office and if it is not one of

Proof of Concept for CVE-2023-23397 in Python

CVE-2023-23397 (Outlook Privilege Escalation). Proof of Concept for CVE-2023-23397 in Python. Quick and easy "proof of concept" in Python for the Outlook CVE that affects Microsoft Office/365 products. Usage: Install pywin by running pip install pywin32. Start a SMB server on the attacker machine, such as Metasploit's SMB module. Run python Exploit.py <save_or

Exploit for the CVE-2023-23397

CVE-2023-23397_EXPLOIT_0DAY Exploit for the CVE-2023-23397 Credit to domchell EML/MSG Checker for the exploit: #!/usr/bin/env python3 from extract_msg import AppointmentMeeting from helpers import Status from task import Task from report import Report from base import BaseWorker class OutlookMSG(BaseWorker): def analyse(self, task: Task, report: Report, manual_trigger:

securityxploded.com/memory-execution-of-executable.php www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/ j00ru.vexillium.org/syscalls/nt/64/ blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-ov

PoC for CVE-2023-23397

CVE-2023-23397-PoC-PowerShell. POC for CVE-2023-23397. A critical vulnerability in the Microsoft Outlook 365 application suite is being actively exploited in the wild and requires urgent patching. The CVE-2023-23397 bug, rated CVSS 9.8, allows remote

A collection of Message Filters for Cisco Secure Email Gateway (fka Email Security Appliance) focused on document-based threats.

cisco-email-filters. A collection of Message Filters for Cisco Secure Email Gateway (fka Email Security Appliance) focused on hunting document-based threats. It's a result of the author's research and already known and published methods of detecting and identifying specific files and threats. These filters are not a replacement for any AV or AMP engine but they can enh

CVE-2023-23397 PoC

CVE-2023-23397 Proof of Concept. This is a proof of concept (PoC) exploit for CVE-2023-23397, a vulnerability in the Windows Microsoft Outlook client. Prerequisites: Python 3, pywin32 package. How to use (Windows): Install the required pywin32 package by running pip install pywin32. Run the script with the following command: python Exploit.py <save_or_send> <ta

Simple PoC of the CVE-2023-23397 vulnerability with the payload sent by email.

CVE-2023-23397. Simple and dirty PoC of the CVE-2023-23397 vulnerability impacting the Outlook thick client. Description: Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. Indeed, an attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero c

Security Notes for the Wild

Welcome to Cyber Secure Labs Public Site for sharing security writes Write-up by: Cybersec Post Exploitation Toolkit: Working with Powershell Empire - Post Exploitation - Pub Date 09/12/2021 Active Directory LAB: Setup Active Directory Vulnerable LAB Setup - MSSQL Setup - Pub Date 02/11/2022 Active Directory LAB: ATTACKS Active Directory LAB Offensive - Print Nightmare - Pub Da

digging into using office/Word .xml files and "recent" docx/xlsx/etc.

NetNTLMv2-and-Office-Docs-Research. Was talking with some friends on discord, and the conversation started with a couple links and seeing whether some combo of these 2 would still work in 2023: blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/ and bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/. It turns out that i

CVE-2023-23397-PoC. C# send only version of CVE-2023-23397-POC-Powershell by Oddvar Moe (@oddvarmoe). Sends email from the address associated with Outlook account. .\CVE_2023_23397.exe --help CVE_2023_23397 1000 Copyright c 2023 -t, --to Required Recipient email address -p, --path Required UNC Path -s, --subject Message subject ("Testing New E

CVE-2023-23397-POC-Powershell. Script functions to either send or save calendar NTLM leakage using the ReminderSoundFile option. Run script to load the functions in Powershell, then you can use the examples below as a starting point for using the functions. Requires to be run on a Windows machine with Outlook installed since it uses the Outlook COM object to send emails. Note th

Generates meeting requests taking advantage of CVE-2023-23397. This requires the outlook thick client to send.

CVE-2023-23397 MS Outlook Vulnerability Exploitation. CVE-2023-23397 is a vulnerability in Microsoft Outlook that allows an attacker to potentially exfiltrate user authentication details. The vulnerability stems from the ability of an attacker to specify a Universal Naming Convention (UNC) path in the "ReminderSoundFile" property within an email or meeting invite. When

Another package to analyse emails to find potential threats.

Enail Hunter. Copyright (C) 2023 F Brezo (@febrezo). Description: Another package to analyse emails to find potential threats. It has been originally developed as a PoC for fun to do some work on MSG parsing and identify potential indicators of compromise of CVE-2023-23397 in those files. Note that if you are looking for fast detection you might be interested on trying specifi

To exploit this vulnerability, an attacker must create a malicious calendar invitation that includes a reference to a sound file pointing to a file in a network share in the attacker's machine. At a low level, an Outlook email stores the reference to the sound file in an internal parameter called "PidLidReminderFileParameter". To ensure that the audio we embed in

CVE-2023-23397 - Microsoft Outlook Vulnerability

CVE-2023-23397 - Microsoft Outlook Vulnerability For educational purposes only!

Exploit POC for CVE-2023-23397

CVE-2023-23397-POC. Exploit POC for CVE-2023-23397. Appointment.cs : the modified file from github.com/Sicos1977/MsgKit/blob/master/MsgKit/Appointment.cs. Exploit.cs : the code I used to replicate creating the malicious appointment. I modified the code picture in MDSEC article here : www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of

CVE-2023-23397-POC-Using-Interop-Outlook. Easy implementation for (CVE-2023-23397) exploit POC using Microsoft.Office.Interop.Outlook

Patch for MS Outlook Critical Vulnerability - CVSS 9.8

CVE-2023-23397. Patch for MS Outlook Critical Vulnerability - CVSS 9.8. 3 PowerShell scripts are included in the Patch folder. If your patch management software uses an evaluation and a remediation script, use the respective files/scripts. The All In One script will evaluate the current version of Microsoft Office and if it is not one of the versions listed in the script, it

Yara rule compatible with ClamAV based on expl_outlook_cve_2023_23397.yar

expl_outlook_cve_2023_23397_securiteinfo.yar. Yara rule compatible with ClamAV based on expl_outlook_cve_2023_23397.yar. Original rule can be found here : github.com/Neo23x0/signature-base/blob/master/yara/expl_outlook_cve_2023_23397.yar. Can detect this PoC exploit : github.com/grn-bogo/CVE-2023-23397

CVE-2023-23397. Description: Outlook suffers from a lack of control over the user input that allows to configure the sound of a meeting and appointment reminder. An attacker is able to force a victim to make a connection to its server without any manipulation from the user (zero click vulnerability). An attacker exploiting this vulnerability retrieves a NetNTLMv2 digest based on

CVE-2023-23397 powershell patch script for Windows 10 and 11

CVE-2023-23397 Windows Update Patch. CVE-2023-23397 powershell patch script for Windows 10 and 11. This version of the script allows you to check if your device has the most recent patches for the latest Microsoft exploit. If the security updates are not found using the Powershell Command Get-hotfix, it will download the latest windows update and silently install them with

An exploitation demo of Outlook Elevation of Privilege Vulnerability

CVE-2023-23397-Report. An exploitation demo of Outlook Elevation of Privilege Vulnerability. CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server on an untrusted network. No user interaction is required. The

CVE-2023-23397. A proof of concept for CVE-2023-23397 for security testing. Modify lines 11 and 12 with the attacker UNC path and target email address.

A simple PoC of the CVE-2023-23397 vulnerability, with the payload sent by email.

CVE-2023-23397-POC. A simple PoC of the CVE-2023-23397 vulnerability, with the payload sent by email.

PoCs

exploits - PoCs CVE-2023-23397

Cyber Defence related kusto queries for use in Azure Sentinel and Defender advanced hunting

KustQueryLanguage_kql. Cyber Defence related kusto queries for use in Azure Sentinel and Defender advanced hunting. Use at your own risk. Some queries have been tested and verified within the lab. Others have resulted from research into threat reports or those shared by researchers with the community. MITRE ATT&CK Mapping: Initial Access Technique Description Link Tag

👋 Hi there, I'm Bhavkaran Singh Chahal - aka bhavsec Information security enthusiast with strong interest in penetration testing and offensive security Strong background in security tools, emerging technologies, processes and best practices An author of ReconSpider an Open Source Intelligence (OSINT) security tool Reported Security Vulnerabilities in Netherland

Python script for sending e-mails with CVE-2023-23397 payload using SMTP

CVE-2023-23397. This script allows to create TNEF-encoded Outlook e-mails with CVE-2023-23397 exploit payload and send them via pure SMTP - no need in COM objects or EWS. I could not get IPM.Schedule.Meeting.Request message class to work properly (it generates both meeting and the reminder but does not respect PidLidReminderOverride property for some reason), so instead the scri

Simple PoC in PowerShell for CVE-2023-23397

A Simple PoC in PowerShell for CVE-2023-23397. CVE-2023-23397 is a vulnerability in MS Outlook that allows an attacker to potentially exfil user authentication details. The vulnerability relates to the ability for an attacker to specify a UNC path in the "ReminderSoundFile" property within an email/meeting invite - when the reminder triggers in Outlook, the user

Matt's code compendium Me and my code I've been an IT pro for higher education since 2007 This is an index of some projects I've done, mostly Powershell-based, which I felt are worth sharing for other IT pros The majority of my scripting work is done for the purposes of system administration and endpoint management for Engineering IT Shared Services, in the Gra

C implementation of Outlook 0-click vulnerability

CVE-2023-23397-POC C implementation of Outlook 0-click vulnerability

Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.

CVE-2023-23397-PoW Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application

This script exploits CVE-2023-23397, a Zero-Day vulnerability in Microsoft Outlook, allowing the generation of malicious emails for testing and educational purposes.

[CVE-2023-23397] Vulnerability Details 🚨💻 Microsoft has recently addressed a set of critical security vulnerabilities, including this zero-day exploits: CVE-2023-23397. The Common Vulnerability Scoring System (CVSS) assigned score of 9.8 to this exploit. CVE-2023-23397: Elevation of Privilege in Microsoft Outlook 📧🔓 A significant elevation of privilege (EoP) vulnera

Repository in which you will find all the queries (in pseudocode) shown in the conference "Fancy Bears and Where To Find Them" presented by Ana Junquera Méndez in RootedCON 2023

Fancy Bear related queries. These queries are shown here in pseudocode, before using them in any EDR you should translate them to the correct language. Initial Access query: Scripting processes executed from Outlook (T1566): parent_process = "OUTLOOK.EXE" and child_process in ("wscript.exe", "powershell.exe", "cmd.exe", "cscript.exe"

Lantern Shark is a static file analyzer written in HTML and Javascript.

Lantern Shark. Lantern Shark is a file analyzer written in HTML and JavaScript. It can extract metadata and embedded script code from multiple file types. It also attempts to identify suspicious and malicious attributes of various file types. A live demo of this project can be viewed here. Additional Features: Deobfuscation of extracted scripts via inserted comments. Look for th

Recent Articles

IT threat evolution Q3 2023
Securelist • David Emm • 01 Dec 2023

Targeted attacks. Unknown threat actor targets power generator with DroxiDat and Cobalt Strike. Earlier this year, we reported on a new variant of SystemBC called DroxiDat that was deployed against a critical infrastructure target in South Africa. This proxy-capable backdoor was deployed alongside Cobalt Strike beacons. The incident occurred in the third and fourth week of March, as part of a small wave of attacks involving both DroxiDat and Cobalt Strike beacons around the world; and we believe t...

Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability
Securelist • Francesco Figurelli • 19 Jul 2023

On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public. Affected products include all supported versions o...

IT threat evolution in Q1 2023. Non-mobile statistics
Securelist • AMR • 07 Jun 2023

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures: According to Kaspersky Security Network, in Q1 2023: Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe. Web Anti-Virus detected 246,912,694 unique URLs ...

Crims exploit Microsoft, Fortinet flaws before any patches exist
The Register

The outlook is grim for Outlook - and SAP, Adobe, Android, and Chrome - so get ready for a long update party

Patch Tuesday Microsoft's March Patch Tuesday includes new fixes for 74 bugs, two of which are already being actively exploited, and nine that are rated critical. Let's start with the two that miscreants found before Redmond issued a fix. First up: prioritize patching CVE-2023-23397, a privilege elevation bug in Microsoft Outlook that received a 9.8 out of 10 CVSS rating. While details of the hole haven't been publicly disclosed, it has already been exploited in the wild, and Microsoft lists its...

Fancy Bear goes phishing in US, European high-value networks
The Register

GRU-linked crew going after our code warns Microsoft - Outlook not good

Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets – like government, defense, and aerospace agencies in the US and Europe – since March, according to Microsoft. The US and UK governments have linked this state-sponsored gang to Russia's military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, a Microsoft Outlook elevation of privilege ...

Why Microsoft just patched a patch that squashed an under-attack Outlook bug
The Register

Let's take a quick dive into Windows API

Microsoft in March fixed an interesting security hole in Outlook that was exploited by miscreants to leak victims' Windows credentials. This week the IT giant fixed that fix as part of its monthly Patch Tuesday update. To remind you of the original bug, tracked as CVE-2023-23397: it was possible to send someone an email that included a reminder with a custom notification sound. That custom sound could be specified as a URL path within the email. If a miscreant carefully crafted a mail with that ...