init

Lets try to exploit the yet-another-windows-vulnerability known as CVE-2023-38146 aka ThemeBleed. To do that we need to create the theme file which will consist of “path” from where the payloads will be delivered.

Please note that as per my testing, the command execution only happens if both the SMB server and the theme file is in the same machine. Pulling dll(s) from remote system appears not to work.

In the attacker machine, you will need to disable the SMB by disabling the Server service from the services.msc. Keep that service in disabled state.

Download the repo and use the below command the generate the theme file:

.\ThemeBleed.exe make_theme localhost exp.theme

After generating you will have to run the code in server mode.

Now lets run the exp.theme file to the victim machine (windows 11) and run the exploit.

As we can see that the Calc.exehas been executed.

privilege ?

Windows permission systems is a mystical cloud generated by the Genie of Aladdin. So there is no way of telling what kind of permissions the calc.exe will have rather lets try to doe something else. From the Process Explorer we can see the following information.

As this is no fun, we will try to execute our command which is cmd.exe by modifying the dllfile which are provided when the exploit has executed.

Now I have created my own dll and and instead of running calc.exe I tried to run the cmd.exe. After couple of tires I was able to run the calc.exe and a message box showing a prompt. In the below screenshot you also will be able to view the permission level of the cmd.exeprocess running in.

future works

Currently I was not able to deliver the payload from a remote system and planning to check why my dll works when running from localhost but not when it is running from the remote system. The authors original dllhowever works both in localhost as well as in remote systems.

reference

https://github.com/gabe-k/themebleed https://exploits.forsale/themebleed/