PoC details: 6db73fa2f0dc4ac9764039f453f3c37cb6e3985e

Source
Related vulnerability
Title: Microsoft Windows Themes security vulnerability (CVE-2023-38146)
Description: Microsoft Windows is an operating system for personal devices from the US company Microsoft. Microsoft Windows Themes contains a security vulnerability that an attacker can exploit to execute code remotely. The following products and versions are affected: Windows 11 version 21H2 for x64-based Systems, Windows 11 version 21H2 for ARM64-based Systems, Windows 11 Version 22H2 for ARM64-based Systems, Wi
Description
A proof of concept in Python for CVE-2023-38146, "ThemeBleed".
Introduction
A huge thanks to gabe_k for the initial PoC in C# and for actually finding this CVE; this is a remake of his code in Python, reusing his stage files.
To see the initial PoC view his page for it here: <https://github.com/gabe-k/themebleed>
# ThemeBleedPy
A proof of concept in Python for CVE-2023-38146, "ThemeBleed".
# Requirements:
This program uses [Impacket's SMB server](https://github.com/fortra/impacket) and overrides its smb2Create function, so it requires Impacket to be installed.
```
Usage:
  Replace {IP-ADDRESS} in the exploit.theme file
  python3 ThemeBleedServer.py - Run the SMB server
  Use the .theme file on a vulnerable Windows 11 machine
  As in Gabe's exploit, you need to create a new stage 3 file, a DLL that exports VerifyThemeVersion; the current file only opens Calc.
```

# How it works:
ThemeBleed starts with a .theme file that requests an .msstyles file from the internet.
If that file carries a "999" version number, Windows calls the ReviseVersionIfNecessary function, which loads a DLL without safely verifying it, allowing an attacker to load an unchecked library file.
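The trigger described above is a theme whose visual style points at a remote location rather than a local, trusted .msstyles. A defender-side check that follows from this is to inspect .theme files for such references. The script below is an added example, not code from this repository or from gabe_k's PoC. It assumes the standard INI layout of Windows .theme files, where the visual style is referenced by the `Path` key of the `[VisualStyles]` section; the two embedded theme texts and the 192.0.2.10 address are constructed samples.

```python
import codecs
import configparser
import re

# Constructed sample: a theme whose visual style lives on a remote SMB share.
# This is NOT the repository's exploit.theme; the address is from TEST-NET-1.
REMOTE_THEME = r"""[Theme]
DisplayName=Sample

[VisualStyles]
Path=\\192.0.2.10\share\sample.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Constructed sample: a benign theme referencing the built-in Aero style.
LOCAL_THEME = r"""[Theme]
DisplayName=Aero

[VisualStyles]
Path=%ResourceDir%\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# A UNC path starts with two backslashes followed by a host name and a separator.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def find_remote_style_paths(theme_text: str) -> list[str]:
    """Return every [VisualStyles] Path value that points off-host (UNC or URL).

    An empty list means the theme only references local visual styles.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)

    findings: list[str] = []
    if parser.has_section("VisualStyles"):
        path = parser.get("VisualStyles", "Path", fallback="").strip()
        if UNC_RE.match(path) or path.lower().startswith(("http://", "https://")):
            findings.append(path)
    return findings


def read_theme_file(filename: str) -> str:
    """Read a .theme file from disk; Windows often saves them as UTF-16 with a BOM."""
    with open(filename, "rb") as fh:
        data = fh.read()
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for label, text in (("remote", REMOTE_THEME), ("local", LOCAL_THEME)):
        hits = find_remote_style_paths(text)
        verdict = "FLAGGED" if hits else "ok"
        print(f"{label}: {verdict} {hits}")
```

To scan files on disk, pass `read_theme_file(path)` into `find_remote_style_paths`. A non-empty result is worth treating as suspicious regardless of the style file's version number, since a legitimate theme has no reason to pull its visual style over the network.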
# Why Another PoC?
I put this together because I couldn't get the C# code to compile on Linux, probably due to my own ignorance of how it works; I do know how to code in Python, though.
# Notable Lines:
- Lines 44-53 in ThemeBleedServer.py (overrideSmb2Create): this is where the path change happens
- Lines 191 to end in ThemeBleedServer.py: server creation
- Line 13 in exploit.theme: for the IP change
File snapshot

```
[4.0K] /data/pocs/6db73fa2f0dc4ac9764039f453f3c37cb6e3985e
├── [ 375] exploit.theme
├── [1.5K] README.md
├── [1.4M] stage_1
├── [1.4M] stage_2
├── [ 86K] stage_3
└── [9.3K] ThemeBleedServer.py

0 directories, 6 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source is gone or unreachable, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.