# ThemeBleed
Proof-of-Concept for CVE-2023-38146 ("ThemeBleed")
```
Usage: ThemeBleed.exe <command>
Commands:
server - Runs the server
make_theme <host> <output path> - Generates a .theme file referencing the specified host
make_themepack <host> <output_path> - Generates a .themepack file referencing the specified host
```
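
A triage check for the `.theme` files described above, as an added example that is not part of this repository: it lists every remote host (UNC path or `file://` URL) named by any value in a theme file. The sample file contents and the host name `files.example.test` are constructed for illustration.

```python
import re

# \\?\UNC\host\share, \\host\share, or file://host/...; local \\?\ and \\.\ forms are skipped
_REMOTE = re.compile(
    r'^(?:\\\\\?\\UNC\\(?P<ext>[^\\/]+)'
    r'|\\\\(?P<unc>[^\\/?.][^\\/]*)[\\/]'
    r'|file:/{2}(?P<url>[^/\\]+)[/\\])',
    re.IGNORECASE,
)

def decode_theme(raw: bytes) -> str:
    """Theme files are INI-style text, seen as UTF-16 with a BOM or as ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    if raw[:3] == b"\xef\xbb\xbf":
        return raw[3:].decode("utf-8", "replace")
    return raw.decode("cp1252", "replace")

def remote_references(raw: bytes):
    """Return (section, key, host) for every value that points at a remote host."""
    hits, section = [], ""
    for line in decode_theme(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        m = _REMOTE.match(value.strip().strip('"'))
        if m:
            host = m.group("ext") or m.group("unc") or m.group("url")
            hits.append((section, key.strip(), host.lower()))
    return hits

# Constructed samples: one theme naming a remote style file, one using a local path.
SAMPLE_REMOTE = (
    "[Theme]\r\nDisplayName=Constructed sample\r\n"
    "[VisualStyles]\r\nPath=\\\\files.example.test\\share\\Aero.msstyles\r\n"
).encode("utf-16")
SAMPLE_LOCAL = (
    b"[VisualStyles]\r\nPath=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles\r\n"
)

if __name__ == "__main__":
    print(remote_references(SAMPLE_REMOTE))
```

Run over mail attachments or download folders, any non-empty result identifies a theme file that would make the machine contact another host when applied.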

## Data files

The binaries in `data` correspond to the 3 files returned to the target by the PoC.

- `stage_1` - An `msstyles` file with the `PACKTHEM_VERSION` set to 999.
- `stage_2` - A valid unmodified `msstyles` file to pass the signature check.
- `stage_3` - The DLL that will be loaded and executed. The provided example simply launches `calc.exe`.

To make your own payload, create a DLL with an export named `VerifyThemeVersion` containing your code, and replace `stage_3` with your newly created DLL.

```
[4.0K] /data/pocs/a25129cb030dc25a51f1ec2018f34980154c90fb
├── [4.0K] data
│ ├── [1.4M] stage_1
│ ├── [1.4M] stage_2
│ └── [ 89K] stage_3
├── [ 906] README.md
├── [4.0K] SMBFilterDemo
│ ├── [ 189] App.config
│ ├── [ 32K] NTFilteredFileSystem.cs
│ ├── [ 218] packages.config
│ ├── [5.2K] Program.cs
│ ├── [4.0K] Properties
│ │ └── [1.4K] AssemblyInfo.cs
│ └── [2.8K] ThemeBleed.csproj
└── [1.1K] ThemeBleed.sln
3 directories, 11 files
```