A huge thanks to gabe_k for the initial PoC in C#, and actually finding this CVE, this is a remake of his code in python, reusing his stage files. To see the initial PoC view his page for it here: https://github.com/gabe-k/themebleed
A proof of concept using python for the CVE-2023-38146 "ThemeBleed".
This program uses Impackets SMB server and overrides the smb2Create function and therefore required Impackets functionalities.
Usage:
Replace {IP-ADDRESS} in the exploit.theme file
python3 ThemeBleedServer.py - Run the SMB server
Use the .theme file on a vulnerable windows 11 machine
As in Gabe's Exploit you need to create a new stage 3 file that is a dll that exports VerifyThemeVersion, the current file only opens Calc.
Themebleed starts with a .THEME file that requests for an msstyles file off of the internet. If the file has a "999" version number is used it will call the ReviseVersionIfNecessary function, which unsafely loads a .dll file, allowing an attacker to load an unchecked library file.
I put this together because I couldn't get the C# code to compile in linux, probably due to my own ignorance of how it works, I know how to code python though.
Lines 44-53 in ThemeBleedServer.py/overrideSmb2Create - This is where the path change happens
Lines 191-End in ThemeBleedServer.py - Server Creation
Line 13 in exploit.theme - For IP change.