
Update the theme hijack exploit #2

Conversation

zeroSteiner

This fixes the issues with exploiting the TOCTOU issue.

I fixed the overarching issue by addressing it as two smaller issues.

First, it was necessary to identify when the payload DLL vs. the signed DLL should be sent. This was achieved by implementing the hooks provided in rapid7/ruby_smb#256. This allows the callback hook to be invoked when a create request is received so that it can be inspected. I know the original vulnerability mentioned using the share access == 5, but on further inspection I think checking the desired_access.execute is a more intuitive and equally reliable indicator. This solves the problem of when one DLL should be used vs. another, which brings us to the second problem.

The second problem was how to switch the content of a DLL file after the TreeConnect request is received. VirtualDynamicFiles are generated and converted to VirtualStaticFiles when the TreeConnect request is received (in English, this is when the share is opened). This takes place so the file object can be stat'ed to obtain information necessary for a directory listing, prior to the file being opened. I instead opted to inline a subclass of the VirtualStaticFile that maintains separate content on a per-thread basis. Client connections are handled in a dedicated thread, so keeping things isolated to their threads should address any issues that could occur if multiple client systems opened the exploit file at the same time. The exploit tracks an instance of the thread-localized version of the virtual static file, and uses the previously mentioned hooks to set the content as desired.

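The two pieces described above (a create-request hook that picks the DLL from the requested access, and a static file whose content is kept per serving thread) as an added, stand-alone model in Ruby. This is example code written for this page, not the PR's own code and not ruby_smb's API: the class and method names (`ThreadLocalStaticFile`, `on_create_request`, `simulate_two_clients`) are hypothetical, the two DLL byte strings are constructed stand-ins, and the hook takes a raw SMB2 access mask rather than ruby_smb's `desired_access` bitfield whose `execute` bit the PR checks.

```ruby
# Added example, not the PR's code. Models the PR's approach without ruby_smb:
# a per-thread static file plus a create-request hook keyed on execute access.
# Hypothetical names throughout; DLL contents below are constructed stand-ins.

require 'thread'

# SMB2 / MS-FSCC file access mask bit for FILE_EXECUTE.
FILE_EXECUTE = 0x20

# Constructed stand-in contents. A real exploit serves a genuine signed DLL and
# a payload DLL; only the "MZ" prefix here mimics a PE header.
SIGNED_DLL  = "MZ\x90\x00signed-stub".b
PAYLOAD_DLL = "MZ\x90\x00payload-stub".b

# A static file whose content can be overridden per serving thread. Each client
# connection runs in its own thread, so two clients opening the same path at the
# same time never observe each other's override. Unset threads see the default.
class ThreadLocalStaticFile
  attr_reader :name

  def initialize(name, default_content)
    @name = name
    @default_content = default_content
    @per_thread = {}          # Thread => content override
    @lock = Mutex.new
  end

  def content
    @lock.synchronize { @per_thread.fetch(Thread.current, @default_content) }
  end

  def content=(bytes)
    @lock.synchronize { @per_thread[Thread.current] = bytes }
  end

  # What a directory listing / stat would report for the calling thread.
  def size
    content.bytesize
  end

  # Drop the calling thread's override once its connection is done.
  def release!
    @lock.synchronize { @per_thread.delete(Thread.current) }
  end
end

# Create-request hook: an open that asks for execute access is the loader
# mapping the DLL, so that open gets the payload; any other open (signature
# check, listing, preview) gets the signed DLL. Returns true when the payload
# was selected.
def on_create_request(file, desired_access)
  wants_execute = (desired_access & FILE_EXECUTE) != 0
  file.content = wants_execute ? PAYLOAD_DLL : SIGNED_DLL
  wants_execute
end

# Two concurrent "clients" served by two threads: one opens for read only, the
# other for read + execute. Both set their content before either reads, which
# is the interleaving that would break a single shared content slot.
# Returns { verifier: <bytes>, loader: <bytes> }.
def simulate_two_clients(file)
  accesses = { verifier: 0x01, loader: FILE_EXECUTE | 0x01 }
  results = {}
  lock = Mutex.new
  cond = ConditionVariable.new
  ready = 0

  threads = accesses.map do |label, access|
    Thread.new do
      on_create_request(file, access)
      lock.synchronize do
        ready += 1
        cond.broadcast
        cond.wait(lock) while ready < accesses.size   # wait for the other client
        results[label] = file.content
      end
      file.release!
    end
  end
  threads.each(&:join)
  results
end

if __FILE__ == $PROGRAM_NAME
  f = ThreadLocalStaticFile.new('example.dll', SIGNED_DLL)
  simulate_two_clients(f).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The per-thread table is what lets the file keep reporting the signed DLL's size to a listing on one connection while a second connection that opened with execute access is handed the payload; dropping the override in `release!` keeps a long-lived server from accumulating entries for finished threads.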
bwatters-r7 pushed a commit that referenced this pull request Nov 13, 2023
@bwatters-r7 bwatters-r7 merged commit 81ec3d0 into bwatters-r7:exploit/cve-2023-38146 Nov 13, 2023
bwatters-r7 pushed a commit that referenced this pull request Aug 21, 2024
bwatters-r7 pushed a commit that referenced this pull request Dec 5, 2024
Stage cmd payloads to a file before executing
bwatters-r7 pushed a commit that referenced this pull request Dec 5, 2024