Application: Notepad++
Version: 6.5.2 UNICODE
Get the application from: http://notepad-plus-plus.org/download/v6.5.2.html

Plugin: CCompletion
Version: 1.19 (Unicode)
Get the plugin from: http://sourceforge.net/apps/mediawiki/notepad-plus/index.php?title=Plugin_Central

Vulnerability: Stack buffer overflow
Vulnerability Impact: Local Code Execution

Triggering details:

1. Install Notepad++ (6.5.2) with the CCompletion plugin (version 1.19 UNICODE).
2. Open Notepad++.
3. Enter a large number of characters (any character will do), at least 554 characters.
4. Select all the text in the editor.
5. Click Menu Plugins->CCompletion->Go to identifier (Open in first view) F11; Notepad++ will then crash.

Cause of the Vulnerability

Notepad++ passes the text the user selected to the CCompletion plugin, but the plugin copies that text with lstrcpyW (from kernel32), which copies up to the terminating NUL with no length check. A selection longer than the destination buffer therefore overflows the stack buffer.
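The unbounded copy described above, beside a bounds-checked replacement, as an added example in portable C (not the plugin's code). The buffer size and function names are assumptions, and wcscpy stands in for lstrcpyW, which behaves the same way (copies until the terminating NUL).

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Assumed capacity of the plugin's stack buffer; the advisory does not give the real size. */
#define IDENT_BUF_WCHARS 256

/* Vulnerable pattern from the advisory: an lstrcpyW-style copy with no length check.
 * wcscpy, like lstrcpyW, stops only at the terminating NUL, so a selection longer
 * than the destination runs past the end of the stack buffer. Shown for comparison only. */
void copy_selection_unchecked(wchar_t *dst, const wchar_t *selection)
{
    wcscpy(dst, selection);
}

/* Hardened replacement: copy only when the selection plus its terminator fits.
 * Returns 1 on success, 0 when the selection is rejected (dst is left untouched). */
static int copy_selection_checked(wchar_t *dst, size_t dst_wchars, const wchar_t *selection)
{
    size_t len = wcslen(selection);
    if (dst_wchars == 0 || len >= dst_wchars)
        return 0;
    memcpy(dst, selection, (len + 1) * sizeof(wchar_t));
    return 1;
}

/* Models the "Go to identifier" handler using the hardened copy.
 * Returns 1 if the selection was accepted into the stack buffer, 0 if it was too long. */
int go_to_identifier(const wchar_t *selection)
{
    wchar_t ident[IDENT_BUF_WCHARS];
    if (!copy_selection_checked(ident, IDENT_BUF_WCHARS, selection))
        return 0;
    (void)ident; /* a real handler would look the identifier up here */
    return 1;
}

/* Builds a constructed selection of n 'A' characters and runs the handler on it.
 * Returns the handler's result, or -1 if n exceeds the constructed input buffer. */
int selection_of_length_accepted(size_t n)
{
    static wchar_t sel[1024];
    if (n >= sizeof sel / sizeof sel[0])
        return -1;
    for (size_t i = 0; i < n; i++)
        sel[i] = L'A';
    sel[n] = L'\0';
    return go_to_identifier(sel);
}
```

With the assumed 256-wchar buffer, a 255-character selection is accepted and the 554-character input from the trigger steps is rejected instead of overwriting the stack.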

Exploit POC

I constructed an exploit for this vulnerability. It will show a message box with the caption “HA” and the text “Back Door Opend.”

1. This exploit does not deal with the DEP mitigation, so if you want to test it, please disable DEP on your system or just for the application.
2. This exploit uses the “JMP ESP” instruction in the module Notepad++.exe, because it is a non-ASLR module. So the exploit is independent of the Windows system version.

The exploit is in the file attachment named shellcode.txt

1. Open shellcode.txt with Notepad++
2. Select all the content in the editor
3. Click Menu Plugins->CCompletion->Go to identifier (Open in first view) F11

Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31895.7z