Notepad++ < 7.7 (x64) - Denial of Service

• Exploit Database
• 11 阅读

• 作者： Bogdan Kurinnoy
  日期： 2019-09-16
• 类别：

  • dos
  平台：

  • windows_x86-64
• 来源：https://www.exploit-db.com/exploits/47393/

• # Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file.
  # Google Dork: N/A
  # Date: 2019-09-14
  # Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
  # Vendor Homepage: https://notepad-plus-plus.org/
  # Version: < 7.7
  # Tested on: Windows x64
  # CVE : CVE-2019-16294
  
  # Description:
  
  SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. 
  
  Open aaaaa.ml via affected notepad++ 
  
  POC files:
  
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47393.zip
  
  Result:
  
  (230.c64): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll -
  rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa
  rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff
  rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81
  r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9
  r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000001 r15=0000000000000002
  iopl=0 nv up ei pl zr na po nc
  cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
  SciLexer!Scintilla_DirectFunction+0x950dd:
  00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=????