扫码分享
验证:
体验盒子Application:Notepad++
Version:6.5.2 UNICODE
Get the application from: http://notepad-plus-plus.org/download/v6.5.2.html
Plugin:CCompletion
Version: Version 1.19 ( Unicode )
Get the plugin from: http://sourceforge.net/apps/mediawiki/notepad-plus/index.php?title=Plugin_Central
Vulnerability:Stack buffer overflow
Vulnerability Impact: Local Code Execution
Triggering details:
1. Install Notepad++ (6.5.2) with the plugin CCompletion(Version 1.19 UNICODE)
2. Open Notepad++
3. Input large number of characters (any character is ok), at least 554 characters.
4. Select all the text in the editor
5. Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11, then the Notepad++ will be crashed
Cause of the Vulnerability
The notepad++ sends text the user selected to the plugin of CCompletion, but the plugin copys the text by using lstrcpyW in the module kernel32. So the stack buffer is over flow.
Exploit POC
I constructed an exploit for this vulnerability. It will show a message box with the caption “HA” and the text “Back Door Opend.”
1. This exploit does not process the mitigation of DEP, so if you want to test it please disable the DEP feature on your system or just for the application.
2. This exploit uses the “JMP ESP” insturction in module Notepad++.exe, because it is a non-ASLR module.So the expolit is independent of Windows system version.
The expolit is in the file attatchment named shellcode.txt
1. Open shellcode.txt with Notepad++
2. Select all the content in the editor
3. Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31895.7z
体验盒子
