Notepad++ Plugin Notepad 1.5 – Local Overflow

• Exploit Database
• 12 阅读

• 作者： Junwen Sun
  日期： 2013-12-03
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/30007/

• # Exploit Title: Notepad++ - Notepad# plugin local exploit
  # Google Dork:
  # Date: 2013-12-01
  # Exploit Author: Sun Junwen
  # Vendor Homepage: http://notepad-plus-plus.org/
  # Software Link: http://notepad-plus-plus.org/download/
  # Version: Notepad ++ 6.3.2 with Notepad# plugin (1.5) and Explorer plugin
  (1.8.2)
  # Tested on: Windows XP SP3 EN
  # CVE :
  
  1. Poc
  With Notepad# plugin (1.5) and Explorer plugin (1.8.2) installed in Notepad
  ++ 6.3.2, open the html file in attachement, click Enter in the last
  </script> tag, Npp will crash and calc.exe will open. Without Explorer
  plugin, these still can be exploit. Explorer plugin makes this easier.
  
  2. Root cause
  NotepadSharp plugin has several stack buffer overflow bug.
  In its PluginDefinition.cpp file, there are some char buffer whose length
  are 9999. They are all defined on stack.
  So if some strcpy/memcpy copy more than 9999 chars to these buffers, it
  leads to a stack overflow.
  
  3. Tested on
  Windows XP SP3 EN
  Notepad ++ 6.3.2
  Notepad# plugin (1.5) and Explorer plugin (1.8.2)
  
  Sun Junwen
  Trendmicro, CDC
  
  
  
  Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30007.zip