header-logo
Suggest Exploit
vendor:
Notepad++
by:
Anonymous
7,8
CVSS
HIGH
Stack buffer overflow
119
CWE
Product Name: Notepad++
Affected Version From: 6.5.2
Affected Version To: 6.5.2
Patch Exists: YES
Related CWE: N/A
CPE: notepad-plus-plus:6.5.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2013

Stack buffer overflow in Notepad++

A stack buffer overflow vulnerability exists in Notepad++ when the plugin CCompletion is installed. An attacker can exploit this vulnerability by inputting a large number of characters into the editor, selecting all the text, and then clicking Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11, which will cause the Notepad++ to crash. This is due to the plugin copying the text using lstrcpyW in the module kernel32, resulting in a stack buffer overflow. An exploit for this vulnerability is available in the file attachment named shellcode.txt, which will show a message box with the caption “HA” and the text “Back Door Opend.”

Mitigation:

Disable DEP on the system or application, or update to a version of Notepad++ that is not vulnerable.
Source

Exploit-DB raw data:

Application:Notepad++
Version:6.5.2 UNICODE
Get the application from: http://notepad-plus-plus.org/download/v6.5.2.html

Plugin:CCompletion
Version: Version 1.19 ( Unicode )
Get the plugin from: http://sourceforge.net/apps/mediawiki/notepad-plus/index.php?title=Plugin_Central

Vulnerability:Stack buffer overflow
Vulnerability Impact: Local Code Execution

Triggering details:
1.	Install Notepad++ (6.5.2) with the plugin CCompletion(Version 1.19 UNICODE)
2.	Open Notepad++
3.	Input large number of characters (any character is ok), at least 554 characters.
4.	Select all the text in the editor
5.	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11, then the Notepad++ will be crashed 

Cause of the Vulnerability
The notepad++ sends text the user selected to the plugin of CCompletion, but the plugin copys the text by using lstrcpyW in the module kernel32. So the stack buffer is over flow.

Exploit POC
I constructed an exploit for this vulnerability. It will show a message box with the caption “HA” and the text “Back Door Opend.”
1.	This exploit does not process the mitigation of DEP, so if you want to test it please disable the DEP feature on your system or just for the application.
2.	This exploit uses the “JMP ESP” insturction in module Notepad++.exe, because it is a non-ASLR module.So the expolit is independent of Windows system version.

The expolit is in the file attatchment named shellcode.txt

1.	Open shellcode.txt with Notepad++
2.	Select all the content in the editor
3.	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11

Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31895.7z

Navigation

Suggest Exploit

Services By CQR