Notepad++ Plugin Notepad# 1.5 - Local Exploit

90_ · 发表于 2013-12-4 10:26:10

# Exploit Title: Notepad++ - Notepad# plugin local exploit
# Google Dork:
# Date: 2013-12-01
# Exploit Author: Sun Junwen
# Version: Notepad ++ 6.3.2 with Notepad# plugin (1.5) and Explorer plugin
(1.8.2)
# Tested on: Windows XP SP3 EN
# CVE :

1. Poc
With Notepad# plugin (1.5) and Explorer plugin (1.8.2) installed in Notepad
++ 6.3.2, open the html file in attachement, click Enter in the last
</script> tag, Npp will crash and calc.exe will open. Without Explorer
plugin, these still can be exploit. Explorer plugin makes this easier.

2. Root cause
NotepadSharp plugin has several stack buffer overflow bug.
In its PluginDefinition.cpp file, there are some char buffer whose length
are 9999. They are all defined on stack.
So if some strcpy/memcpy copy more than 9999 chars to these buffers, it
leads to a stack overflow.

3. Tested on
Windows XP SP3 EN
Notepad ++ 6.3.2
Notepad# plugin (1.5) and Explorer plugin (1.8.2)

Sun Junwen
Trendmicro, CDC

Exploit:

30007.zip (2.85 KB, 下载次数: 2, 售价: 3 i币)

xyhacker · 发表于 2013-12-4 10:48:03

如何使用, 不知道有方法么,

蓝颜 · 发表于 2013-12-4 10:57:27

下载了

a13775647904 · 发表于 2013-12-4 11:48:21

最新的那个xp+03 ，需要本地登录凭证的？

野驴~ · 发表于 2013-12-4 18:36:36

我去，我用的久这个版本

契约 · 发表于 2013-12-4 19:00:08

看不懂英文，这个EXP用来干什么的？

wangod · 发表于 2013-12-4 19:10:03

我一直用这个，不过现在是6.5.0。0的版本

C4r1st · 发表于 2013-12-4 21:43:40

野驴~ 发表于 2013-12-4 18:36
我去，我用的久这个版本

哈哈，溢出你

Notepad++ Plugin Notepad# 1.5 - Local Exploit

点评

指导单位

旗下站点

联系我们