Notepad++ CCompletion Plugin 1.19 - Stack Buffer Overflow

2014-02-25T00:00:00
ID EDB-ID:31895
Type exploitdb
Reporter tishion
Modified 2014-02-25T00:00:00

Description

Notepad++ CCompletion Plugin 1.19 - Stack Buffer Overflow. Local exploit for windows platform

                                        
                                            Application:Notepad++
Version:6.5.2 UNICODE
Get the application from: http://notepad-plus-plus.org/download/v6.5.2.html

Plugin:CCompletion
Version: Version 1.19 ( Unicode )
Get the plugin from: http://sourceforge.net/apps/mediawiki/notepad-plus/index.php?title=Plugin_Central

Vulnerability:Stack buffer overflow
Vulnerability Impact: Local Code Execution

Triggering details:
1.	Install Notepad++ (6.5.2) with the plugin CCompletion(Version 1.19 UNICODE)
2.	Open Notepad++
3.	Input large number of characters (any character is ok), at least 554 characters.
4.	Select all the text in the editor
5.	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11, then the Notepad++ will be crashed 

Cause of the Vulnerability
The notepad++ sends text the user selected to the plugin of CCompletion, but the plugin copys the text by using lstrcpyW in the module kernel32. So the stack buffer is over flow.

Exploit POC
I constructed an exploit for this vulnerability. It will show a message box with the caption “HA” and the text “Back Door Opend.”
1.	This exploit does not process the mitigation of DEP, so if you want to test it please disable the DEP feature on your system or just for the application.
2.	This exploit uses the “JMP ESP” insturction in module Notepad++.exe, because it is a non-ASLR module.So the expolit is independent of Windows system version.

The expolit is in the file attatchment named shellcode.txt

1.	Open shellcode.txt with Notepad++
2.	Select all the content in the editor
3.	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11

Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/31895.7z