Notepad++ CCompletion Plugin 1.19 - Local Stack Buffer Overflow

EDB-ID:

31895

Author:

tishion

Type:

local

Platform:

Windows

Published:

2014-02-25

Application:Notepad++
Version:6.5.2 UNICODE
Get the application from: http://notepad-plus-plus.org/download/v6.5.2.html

Plugin:CCompletion
Version: Version 1.19 ( Unicode )
Get the plugin from: http://sourceforge.net/apps/mediawiki/notepad-plus/index.php?title=Plugin_Central

Vulnerability:Stack buffer overflow
Vulnerability Impact: Local Code Execution

Triggering details:
1.	Install Notepad++ (6.5.2) with the plugin CCompletion(Version 1.19 UNICODE)
2.	Open Notepad++
3.	Input large number of characters (any character is ok), at least 554 characters.
4.	Select all the text in the editor
5.	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11, then the Notepad++ will be crashed 

Cause of the Vulnerability
The notepad++ sends text the user selected to the plugin of CCompletion, but the plugin copys the text by using lstrcpyW in the module kernel32. So the stack buffer is over flow.

Exploit POC
I constructed an exploit for this vulnerability. It will show a message box with the caption “HA” and the text “Back Door Opend.”
1.	This exploit does not process the mitigation of DEP, so if you want to test it please disable the DEP feature on your system or just for the application.
2.	This exploit uses the “JMP ESP” insturction in module Notepad++.exe, because it is a non-ASLR module.So the expolit is independent of Windows system version.

The expolit is in the file attatchment named shellcode.txt

1.	Open shellcode.txt with Notepad++
2.	Select all the content in the editor
3.	Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11

Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/31895.7z