Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection

Discovered by: Ahmet Ümit BAYRAM

Discovered Date: 12.09.2023

Vendor Homepage: http://www.7stickynotes.com

Software Link:

http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe

Tested Version: 1.9 (latest)

Tested on: Windows 2019 Server 64bit

# # Steps to Reproduce # #

Open the program.

Click on “New Note”.

Navigate to the “Alarms” tab.

Click on either of the two buttons.

From the “For” field, select “1” and “seconds” (to obtain the shell

within 1 second).

From the “Action” dropdown, select “command”.

In the activated box, enter the reverse shell command and click the “Set”

button to set the alarm.

Finally, click on the checkmark to save the alarm.

Reverse shell obtained!