
ACDSee Free - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x00000000000024ed (Hash=0xec22af54.0x9a44352d)

Version 1.1.21

The bug

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000083_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 77660000 777f0000   ntdll.dll
Page heap: pid 0x1278: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1278: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73580000 73784000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 73f40000 7405d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 762d0000 76390000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74480000 744c4000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 762a0000 762c2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 058f0000 05a7d000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 76070000 76087000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 00020000 00037000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 713c0000 713c6000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 76090000 76108000   C:\Windows\SysWOW64\ADVAPI32.dll
ModLoad: 74970000 75cba000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 764c0000 76505000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 76110000 7620c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 74930000 74969000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74130000 741b8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 76c90000 7724a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74260000 7426f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76690000 76698000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 741c0000 74256000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76390000 763f7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000   C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 76210000 76229000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 76b50000 76c26000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 70d70000 70e2e000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 70980000 70d65000   C:\Windows\SysWOW64\msi.dll
ModLoad: 70500000 7053d000   C:\Windows\SysWOW64\STI.dll
ModLoad: 70470000 704fe000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70540000 70972000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 6fef0000 70344000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 70400000 70469000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 70350000 703f3000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72c80000 72c88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 6fee0000 6feee000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fe50000 6fede000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 734b0000 734c9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 6fe20000 6fe41000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 6fe10000 6fe1c000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 74060000 74086000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 6fdf0000 6fe03000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 6fdc0000 6fdef000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09800000 09c28000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09800000 09c28000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1278.1ba8): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09c30000 09f26000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09c30000 09f26000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72e40000 7309d000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 72db0000 72e3b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72ca0000 72cc9000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72cd0000 72da6000   C:\Windows\SysWOW64\wintypes.dll
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
(1278.1bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a9dd003 ebx=fff7d5f1 ecx=00000000 edx=060c007a esi=0a9c8f60 edi=fff7d5f1
eip=09c892cd esp=088cfdbc ebp=7fffffff iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
IDE_ACDStd!JPEGTransW+0x24ed:
09c892cd 8858fd          mov     byte ptr [eax-3],bl        ds:002b:0a9dd000=??
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 088cfdc8 09c89bd9 00000002 0968fbb0 09ca4c4f IDE_ACDStd!JPEGTransW+0x24ed
01 088cfdd4 09ca4c4f 088cfe4c 0043db77 0a9c8f60 IDE_ACDStd!JPEGTransW+0x2df9
02 088cfddc 0043db77 0a9c8f60 088cfe4c 60a8b21c IDE_ACDStd!IDP_PageDecodeStep+0x1f
03 088cfe70 004e9d03 00000000 088cfec4 097be06c ACDSee_Free+0x3db77
04 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xe9d03
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x00000000000024ed (Hash=0xec22af54.0x9a44352d)

User mode write access violations that are not near NULL are exploitable.