0x0000000000002d7d.md

FastStone Image Viewer - User Mode Write AV starting at image00400000+0x0000000000002d7d (Hash=0x3eda38dc.0xbb0b339f)

The bug
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\FSViewer70\FSViewer.exe" "z:\s\apr\blackhat\crashes_reproduce\fsview\crashes_20190319111502\id_000051_00.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is: srv*
ModLoad: 00400000 00a90000   image00400000
ModLoad: 77a20000 77bb0000   ntdll.dll
Page heap: pid 0x1338: page heap enabled with flags 0x3.
ModLoad: 71c10000 71c74000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1338: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000   C:\Windows\SysWOW64\user32.dll
ModLoad: 74300000 74317000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 758c0000 75938000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 77060000 7711f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75b40000 75b84000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 75cf0000 75db0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 742e0000 74300000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 742d0000 742da000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 77670000 776c8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 77140000 771d6000   C:\Windows\SysWOW64\oleaut32.dll
ModLoad: 75dc0000 7601c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 757c0000 758bc000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 734c0000 734c8000   C:\Windows\SysWOW64\version.dll
ModLoad: 71c00000 71c06000   C:\Windows\SysWOW64\msimg32.dll
ModLoad: 75790000 757b6000   C:\Windows\SysWOW64\imm32.dll
ModLoad: 73860000 73a64000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\comctl32.dll
ModLoad: 74440000 7578a000   C:\Windows\SysWOW64\shell32.dll
ModLoad: 77230000 77269000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 71b90000 71bfd000   C:\Windows\SysWOW64\winspool.drv
ModLoad: 77870000 7787f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77490000 77518000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 73aa0000 73ab9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 71a10000 71b90000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 719e0000 71a10000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 76450000 76a0a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 771e0000 77225000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 77880000 77898000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77120000 77128000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75bb0000 75c86000   C:\Windows\SysWOW64\comdlg32.dll
ModLoad: 719b0000 719d3000   C:\Windows\SysWOW64\MsVfW32.dll
ModLoad: 71990000 719ac000   C:\Windows\SysWOW64\avifil32.dll
ModLoad: 71970000 71989000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 71940000 71964000   C:\Windows\SysWOW64\winmm.dll
ModLoad: 001d0000 001f4000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 71790000 71934000   C:\Windows\SysWOW64\quartz.dll
ModLoad: 71760000 71783000   C:\Windows\SysWOW64\winmmbase.dll
ModLoad: 001d0000 001f3000   C:\Windows\SysWOW64\winmmbase.dll
ModLoad: 737c0000 7383c000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 734e0000 73503000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 71740000 71759000   C:\Windows\SysWOW64\olepro32.dll
ModLoad: 76c70000 76cf3000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 715c0000 71731000   C:\Windows\SysWOW64\windowscodecs.dll
ModLoad: 71550000 715b1000   Z:\s\apr\blackhat\tools\FSViewer70\fsplugin06.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 71540000 71547000   C:\Windows\SysWOW64\DCIMAN32.DLL
ModLoad: 732c0000 7330f000   C:\Windows\SysWOW64\dataexchange.dll
ModLoad: 72f20000 7305c000   C:\Windows\SysWOW64\dcomp.dll
ModLoad: 73060000 732b2000   C:\Windows\SysWOW64\d3d11.dll
ModLoad: 72e80000 72f18000   C:\Windows\SysWOW64\dxgi.dll
ModLoad: 72d10000 72e75000   C:\Windows\SysWOW64\twinapi.appcore.dll
ModLoad: 72ce0000 72d01000   C:\Windows\SysWOW64\RMCLIENT.dll
ModLoad: 71210000 71538000   C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
ModLoad: 711c0000 7120a000   C:\Windows\SysWOW64\thumbcache.dll
ModLoad: 734d0000 734da000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 711a0000 711b5000   C:\Windows\SysWOW64\samcli.dll
ModLoad: 71180000 71199000   C:\Windows\SysWOW64\SAMLIB.dll
ModLoad: 71170000 7117b000   C:\Windows\SysWOW64\netutils.dll
ModLoad: 73840000 73858000   C:\Windows\SysWOW64\MPR.dll
ModLoad: 71140000 7116a000   C:\Windows\SysWOW64\vmhgfs.dll
ModLoad: 71130000 71139000   C:\Windows\SysWOW64\drprov.dll
ModLoad: 710e0000 71122000   C:\Windows\SysWOW64\WINSTA.dll
ModLoad: 710c0000 710d2000   C:\Windows\SysWOW64\ntlanman.dll
ModLoad: 710a0000 710b9000   C:\Windows\SysWOW64\davclnt.dll
ModLoad: 71090000 7109a000   C:\Windows\SysWOW64\DAVHLPR.dll
ModLoad: 71080000 71090000   C:\Windows\SysWOW64\wkscli.dll
ModLoad: 71070000 7107f000   C:\Windows\SysWOW64\cscapi.dll
(1338.fe4): Unknown exception - code 000006ba (first chance)
ModLoad: 6ad80000 6adfe000   Z:\s\apr\blackhat\tools\FSViewer70\fsplugin05.dll
ModLoad: 70fe0000 71065000   C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
(1338.fe4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
eax=0000001c ebx=148dfffc ecx=00000007 edx=14c80ff8 esi=0b9365e8 edi=14c81010
eip=00402d7d esp=0019f920 ebp=0019f980 iopl=0         nv dn ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210602
image00400000+0x2d7d:
00402d7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019f980 005f0b60 00000000 0019f9ec 00000000 image00400000+0x2d7d
01 0019f9f8 005ef0ac 0019fa58 005ef2dd 0019fa50 image00400000+0x1f0b60
02 0019fa50 005ee9a3 0019fa78 005ee9ad 0019fa70 image00400000+0x1ef0ac
03 0019fa70 008c7ce0 0019faa4 008c7d11 0019fa98 image00400000+0x1ee9a3
04 0019fa98 008ca1a1 0019fba8 0019fab0 008ca1f7 image00400000+0x4c7ce0
05 0019fba8 00902c54 00000001 00000000 00000001 image00400000+0x4ca1a1
06 0019fc40 0077fcfa 0019fc54 0077fd41 0019fcec image00400000+0x502c54
07 0019fcec 0077b96c 0019fd00 0077b976 0019fda8 image00400000+0x37fcfa
08 0019fda8 004736cf 0019fde8 004736d9 0019fdcc image00400000+0x37b96c
09 0019fdcc 004733bb 07fa8130 07f25730 004041f2 image00400000+0x736cf
0a 0019ff10 0047abe4 0019ff3c 0047abee 0019ff34 image00400000+0x733bb
0b 0019ff34 0093ba8f 0019ff48 0093baaa 0019ff80 image00400000+0x7abe4
0c 0019ff80 772e8494 003bd000 772e8470 de2c0345 image00400000+0x53ba8f
0d 0019ff94 77a841c8 003bd000 d56a68c9 00000000 KERNEL32!BaseThreadInitThunk+0x24
0e 0019ffdc 77a84198 ffffffff 77a9f342 00000000 ntdll!__RtlUserThreadStart+0x2f
0f 0019ffec 00000000 0093b1bc 003bd000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x0000000000002d7d (Hash=0x3eda38dc.0xbb0b339f)

User mode write access violations that are not near NULL are exploitable.