FastStone Image Viewer - User Mode Write AV starting at image00400000+0x0000000000002d7d (Hash=0x3eda38dc.0xbb0b339f)

The bug


Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\FSViewer70\FSViewer.exe" "z:\s\apr\blackhat\crashes_reproduce\fsview\crashes_20190319111502\id_000051_00.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is: srv*
ModLoad: 00400000 00a90000   image00400000
ModLoad: 77a20000 77bb0000   ntdll.dll
Page heap: pid 0x1338: page heap enabled with flags 0x3.
ModLoad: 71c10000 71c74000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1338: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000   C:\Windows\SysWOW64\user32.dll
ModLoad: 74300000 74317000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 758c0000 75938000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 77060000 7711f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75b40000 75b84000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 75cf0000 75db0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 742e0000 74300000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 742d0000 742da000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 77670000 776c8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 77140000 771d6000   C:\Windows\SysWOW64\oleaut32.dll
ModLoad: 75dc0000 7601c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 757c0000 758bc000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 734c0000 734c8000   C:\Windows\SysWOW64\version.dll
ModLoad: 71c00000 71c06000   C:\Windows\SysWOW64\msimg32.dll
ModLoad: 75790000 757b6000   C:\Windows\SysWOW64\imm32.dll
ModLoad: 73860000 73a64000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\comctl32.dll
ModLoad: 74440000 7578a000   C:\Windows\SysWOW64\shell32.dll
ModLoad: 77230000 77269000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 71b90000 71bfd000   C:\Windows\SysWOW64\winspool.drv
ModLoad: 77870000 7787f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77490000 77518000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 73aa0000 73ab9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 71a10000 71b90000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 719e0000 71a10000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 76450000 76a0a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 771e0000 77225000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 77880000 77898000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77120000 77128000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75bb0000 75c86000   C:\Windows\SysWOW64\comdlg32.dll
ModLoad: 719b0000 719d3000   C:\Windows\SysWOW64\MsVfW32.dll
ModLoad: 71990000 719ac000   C:\Windows\SysWOW64\avifil32.dll
ModLoad: 71970000 71989000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 71940000 71964000   C:\Windows\SysWOW64\winmm.dll
ModLoad: 001d0000 001f4000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 71790000 71934000   C:\Windows\SysWOW64\quartz.dll
ModLoad: 71760000 71783000   C:\Windows\SysWOW64\winmmbase.dll
ModLoad: 001d0000 001f3000   C:\Windows\SysWOW64\winmmbase.dll
ModLoad: 737c0000 7383c000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 734e0000 73503000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 71740000 71759000   C:\Windows\SysWOW64\olepro32.dll
ModLoad: 76c70000 76cf3000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 715c0000 71731000   C:\Windows\SysWOW64\windowscodecs.dll
ModLoad: 71550000 715b1000   Z:\s\apr\blackhat\tools\FSViewer70\fsplugin06.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 71540000 71547000   C:\Windows\SysWOW64\DCIMAN32.DLL
ModLoad: 732c0000 7330f000   C:\Windows\SysWOW64\dataexchange.dll
ModLoad: 72f20000 7305c000   C:\Windows\SysWOW64\dcomp.dll
ModLoad: 73060000 732b2000   C:\Windows\SysWOW64\d3d11.dll
ModLoad: 72e80000 72f18000   C:\Windows\SysWOW64\dxgi.dll
ModLoad: 72d10000 72e75000   C:\Windows\SysWOW64\twinapi.appcore.dll
ModLoad: 72ce0000 72d01000   C:\Windows\SysWOW64\RMCLIENT.dll
ModLoad: 71210000 71538000   C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
ModLoad: 711c0000 7120a000   C:\Windows\SysWOW64\thumbcache.dll
ModLoad: 734d0000 734da000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 711a0000 711b5000   C:\Windows\SysWOW64\samcli.dll
ModLoad: 71180000 71199000   C:\Windows\SysWOW64\SAMLIB.dll
ModLoad: 71170000 7117b000   C:\Windows\SysWOW64\netutils.dll
ModLoad: 73840000 73858000   C:\Windows\SysWOW64\MPR.dll
ModLoad: 71140000 7116a000   C:\Windows\SysWOW64\vmhgfs.dll
ModLoad: 71130000 71139000   C:\Windows\SysWOW64\drprov.dll
ModLoad: 710e0000 71122000   C:\Windows\SysWOW64\WINSTA.dll
ModLoad: 710c0000 710d2000   C:\Windows\SysWOW64\ntlanman.dll
ModLoad: 710a0000 710b9000   C:\Windows\SysWOW64\davclnt.dll
ModLoad: 71090000 7109a000   C:\Windows\SysWOW64\DAVHLPR.dll
ModLoad: 71080000 71090000   C:\Windows\SysWOW64\wkscli.dll
ModLoad: 71070000 7107f000   C:\Windows\SysWOW64\cscapi.dll
(1338.fe4): Unknown exception - code 000006ba (first chance)
ModLoad: 6ad80000 6adfe000   Z:\s\apr\blackhat\tools\FSViewer70\fsplugin05.dll
ModLoad: 70fe0000 71065000   C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
(1338.fe4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
eax=0000001c ebx=148dfffc ecx=00000007 edx=14c80ff8 esi=0b9365e8 edi=14c81010
eip=00402d7d esp=0019f920 ebp=0019f980 iopl=0         nv dn ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210602
image00400000+0x2d7d:
00402d7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019f980 005f0b60 00000000 0019f9ec 00000000 image00400000+0x2d7d
01 0019f9f8 005ef0ac 0019fa58 005ef2dd 0019fa50 image00400000+0x1f0b60
02 0019fa50 005ee9a3 0019fa78 005ee9ad 0019fa70 image00400000+0x1ef0ac
03 0019fa70 008c7ce0 0019faa4 008c7d11 0019fa98 image00400000+0x1ee9a3
04 0019fa98 008ca1a1 0019fba8 0019fab0 008ca1f7 image00400000+0x4c7ce0
05 0019fba8 00902c54 00000001 00000000 00000001 image00400000+0x4ca1a1
06 0019fc40 0077fcfa 0019fc54 0077fd41 0019fcec image00400000+0x502c54
07 0019fcec 0077b96c 0019fd00 0077b976 0019fda8 image00400000+0x37fcfa
08 0019fda8 004736cf 0019fde8 004736d9 0019fdcc image00400000+0x37b96c
09 0019fdcc 004733bb 07fa8130 07f25730 004041f2 image00400000+0x736cf
0a 0019ff10 0047abe4 0019ff3c 0047abee 0019ff34 image00400000+0x733bb
0b 0019ff34 0093ba8f 0019ff48 0093baaa 0019ff80 image00400000+0x7abe4
0c 0019ff80 772e8494 003bd000 772e8470 de2c0345 image00400000+0x53ba8f
0d 0019ff94 77a841c8 003bd000 d56a68c9 00000000 KERNEL32!BaseThreadInitThunk+0x24
0e 0019ffdc 77a84198 ffffffff 77a9f342 00000000 ntdll!__RtlUserThreadStart+0x2f
0f 0019ffec 00000000 0093b1bc 003bd000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x0000000000002d7d (Hash=0x3eda38dc.0xbb0b339f)

User mode write access violations that are not near NULL are exploitable.
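The one-line rule at the end of the !exploitable output is what turns this log into a bug report: the faulting instruction is a `rep movs` whose destination `es:[edi]` is at 0x14c81010, far from NULL, and a user-mode write there is classified as exploitable. The script below is an added example, not code from the original repository or from the MSEC `!exploitable` extension. It copies the relevant lines of the log above into a constructed `SAMPLE_LOG`, pulls out the register state, the exception code and the faulting instruction, resolves the memory operands against the registers, and applies only that one rule. Assumptions, all mine: the 64 KiB `NEAR_NULL_LIMIT` cutoff, treating the destination operand as the faulting access when the exception record's read/write flag is not in the log (the real extension reads it from the exception record), and every function and constant name.

```python
import re

# Constructed sample input: the lines from the WinDbg session above that matter for triage.
SAMPLE_LOG = """\
(1338.fe4): Access violation - code c0000005 (first chance)
eax=0000001c ebx=148dfffc ecx=00000007 edx=14c80ff8 esi=0b9365e8 edi=14c81010
eip=00402d7d esp=0019f920 ebp=0019f980 iopl=0         nv dn ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210602
image00400000+0x2d7d:
00402d7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
"""

# Assumption: addresses below 64 KiB count as "near NULL". The real !exploitable
# cutoff is not reproduced here; only the rule printed in the log is implemented.
NEAR_NULL_LIMIT = 0x10000
OPERAND_WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
EXC_RE = re.compile(r"\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): (?P<desc>.*?) - code (?P<code>[0-9a-f]{8})")
DISASM_RE = re.compile(r"^(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]{2,})\s+(?P<mnem>(?:rep\w*\s+)?\w+)\s*(?P<ops>.*)$")
MEM_RE = re.compile(r"(?:(?P<width>byte|word|dword|qword) ptr )?(?:\w+:)?\[(?P<expr>[^\]]+)\]")


def parse_registers(log):
    """Return {name: int} for the x86 registers WinDbg prints at the fault."""
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}


def parse_exception(log):
    """Return the last '(pid.tid): ... - code XXXXXXXX' line as a dict, or None."""
    matches = list(EXC_RE.finditer(log))
    if not matches:
        return None
    m = matches[-1]
    return {"pid": int(m["pid"], 16), "tid": int(m["tid"], 16),
            "desc": m["desc"], "code": int(m["code"], 16)}


def parse_faulting_instruction(log):
    """Return (address, mnemonic, [operands]) for the last disassembled line, or None."""
    found = None
    for line in log.splitlines():
        m = DISASM_RE.match(line.strip())
        if m:
            found = m
    if found is None:
        return None
    ops = [o.strip() for o in found["ops"].split(",")] if found["ops"] else []
    return int(found["addr"], 16), found["mnem"], ops


def resolve_memory_operand(operand, regs):
    """Resolve 'dword ptr es:[edi]', '[ebp-0Ch]' or '[eax+ecx*4]' to (address, width).
    WinDbg prints immediates in hex with a trailing 'h'. Returns None for non-memory operands."""
    m = MEM_RE.search(operand)
    if not m:
        return None
    width = OPERAND_WIDTH.get(m["width"], 4)  # assume dword when the size is omitted
    addr = 0
    for term in re.findall(r"[+-]?[^+-]+", m["expr"].replace(" ", "")):
        sign = -1 if term.startswith("-") else 1
        sym = term.lstrip("+-")
        if "*" in sym:
            base, scale = sym.split("*", 1)
            val = regs[base] * int(scale.rstrip("hH"), 16)
        elif sym in regs:
            val = regs[sym]
        else:
            val = int(sym.rstrip("hH"), 16)
        addr += sign * val
    return addr & 0xFFFFFFFF, width


def classify(log, write_fault=None):
    """Apply the rule from the log: a user-mode write AV not near NULL is EXPLOITABLE.
    write_fault comes from the exception record in the real tool; when it is not given,
    a memory destination operand (Intel syntax, first operand) is assumed to be the access
    that faulted, and that assumption is reported in the result."""
    exc, regs, insn = parse_exception(log), parse_registers(log), parse_faulting_instruction(log)
    if exc is None or exc["code"] != 0xC0000005 or insn is None:
        return {"classification": "UNKNOWN", "reason": "no access violation with disassembly found"}
    addr, mnem, ops = insn
    mem_ops = [(i, resolve_memory_operand(op, regs)) for i, op in enumerate(ops)]
    mem_ops = [(i, r) for i, r in mem_ops if r is not None]
    if not mem_ops:
        return {"classification": "UNKNOWN", "reason": "faulting instruction has no memory operand"}
    dest = next((r for i, r in mem_ops if i == 0), None)
    src = next((r for i, r in mem_ops if i != 0), None)
    inferred = write_fault is None
    if inferred:
        write_fault = dest is not None
    fault_addr, width = (dest if write_fault else src) or dest or src
    near_null = fault_addr < NEAR_NULL_LIMIT
    # For rep string moves ecx holds the remaining element count, so the copy still
    # wanted ecx*width more bytes past the point where it faulted.
    pending = regs["ecx"] * width if mnem.startswith("rep") and "ecx" in regs else None
    if write_fault and not near_null:
        classification, reason = "EXPLOITABLE", "user-mode write AV not near NULL"
    else:
        classification, reason = "UNKNOWN", "only the write-AV rule from the log is implemented"
    return {"classification": classification, "reason": reason, "eip": addr,
            "instruction": f"{mnem} {','.join(ops)}".strip(), "fault_address": fault_addr,
            "access": "write" if write_fault else "read", "access_inferred": inferred,
            "near_null": near_null, "pending_bytes": pending}


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(f"{key:16} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:16} {value}")
```

Run it on the full log rather than the sample and the same lines are picked up, because the parser keeps the last exception and disassembly lines it sees. The `pending_bytes` value for this crash is 28: the `rep movs dword` still had ecx=7 dwords to write when the destination faulted, which is the sort of detail worth pasting into a bug report alongside the hash.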