IrfanView 4.52 - Exploitable - User Mode Write AV starting at image00400000+0x0000000000013a98 (Hash=0xb2c478d3.0x1c175e82)

The bug

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "z:\s\apr\blackhat\tools\irfan\i_view32.exe" "z:\s\apr\blackhat\crashes_reproduce\irfan\s3\crashes_20190326220014\id_000021_00.tif"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 005d7000   image00400000
ModLoad: 77a20000 77bb0000   ntdll.dll
Page heap: pid 0x158: page heap enabled with flags 0x3.
ModLoad: 71790000 717f4000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x158: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 74300000 74317000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74440000 7578a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 73860000 73a64000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 77060000 7711f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75dc0000 7601c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 77230000 77269000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77490000 77518000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 75cf0000 75db0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 056e0000 057a0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 742e0000 74300000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 77670000 776c8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 742d0000 742da000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 75b40000 75b84000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76450000 76a0a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 758c0000 75938000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 771e0000 77225000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 77870000 7787f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77880000 77898000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77120000 77128000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75790000 757b6000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 737c0000 7383c000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 77140000 771d6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 734e0000 73503000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 73440000 734bd000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 733b0000 7343b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 73150000 733ad000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 73040000 73069000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 73070000 73146000   C:\Windows\SysWOW64\wintypes.dll
(158.1698): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0afae000 ebx=0af9c800 ecx=0e0e1000 edx=000002bc esi=00000001 edi=00000000
eip=00413a98 esp=0019dfa4 ebp=0000117f iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
image00400000+0x13a98:
00413a98 8818            mov     byte ptr [eax],bl          ds:002b:0afae000=??
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019dfb0 00414c94 0af9c800 0e0e0ff0 000002cc image00400000+0x13a98
01 0019dfb4 0af9c800 0e0e0ff0 000002cc 00000001 image00400000+0x14c94
02 0019dfb8 0e0e0ff0 000002cc 00000001 0000117f 0xaf9c800
03 0019dfbc 00000000 00000001 0000117f 00000000 0xe0e0ff0
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x0000000000013a98 (Hash=0xb2c478d3.0x1c175e82)

User mode write access violations that are not near NULL are exploitable.