# IrfanView 4.52 - Exploitable - User Mode Write AV starting at image00400000+0x0000000000013a98 (Hash=0xb2c478d3.0x1c175e82)

## The bug

```
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "z:\s\apr\blackhat\tools\irfan\i_view32.exe" "z:\s\apr\blackhat\crashes_reproduce\irfan\s3\crashes_20190326220014\id_000021_00.tif"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 005d7000   image00400000
ModLoad: 77a20000 77bb0000   ntdll.dll
Page heap: pid 0x158: page heap enabled with flags 0x3.
ModLoad: 71790000 717f4000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x158: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 74300000 74317000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74440000 7578a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 73860000 73a64000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 77060000 7711f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75dc0000 7601c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 77230000 77269000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77490000 77518000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 75cf0000 75db0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 056e0000 057a0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 742e0000 74300000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 77670000 776c8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 742d0000 742da000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 75b40000 75b84000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76450000 76a0a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 758c0000 75938000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 771e0000 77225000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 77870000 7787f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77880000 77898000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77120000 77128000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75790000 757b6000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 737c0000 7383c000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 77140000 771d6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 734e0000 73503000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 73440000 734bd000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 733b0000 7343b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 73150000 733ad000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 73040000 73069000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 73070000 73146000   C:\Windows\SysWOW64\wintypes.dll
(158.1698): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0afae000 ebx=0af9c800 ecx=0e0e1000 edx=000002bc esi=00000001 edi=00000000
eip=00413a98 esp=0019dfa4 ebp=0000117f iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
image00400000+0x13a98:
00413a98 8818            mov     byte ptr [eax],bl          ds:002b:0afae000=??
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019dfb0 00414c94 0af9c800 0e0e0ff0 000002cc image00400000+0x13a98
01 0019dfb4 0af9c800 0e0e0ff0 000002cc 00000001 image00400000+0x14c94
02 0019dfb8 0e0e0ff0 000002cc 00000001 0000117f 0xaf9c800
03 0019dfbc 00000000 00000001 0000117f 00000000 0xe0e0ff0
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x0000000000013a98 (Hash=0xb2c478d3.0x1c175e82)

User mode write access violations that are not near NULL are exploitable.
```