
IrfanView 4.52 - Exploitable - User Mode Write AV starting at image00400000+0x00000000000249c6 (Hash=0xf71acf8d.0x0999f838)

The bug

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "z:\s\apr\blackhat\tools\irfan\i_view32.exe" "z:\s\apr\blackhat\crashes_reproduce\irfan\s3\crashes_20190326220014\id_000002_00.pcx"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 005d7000   image00400000
ModLoad: 77a20000 77bb0000   ntdll.dll
Page heap: pid 0xCE0: page heap enabled with flags 0x3.
ModLoad: 71790000 717f4000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xCE0: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 74300000 74317000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74440000 7578a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 73860000 73a64000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 77060000 7711f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 03f20000 03fdf000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 77230000 77269000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 75dc0000 7601c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 77490000 77518000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 75cf0000 75db0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 03f20000 03fe0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 76450000 76a0a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 758c0000 75938000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 742e0000 74300000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 75b40000 75b84000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 742d0000 742da000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 77670000 776c8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 771e0000 77225000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 77870000 7787f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77880000 77898000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77120000 77128000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75790000 757b6000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 737c0000 7383c000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 77140000 771d6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 734e0000 73503000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 73440000 734bd000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 73150000 731db000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 731e0000 7343d000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 73120000 73149000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 73040000 73116000   C:\Windows\SysWOW64\wintypes.dll
ModLoad: 0a240000 0a316000   C:\Windows\SysWOW64\wintypes.dll
(ce0.954): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=00000000 edx=00000000 esi=0af7b000 edi=00000000
eip=004249c6 esp=0019e1c0 ebp=00000001 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
image00400000+0x249c6:
004249c6 8806            mov     byte ptr [esi],al          ds:002b:0af7b000=??
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019e208 004a4628 0af5c050 3f000000 0059dab0 image00400000+0x249c6
01 00000000 00000000 00000000 00000000 00000000 image00400000+0xa4628
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000249c6 (Hash=0xf71acf8d.0x0999f838)

User mode write access violations that are not near NULL are exploitable.