Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "z:\s\apr\blackhat\tools\irfan\i_view32.exe" "z:\s\apr\blackhat\crashes_reproduce\irfan\s3\crashes_20190326220014\id_000002_00.pcx"
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 005d7000 image00400000
ModLoad: 77a20000 77bb0000 ntdll.dll
Page heap: pid 0xCE0: page heap enabled with flags 0x3.
ModLoad: 71790000 717f4000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xCE0: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 74300000 74317000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74440000 7578a000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 73860000 73a64000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 77060000 7711f000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 03f20000 03fdf000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 77230000 77269000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 75dc0000 7601c000 C:\Windows\SysWOW64\combase.dll
ModLoad: 77490000 77518000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 75cf0000 75db0000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 03f20000 03fe0000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 76450000 76a0a000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 758c0000 75938000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 742e0000 74300000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 75b40000 75b84000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 742d0000 742da000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 77670000 776c8000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 771e0000 77225000 C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 77870000 7787f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77880000 77898000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 77120000 77128000 C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75790000 757b6000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 737c0000 7383c000 C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 77140000 771d6000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 734e0000 73503000 C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 73440000 734bd000 C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 73150000 731db000 C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 731e0000 7343d000 C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 73120000 73149000 C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 73040000 73116000 C:\Windows\SysWOW64\wintypes.dll
ModLoad: 0a240000 0a316000 C:\Windows\SysWOW64\wintypes.dll
(ce0.954): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=00000000 edx=00000000 esi=0af7b000 edi=00000000
eip=004249c6 esp=0019e1c0 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
image00400000+0x249c6:
004249c6 8806 mov byte ptr [esi],al ds:002b:0af7b000=??
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019e208 004a4628 0af5c050 3f000000 0059dab0 image00400000+0x249c6
01 00000000 00000000 00000000 00000000 00000000 image00400000+0xa4628
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000249c6 (Hash=0xf71acf8d.0x0999f838)
User mode write access violations that are not near NULL are exploitable.