
XnView Standard v2.48 - User Mode Write AV starting at xnview+0x0000000000328165 (Hash=0xb0048d34.0x69c1dafc)

  • xnview.exe: 2.48.0.0 (x86)

the bug

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\xnview\XnView\xnview.exe" "z:\s\apr\blackhat\crashes_reproduce\xnview\s1\id_000096_00"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00040000 006ad000   xnview.exe
ModLoad: 770e0000 77270000   ntdll.dll
Page heap: pid 0xF30: page heap enabled with flags 0x3.
ModLoad: 712d0000 71334000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xF30: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 75830000 76b7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 75770000 7582f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74e00000 74e39000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74040000 7415d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74160000 741e8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 73a20000 73ae0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74380000 745dc000   C:\Windows\SysWOW64\combase.dll
ModLoad: 751a0000 7575a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74db0000 74df5000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 76c80000 76ca2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73e20000 73fad000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 73d60000 73d6f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 72b80000 72b88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 76b80000 76c56000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74280000 7437c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 73000000 73204000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 712b0000 712cc000   C:\Windows\SysWOW64\AVIFIL32.dll
ModLoad: 71280000 712a3000   C:\Windows\SysWOW64\MSVFW32.dll
ModLoad: 71250000 71274000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 711e0000 7124d000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 711b0000 711d3000   C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 71030000 711b0000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 71000000 71030000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 72f30000 72f49000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 70fe0000 70ff9000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 745e0000 74606000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 741f0000 74273000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 70f90000 70fda000   Z:\s\apr\blackhat\tools\xnview\XnView\Plugins\openjp2.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 74b20000 74c63000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 72ba0000 72bc3000   C:\Windows\SysWOW64\dwmapi.dll
(f30.8ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0be04d04 ecx=0be05000 edx=000006f8 esi=00000008 edi=00000002
eip=00368165 esp=00afd580 ebp=00afd5b4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
xnview+0x328165:
00368165 8901            mov     dword ptr [ecx],eax  ds:002b:0be05000=????????
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00afd5b4 00366093 0bd60f60 0bdfcbd8 0004f592 xnview+0x328165
01 00afd5e4 0033e1d8 0bd60f60 0bdfcbd8 00050889 xnview+0x326093
02 00afd934 0033ce09 0bd60f60 0bdfcbd8 00afdacc xnview+0x2fe1d8
03 00afdbbc 0033c5e0 0bd60f60 0bd5eca8 00000000 xnview+0x2fce09
04 00afdbd0 00274505 0bd60f60 0bd5eca8 0bd5eca8 xnview+0x2fc5e0
05 00afdbec 00274424 0bd60f60 0bd5eca8 00000000 xnview+0x234505
06 00afdd14 00278735 0bd60f60 0bd5eca8 00000002 xnview+0x234424
07 00afdd48 002784cc 00afe280 0aaea340 00afdd98 xnview+0x238735
08 00afdd70 00153174 00afe280 0aaea340 00afdd98 xnview+0x2384cc
09 00afe394 001bf6f8 00afe618 00000000 0aaea340 xnview+0x113174
0a 00afe72c 001c066e 00afe8e0 0aaea130 00000001 xnview+0x17f6f8
0b 00aff31c 001c0ca5 0aae0ef8 00000000 00000000 xnview+0x18066e
0c 00aff35c 0014c343 000c06de 00000401 00000000 xnview+0x180ca5
0d 00aff384 001c68e9 00000401 00000000 00aff584 xnview+0x10c343
0e 00aff398 73e5bf1b 000c06de 00000401 00000000 xnview+0x1868e9
0f 00aff3c4 73e583ea 001c68d0 000c06de 00000401 USER32!AddClipboardFormatListener+0x49b
10 00aff4ac 73e3beca 001c68d0 00000000 00000401 USER32!DispatchMessageW+0x97a
11 00aff518 73e3bab1 06807810 00000000 00aff584 USER32!SendMessageW+0x3aa
12 00aff550 001c945b 000c06de 00000401 00000000 USER32!SendMessageA+0x131
13 00aff5a0 001c9eef 00007765 00000000 00aff5c8 xnview+0x18945b
14 00aff750 003c4d80 00040000 00000000 0334ffbb xnview+0x189eef
15 00aff79c 73c98494 00895000 73c98470 a554e5ed xnview+0x384d80
16 00aff7b0 771441c8 00895000 bb30ea23 00000000 KERNEL32!BaseThreadInitThunk+0x24
17 00aff7f8 77144198 ffffffff 7715f355 00000000 ntdll!__RtlUserThreadStart+0x2f
18 00aff808 00000000 003c4c79 00895000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xnview+0x0000000000328165 (Hash=0xb0048d34.0x69c1dafc)

User mode write access violations that are not near NULL are exploitable.