XnView Standard v2.48 - User Mode Write AV starting at xnview+0x000000000032e849 (Hash=0xb0048d34.0x4dfc13cc)

  • xnview.exe: 2.48.0.0 (x86)

The bug

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\xnview\XnView\xnview.exe" "z:\s\apr\blackhat\crashes_reproduce\xnview\s3\id_000222_00"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00a6d000   xnview.exe
ModLoad: 770e0000 77270000   ntdll.dll
Page heap: pid 0xBEC: page heap enabled with flags 0x3.
ModLoad: 71b50000 71bb4000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xBEC: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 75830000 76b7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 75770000 7582f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74e00000 74e39000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74040000 7415d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74160000 741e8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 73a20000 73ae0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74380000 745dc000   C:\Windows\SysWOW64\combase.dll
ModLoad: 751a0000 7575a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74db0000 74df5000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 76c80000 76ca2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73e20000 73fad000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 73d60000 73d6f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76b80000 76c56000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74280000 7437c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 72b80000 72b88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 73000000 73204000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 71b30000 71b4c000   C:\Windows\SysWOW64\AVIFIL32.dll
ModLoad: 71b00000 71b23000   C:\Windows\SysWOW64\MSVFW32.dll
ModLoad: 71250000 71274000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 71a90000 71afd000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 71a70000 71a89000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 71190000 711b3000   C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 718f0000 71a70000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 70fe0000 71010000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 72f30000 72f49000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 745e0000 74606000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 741f0000 74273000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 718a0000 718ea000   Z:\s\apr\blackhat\tools\xnview\XnView\Plugins\openjp2.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 74b20000 74c63000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 72ba0000 72bc3000   C:\Windows\SysWOW64\dwmapi.dll
(bec.1adc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0be0df7e ebx=000009f9 ecx=0be2f000 edx=0be2f000 esi=0be0dfd6 edi=00000003
eip=0072e849 esp=0019dd98 ebp=0019ddcc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
xnview+0x32e849:
0072e849 884106          mov     byte ptr [ecx+6],al        ds:002b:0be2f006=??
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019ddcc 006fe46e 0bd6cf60 0bdf6be0 00008c3f xnview+0x32e849
01 0019e114 006fce09 0bd6cf60 0bda8be0 0019e2ac xnview+0x2fe46e
02 0019e39c 006fc5e0 0bd6cf60 0bd6aca8 00000000 xnview+0x2fce09
03 0019e3b0 00634505 0bd6cf60 0bd6aca8 0bd6aca8 xnview+0x2fc5e0
04 0019e3cc 00634424 0bd6cf60 0bd6aca8 00000000 xnview+0x234505
05 0019e4f4 00638735 0bd6cf60 0bd6aca8 00000002 xnview+0x234424
06 0019e528 006384cc 0019ea60 0bd46340 0019e578 xnview+0x238735
07 0019e550 00513174 0019ea60 0bd46340 0019e578 xnview+0x2384cc
08 0019eb74 0057f6f8 0019edf8 00000000 0bd46340 xnview+0x113174
09 0019ef0c 0058066e 0019f0c0 0bd46130 00000001 xnview+0x17f6f8
0a 0019fafc 00580ca5 0bd3cef8 00000000 00000000 xnview+0x18066e
0b 0019fb3c 0050c343 00f006d6 00000401 00000000 xnview+0x180ca5
0c 0019fb64 005868e9 00000401 00000000 0019fd64 xnview+0x10c343
0d 0019fb78 73e5bf1b 00f006d6 00000401 00000000 xnview+0x1868e9
0e 0019fba4 73e583ea 005868d0 00f006d6 00000401 USER32!AddClipboardFormatListener+0x49b
0f 0019fc8c 73e3beca 005868d0 00000000 00000401 USER32!DispatchMessageW+0x97a
10 0019fcf8 73e3bab1 06701540 00000000 0019fd64 USER32!SendMessageW+0x3aa
11 0019fd30 0058945b 00f006d6 00000401 00000000 USER32!SendMessageA+0x131
12 0019fd80 00589eef 00007765 00000000 0019fda8 xnview+0x18945b
13 0019ff34 00784d80 00400000 00000000 053effbb xnview+0x189eef
14 0019ff80 73c98494 00324000 73c98470 1f147bde xnview+0x384d80
15 0019ff94 771441c8 00324000 f6fde505 00000000 KERNEL32!BaseThreadInitThunk+0x24
16 0019ffdc 77144198 ffffffff 7715f327 00000000 ntdll!__RtlUserThreadStart+0x2f
17 0019ffec 00000000 00784c79 00324000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xnview+0x000000000032e849 (Hash=0xb0048d34.0x4dfc13cc)

User mode write access violations that are not near NULL are exploitable.