XnView Standard v2.48 file processing OOBW

version

  • xnview.exe: 2.48.0.0 (x86)

the bug

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*c:\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00a70000 010dd000   xnview.exe
ModLoad: 770e0000 77270000   ntdll.dll
Page heap: pid 0xF44: page heap enabled with flags 0x3.
ModLoad: 70e50000 70eb4000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xF44: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 75830000 76b7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 75770000 7582f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74e00000 74e39000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74040000 7415d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74160000 741e8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 73a20000 73ae0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74380000 745dc000   C:\Windows\SysWOW64\combase.dll
ModLoad: 751a0000 7575a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74db0000 74df5000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 76c80000 76ca2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73e20000 73fad000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 73d60000 73d6f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76b80000 76c56000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74280000 7437c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 72700000 72708000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 73000000 73204000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 70e20000 70e43000   C:\Windows\SysWOW64\MSVFW32.dll
ModLoad: 70df0000 70e14000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 70d80000 70ded000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 70d50000 70d73000   C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 70bd0000 70d50000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 72f30000 72f49000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 70ba0000 70bd0000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 70b80000 70b9c000   C:\Windows\SysWOW64\AVIFIL32.dll
ModLoad: 70b60000 70b79000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 745e0000 74606000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 741f0000 74273000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 70b10000 70b5a000   c:\apr\blackhat\tools\xnview\XnView\Plugins\openjp2.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 74b20000 74c63000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 72ba0000 72bc3000   C:\Windows\SysWOW64\dwmapi.dll
(f44.bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c52f000 ebx=00000003 ecx=8ed07e7c edx=0c52aa03 esi=0c52aa44 edi=0c52aa85
eip=00d7ecfa esp=0121d660 ebp=0121d66c iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
xnview+0x30ecfa:
00d7ecfa 8908            mov     dword ptr [eax],ecx  ds:002b:0c52f000=????????
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0121d66c 00ca4c8c 0c52aac5 0c52f000 0000000d xnview+0x30ecfa
01 0121d694 00d71269 0c52a9f8 00000000 00000001 xnview+0x234c8c
02 0121d6c8 00d715b0 0c510f60 0c50eca8 0121d6ec xnview+0x301269
03 0121dbd8 00ca4505 0c510f60 0c50eca8 0c50eca8 xnview+0x3015b0
04 0121dbf4 00ca4424 0c510f60 0c50eca8 00000000 xnview+0x234505
05 0121dd1c 00ca8735 0c510f60 0c50eca8 0000000c xnview+0x234424
06 0121dd50 00ca84cc 0121e288 0b29a340 0121dda0 xnview+0x238735
07 0121dd78 00b83174 0121e288 0b29a340 0121dda0 xnview+0x2384cc
08 0121e39c 00bef6f8 0121e620 00000000 0b29a340 xnview+0x113174
09 0121e734 00bf066e 0121e8e8 0b29a130 00000001 xnview+0x17f6f8
0a 0121f324 00bf0ca5 0b290ef8 00000000 00000000 xnview+0x18066e
0b 0121f364 00b7c343 00ad054e 00000401 00000000 xnview+0x180ca5
0c 0121f38c 00bf68e9 00000401 00000000 0121f58c xnview+0x10c343
0d 0121f3a0 73e5bf1b 00ad054e 00000401 00000000 xnview+0x1868e9
0e 0121f3cc 73e583ea 00bf68d0 00ad054e 00000401 USER32!AddClipboardFormatListener+0x49b
0f 0121f4b4 73e3beca 00bf68d0 00000000 00000401 USER32!DispatchMessageW+0x97a
10 0121f520 73e3bab1 06f81670 00000000 0121f58c USER32!SendMessageW+0x3aa
11 0121f558 00bf945b 00ad054e 00000401 00000000 USER32!SendMessageA+0x131
12 0121f5a8 00bf9eef 00007765 00000000 0121f5d0 xnview+0x18945b
13 0121f75c 00df4d80 00a70000 00000000 04b9ffbb xnview+0x189eef
14 0121f7a8 73c98494 00819000 73c98470 f30b1308 xnview+0x384d80
15 0121f7bc 771441c8 00819000 47fbbca3 00000000 KERNEL32!BaseThreadInitThunk+0x24
16 0121f804 77144198 ffffffff 7715f326 00000000 ntdll!__RtlUserThreadStart+0x2f
17 0121f814 00000000 00df4c79 00819000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xnview+0x000000000030ecfa (Hash=0xb0048d34.0x3cb30936)

User mode write access violations that are not near NULL are exploitable.
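Added triage example, not part of the original report: a small Python script that applies the write-AV rule stated above to the faulting-instruction lines of the WinDbg session. It parses the register dump and the `mov dword ptr [eax],ecx ... ds:002b:0c52f000=????????` line, works out whether the memory operand is written or read, whether the fault is near NULL, and whether it landed on a page-aligned unmapped page (which, with full page heap enabled as in this session, is the guard page placed right after an allocation). The near-NULL limit of 0x10000 is an assumption of this example; the report does not state the threshold `!exploitable` itself uses. The sample input is constructed from the session lines above.

```python
import re

# Constructed sample input: the faulting-instruction lines copied from the
# WinDbg session in the report (the module list and stack are not needed).
SAMPLE_CRASH = """\
(f44.bc): Access violation - code c0000005 (first chance)
eax=0c52f000 ebx=00000003 ecx=8ed07e7c edx=0c52aa03 esi=0c52aa44 edi=0c52aa85
eip=00d7ecfa esp=0121d660 ebp=0121d66c iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
xnview+0x30ecfa:
00d7ecfa 8908            mov     dword ptr [eax],ecx  ds:002b:0c52f000=????????
"""

NEAR_NULL_LIMIT = 0x10000   # assumption: faults in the first 64 KiB count as near-NULL
PAGE_SIZE = 0x1000          # x86 page size; full page heap aligns allocation ends to it
BELOW_WINDOW = 0x10000      # report registers pointing at most 64 KiB below the fault

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
AV_RE = re.compile(r"Access violation - code c0000005")
# "<eip> <opcode bytes> <mnemonic> <operands>  ds:<selector>:<fault addr>=<value>"
INSN_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)\s+"
    r"[a-z]s:[0-9a-f]{4}:(?P<fault>[0-9a-f]{8})=(?P<value>\S+)\s*$",
    re.MULTILINE,
)
MEM_RE = re.compile(r"\[([^\]]+)\]")
# Instructions whose first operand is only read, even though it comes first.
READ_ONLY_FIRST = {"cmp", "test", "bt"}


def split_operands(ops: str) -> list:
    """Split an Intel-syntax operand string on commas outside [] brackets."""
    parts, depth, cur = [], 0, ""
    for ch in ops:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def triage(log: str) -> dict:
    """Classify a WinDbg access-violation excerpt using the write-AV rule."""
    if not AV_RE.search(log):
        raise ValueError("no access violation (c0000005) in log")
    m = INSN_RE.search(log)
    if m is None:
        raise ValueError("faulting instruction line not found")

    regs = {name: int(val, 16) for name, val in REG_RE.findall(log)}
    fault = int(m["fault"], 16)
    ops = split_operands(m["ops"])
    mem_idx = next(i for i, op in enumerate(ops) if "[" in op)
    # Intel syntax lists the destination first: a memory operand in
    # position 0 is written unless the mnemonic only reads it.
    access = "write" if mem_idx == 0 and m["mnem"] not in READ_ONLY_FIRST else "read"
    base_register = MEM_RE.search(ops[mem_idx]).group(1).split("+")[0].strip()

    unmapped = m["value"].startswith("?")          # "????????" = page not present
    guard_page_hit = unmapped and fault % PAGE_SIZE == 0
    near_null = fault < NEAR_NULL_LIMIT
    # Rule quoted in the report: a user-mode write AV not near NULL is exploitable.
    classification = "EXPLOITABLE" if access == "write" and not near_null else "UNKNOWN"
    # Registers pointing just below the fault usually hold cursors into the
    # overrun buffer; their distance hints at how far the write ran past it.
    regs_below_fault = {
        name: fault - val for name, val in regs.items()
        if 0 < fault - val <= BELOW_WINDOW
    }
    return {
        "eip": int(m["eip"], 16),
        "mnemonic": m["mnem"],
        "access": access,
        "base_register": base_register,
        "fault_address": fault,
        "near_null": near_null,
        "guard_page_hit": guard_page_hit,
        "classification": classification,
        "regs_below_fault": regs_below_fault,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_CRASH).items():
        print(f"{key:17} {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key:17} {val}")
```

Running it on the session above reports a write through `eax` to `0x0c52f000`, classified as exploitable under the quoted rule, with `guard_page_hit` set: the address is page-aligned and unmapped, which is the signature of a linear heap overflow under full page heap. `edx`, `esi` and `edi` all sit roughly 0x45xx bytes below the fault, consistent with the write pointer in `eax` having run off the end of the buffer those registers index.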