************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*c:\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00a70000 010dd000 xnview.exe
ModLoad: 770e0000 77270000 ntdll.dll
Page heap: pid 0xF44: page heap enabled with flags 0x3.
ModLoad: 70e50000 70eb4000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xF44: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 75830000 76b7a000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 75770000 7582f000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74e00000 74e39000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74040000 7415d000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74160000 741e8000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 73a20000 73ae0000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 74380000 745dc000 C:\Windows\SysWOW64\combase.dll
ModLoad: 751a0000 7575a000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74db0000 74df5000 C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 76c80000 76ca2000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73e20000 73fad000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 73d60000 73d6f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000 C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76b80000 76c56000 C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74280000 7437c000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 72700000 72708000 C:\Windows\SysWOW64\VERSION.dll
ModLoad: 73000000 73204000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 70e20000 70e43000 C:\Windows\SysWOW64\MSVFW32.dll
ModLoad: 70df0000 70e14000 C:\Windows\SysWOW64\WINMM.dll
ModLoad: 70d80000 70ded000 C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 70d50000 70d73000 C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 70bd0000 70d50000 C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 72f30000 72f49000 C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 70ba0000 70bd0000 C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 70b80000 70b9c000 C:\Windows\SysWOW64\AVIFIL32.dll
ModLoad: 70b60000 70b79000 C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 745e0000 74606000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000 C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 741f0000 74273000 C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 70b10000 70b5a000 c:\apr\blackhat\tools\xnview\XnView\Plugins\openjp2.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 74b20000 74c63000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 72ba0000 72bc3000 C:\Windows\SysWOW64\dwmapi.dll
(f44.bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c52f000 ebx=00000003 ecx=8ed07e7c edx=0c52aa03 esi=0c52aa44 edi=0c52aa85
eip=00d7ecfa esp=0121d660 ebp=0121d66c iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
xnview+0x30ecfa:
00d7ecfa 8908 mov dword ptr [eax],ecx ds:002b:0c52f000=????????
0:000> .load msec.dll
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0121d66c 00ca4c8c 0c52aac5 0c52f000 0000000d xnview+0x30ecfa
01 0121d694 00d71269 0c52a9f8 00000000 00000001 xnview+0x234c8c
02 0121d6c8 00d715b0 0c510f60 0c50eca8 0121d6ec xnview+0x301269
03 0121dbd8 00ca4505 0c510f60 0c50eca8 0c50eca8 xnview+0x3015b0
04 0121dbf4 00ca4424 0c510f60 0c50eca8 00000000 xnview+0x234505
05 0121dd1c 00ca8735 0c510f60 0c50eca8 0000000c xnview+0x234424
06 0121dd50 00ca84cc 0121e288 0b29a340 0121dda0 xnview+0x238735
07 0121dd78 00b83174 0121e288 0b29a340 0121dda0 xnview+0x2384cc
08 0121e39c 00bef6f8 0121e620 00000000 0b29a340 xnview+0x113174
09 0121e734 00bf066e 0121e8e8 0b29a130 00000001 xnview+0x17f6f8
0a 0121f324 00bf0ca5 0b290ef8 00000000 00000000 xnview+0x18066e
0b 0121f364 00b7c343 00ad054e 00000401 00000000 xnview+0x180ca5
0c 0121f38c 00bf68e9 00000401 00000000 0121f58c xnview+0x10c343
0d 0121f3a0 73e5bf1b 00ad054e 00000401 00000000 xnview+0x1868e9
0e 0121f3cc 73e583ea 00bf68d0 00ad054e 00000401 USER32!AddClipboardFormatListener+0x49b
0f 0121f4b4 73e3beca 00bf68d0 00000000 00000401 USER32!DispatchMessageW+0x97a
10 0121f520 73e3bab1 06f81670 00000000 0121f58c USER32!SendMessageW+0x3aa
11 0121f558 00bf945b 00ad054e 00000401 00000000 USER32!SendMessageA+0x131
12 0121f5a8 00bf9eef 00007765 00000000 0121f5d0 xnview+0x18945b
13 0121f75c 00df4d80 00a70000 00000000 04b9ffbb xnview+0x189eef
14 0121f7a8 73c98494 00819000 73c98470 f30b1308 xnview+0x384d80
15 0121f7bc 771441c8 00819000 47fbbca3 00000000 KERNEL32!BaseThreadInitThunk+0x24
16 0121f804 77144198 ffffffff 7715f326 00000000 ntdll!__RtlUserThreadStart+0x2f
17 0121f814 00000000 00df4c79 00819000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xnview+0x000000000030ecfa (Hash=0xb0048d34.0x3cb30936)
User mode write access violations that are not near NULL are exploitable.