0x384e2a.md

File metadata and controls

113 lines (106 loc) · 6.39 KB

# XnView Standard v2.48 file processing OOBW

## version

- xnview.exe: 2.48.0.0 (x86)

## the bug

Out-of-bounds write (OOBW) while XnView processes an input file, caught under page heap (the log reports page heap enabled with flags 0x3). The faulting instruction is a `rep movs` byte copy at `xnview+0x384e2a`: the destination pointer `edi=0bebc000` is page aligned while the source `esi=0beb6c10` is not, and `ecx=00000ff0` (4080) bytes were still to be copied, so the copy ran off the end of a heap allocation into the page-heap guard page with most of the copy still pending. The XnView `openjp2.dll` plugin is the last non-system module loaded before the fault, but the crashing code is in `xnview.exe` itself. The `!exploitable` verdict below is the tool's heuristic (a user-mode write AV away from NULL); on its own it says nothing about whether the copy length or the destination is attacker controlled.

```
************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*c:\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00a6d000   xnview.exe
ModLoad: 770e0000 77270000   ntdll.dll
Page heap: pid 0x14B0: page heap enabled with flags 0x3.
ModLoad: 71b50000 71bb4000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x14B0: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 75830000 76b7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 75770000 7582f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74e00000 74e39000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74040000 7415d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74160000 741e8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 73a20000 73ae0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74380000 745dc000   C:\Windows\SysWOW64\combase.dll
ModLoad: 751a0000 7575a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74db0000 74df5000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 76c80000 76ca2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73e20000 73fad000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 73d60000 73d6f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76b80000 76c56000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74280000 7437c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 72b80000 72b88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 73000000 73204000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 71b30000 71b4c000   C:\Windows\SysWOW64\AVIFIL32.dll
ModLoad: 71b00000 71b23000   C:\Windows\SysWOW64\MSVFW32.dll
ModLoad: 71250000 71274000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 71a90000 71afd000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 71a70000 71a89000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 71190000 711b3000   C:\Windows\SysWOW64\winmmbase.dll
ModLoad: 718f0000 71a70000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 70fe0000 71010000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 72f30000 72f49000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 745e0000 74606000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 741f0000 74273000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 718a0000 718ea000   c:\apr\blackhat\tools\xnview\XnView\Plugins\openjp2.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 74b20000 74c63000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 72ba0000 72bc3000   C:\Windows\SysWOW64\dwmapi.dll
(14b0.18e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0beb7c00 ebx=00000000 ecx=00000ff0 edx=00000ff8 esi=0beb6c10 edi=0bebc000
eip=00784e2a esp=0019de2c ebp=0019de44 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
xnview+0x384e2a:
00784e2a f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
0:000> $<c:\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019de44 00634c8c 0beb6c08 0bebbff8 00000004 xnview+0x384e2a
01 0019de6c 007012ed 0beb6c08 00000000 0000c301 xnview+0x234c8c
02 0019dea0 007015b0 0be6cf60 0be6aca8 0019dec4 xnview+0x3012ed
03 0019e3b0 00634505 0be6cf60 0be6aca8 0be6aca8 xnview+0x3015b0
04 0019e3cc 00634424 0be6cf60 0be6aca8 00000000 xnview+0x234505
05 0019e4f4 00638735 0be6cf60 0be6aca8 0000000c xnview+0x234424
06 0019e528 006384cc 0019ea60 0be46340 0019e578 xnview+0x238735
07 0019e550 00513174 0019ea60 0be46340 0019e578 xnview+0x2384cc
08 0019eb74 0057f6f8 0019edf8 00000000 0be46340 xnview+0x113174
09 0019ef0c 0058066e 0019f0c0 0be46130 00000001 xnview+0x17f6f8
0a 0019fafc 00580ca5 0be3cef8 00000000 00000000 xnview+0x18066e
0b 0019fb3c 0050c343 00780690 00000401 00000000 xnview+0x180ca5
0c 0019fb64 005868e9 00000401 00000000 0019fd64 xnview+0x10c343
0d 0019fb78 73e5bf1b 00780690 00000401 00000000 xnview+0x1868e9
0e 0019fba4 73e583ea 005868d0 00780690 00000401 USER32!AddClipboardFormatListener+0x49b
0f 0019fc8c 73e3beca 005868d0 00000000 00000401 USER32!DispatchMessageW+0x97a
10 0019fcf8 73e3bab1 0672f8c0 00000000 0019fd64 USER32!SendMessageW+0x3aa
11 0019fd30 0058945b 00780690 00000401 00000000 USER32!SendMessageA+0x131
12 0019fd80 00589eef 00007765 00000000 0019fda8 xnview+0x18945b
13 0019ff34 00784d80 00400000 00000000 0432ffbb xnview+0x189eef
14 0019ff80 73c98494 00326000 73c98470 9485afab xnview+0x384d80
15 0019ff94 771441c8 00326000 edc0d680 00000000 KERNEL32!BaseThreadInitThunk+0x24
16 0019ffdc 77144198 ffffffff 7715f32a 00000000 ntdll!__RtlUserThreadStart+0x2f
17 0019ffec 00000000 00784c79 00326000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xnview+0x0000000000384e2a (Hash=0xb0048d34.0x08a170b5)

User mode write access violations that are not near NULL are exploitable.
```
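The reasoning that turns the register dump above into an "OOBW past the end of a page-heap allocation" verdict can be mechanised. The following Python triage helper is an added example and is not part of the original crash report or of any MSEC/WinDbg tooling: it parses the register line and the disassembled `rep movs` from the session above (copied verbatim, not constructed), decides which of the two string-copy pointers sits on a page boundary (under full page heap that boundary is the guard page after the allocation), and reports how many bytes the copy still wanted to move. The 4 KB page size is the x86 value; the `NEAR_NULL` threshold of 0x10000 is this example's own choice and is not claimed to be the cut-off `!exploitable` uses.

```python
import re

# Register dump and faulting instruction, copied from the WinDbg session above.
CRASH_LOG = """\
eax=0beb7c00 ebx=00000000 ecx=00000ff0 edx=00000ff8 esi=0beb6c10 edi=0bebc000
eip=00784e2a esp=0019de2c ebp=0019de44 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
xnview+0x384e2a:
00784e2a f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
"""

PAGE_SIZE = 0x1000   # x86 page size; page heap ends each allocation at a page boundary
NEAR_NULL = 0x10000  # assumption for this example: faults below this are treated as NULL-derived

ELEM_SIZE = {"byte": 1, "word": 2, "dword": 4}


def parse_registers(log):
    """Map register name -> value for the general-purpose registers and eip."""
    pat = r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})"
    return {name: int(val, 16) for name, val in re.findall(pat, log)}


def parse_fault_insn(log):
    """Return (address, disassembly text) of the faulting instruction line."""
    m = re.search(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\S.*)$", log, re.M)
    if not m:
        raise ValueError("no disassembly line found")
    return int(m.group(1), 16), m.group(2).strip()


def triage(log):
    """Classify a rep movs access violation from a WinDbg register dump."""
    regs = parse_registers(log)
    addr, insn = parse_fault_insn(log)
    if addr != regs["eip"]:
        raise ValueError("disassembly line does not match eip")
    if not insn.startswith("rep movs"):
        raise ValueError("only rep movs string copies are handled here")
    elem = ELEM_SIZE[re.search(r"(byte|word|dword) ptr", insn).group(1)]
    dst, src, count = regs["edi"], regs["esi"], regs["ecx"]

    dst_on_boundary = dst % PAGE_SIZE == 0
    src_on_boundary = src % PAGE_SIZE == 0
    # rep movs touches both pointers; the one that has just crossed into a fresh page
    # is the one that faulted. Under full page heap that page is the guard page after
    # the allocation, so a page-aligned edi with an unaligned esi is a write overrun.
    if dst_on_boundary and not src_on_boundary:
        kind, fault_addr = "write", dst
    elif src_on_boundary and not dst_on_boundary:
        kind, fault_addr = "read", src
    else:
        kind, fault_addr = "unknown", dst

    return {
        "eip": addr,
        "fault_kind": kind,
        "fault_address": fault_addr,
        "elem_size": elem,
        "remaining_bytes": count * elem,   # bytes the copy still wanted to move
        "guard_page_hit": kind != "unknown",
        "near_null": fault_addr < NEAR_NULL,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key:>16}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>16}: {value}")
```

Run against the dump above it reports a write fault at 0x0bebc000 with 0xff0 bytes outstanding; the "unknown" branch is deliberate, because when both pointers are page aligned (or neither is) the register state alone cannot say which side faulted and the verdict should come from `.exr -1` or the `!exploitable` output instead.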