ACDSee Free - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a (Hash=0x1f594f60.0xc37cb0eb)

Version 1.1.21

The bug

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000045_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 770e0000 77270000   ntdll.dll
Page heap: pid 0x1324: page heap enabled with flags 0x3.
ModLoad: 712d0000 71334000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1324: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 73e20000 73fad000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 76c80000 76ca2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74040000 7415d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 76b80000 76c56000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 75770000 7582f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74380000 745dc000   C:\Windows\SysWOW64\combase.dll
ModLoad: 73a20000 73ae0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74160000 741e8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 74db0000 74df5000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 75830000 76b7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74e00000 74e39000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 751a0000 7575a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 73d60000 73d6f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76c60000 76c79000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 73000000 73204000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 74280000 7437c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 70e40000 70e46000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 708b0000 70e31000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 05a90000 05b8c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 74a60000 74ac7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 73ae0000 73c76000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 73fb0000 73fbe000   C:\Windows\SysWOW64\MSASN1.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 71240000 712ce000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 71190000 71233000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72700000 72708000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 710f0000 7117e000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 71180000 7118e000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fda0000 6fe5e000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 6fd30000 6fd99000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 6f8d0000 6fd24000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 6fe60000 70292000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 704c0000 708a5000   C:\Windows\SysWOW64\msi.dll
ModLoad: 71080000 710bd000   C:\Windows\SysWOW64\STI.dll
ModLoad: 710c0000 710e1000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 71070000 7107c000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 72f30000 72f49000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 745e0000 74606000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 72ba0000 72bc3000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72b90000 72b9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 71050000 71063000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 71020000 7104f000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 096e0000 09b08000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 096e0000 09b08000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1324.1aa4): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09b10000 09e06000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09b10000 09e06000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 74b20000 74c63000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 70fa0000 7101d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 6f670000 6f8cd000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 70ee0000 70f6b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 70f70000 70f99000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 703e0000 704b6000   C:\Windows\SysWOW64\wintypes.dll
(1324.19ac): C++ EH exception - code e06d7363 (first chance)
(1324.19ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=08120436 ebx=00000100 ecx=00000030 edx=00000000 esi=08120376 edi=0dd24000
eip=09c40b5a esp=0e0ac84c ebp=0e0ac854 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
IDE_ACDStd!IEP_SetColorProfile+0xb9e7a:
09c40b5a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0e0ac854 09b6887d 0dd23cc0 08120036 00000400 IDE_ACDStd!IEP_SetColorProfile+0xb9e7a
01 0e0ac86c 09b6983b 0dd23cc0 00000400 0de2ed88 IDE_ACDStd!JPEGTransW+0x1a9d
02 0e0ac894 09b84bf4 0e0ac9ac 0de2f1ac 0043d8a7 IDE_ACDStd!JPEGTransW+0x2a5b
03 0e0ac8a0 0043d8a7 0a7f6f60 0e0ac9ac 0de2f1ac IDE_ACDStd!IDP_PageDecode+0x24
04 0e0ac8dc 004f4f48 0a7f6f60 0e0ac9ac 0de2f1ac ACDSee_Free+0x3d8a7
05 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xf4f48
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a (Hash=0x1f594f60.0xc37cb0eb)

User mode write access violations that are not near NULL are exploitable.