ACDSee Free - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a (Hash=0x1f594f60.0xc37cb0eb)
Version 1.1.21
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000045_00r.bmp"
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000 ACDSee Free.exe
ModLoad: 770e0000 77270000 ntdll.dll
Page heap: pid 0x1324: page heap enabled with flags 0x3.
ModLoad: 712d0000 71334000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1324: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 73e20000 73fad000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 76c80000 76ca2000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74040000 7415d000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 76b80000 76c56000 C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 75770000 7582f000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74380000 745dc000 C:\Windows\SysWOW64\combase.dll
ModLoad: 73a20000 73ae0000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 74160000 741e8000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 74db0000 74df5000 C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 75830000 76b7a000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74e00000 74e39000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 751a0000 7575a000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 73d60000 73d6f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000 C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76c60000 76c79000 C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 73000000 73204000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 10000000 100a8000 Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 74280000 7437c000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 70e40000 70e46000 C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 708b0000 70e31000 Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 05a90000 05b8c000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 74a60000 74ac7000 C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 73ae0000 73c76000 C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 73fb0000 73fbe000 C:\Windows\SysWOW64\MSASN1.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 71240000 712ce000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 71190000 71233000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72700000 72708000 C:\Windows\SysWOW64\VERSION.dll
ModLoad: 710f0000 7117e000 C:\Windows\SysWOW64\mscms.dll
ModLoad: 71180000 7118e000 C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fda0000 6fe5e000 Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 6fd30000 6fd99000 Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 6f8d0000 6fd24000 C:\Windows\SysWOW64\WININET.dll
ModLoad: 6fe60000 70292000 Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 704c0000 708a5000 C:\Windows\SysWOW64\msi.dll
ModLoad: 71080000 710bd000 C:\Windows\SysWOW64\STI.dll
ModLoad: 710c0000 710e1000 C:\Windows\SysWOW64\USERENV.dll
ModLoad: 71070000 7107c000 C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 72f30000 72f49000 C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 26340000 263c8000 Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 745e0000 74606000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000 C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 72ba0000 72bc3000 C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000 C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000 C:\Windows\SysWOW64\security.dll
ModLoad: 72b90000 72b9a000 C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 71050000 71063000 C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 71020000 7104f000 C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 096e0000 09b08000 Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 096e0000 09b08000 Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1324.1aa4): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09b10000 09e06000 z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09b10000 09e06000 z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 74b20000 74c63000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 70fa0000 7101d000 C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 6f670000 6f8cd000 C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 70ee0000 70f6b000 C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 70f70000 70f99000 C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 703e0000 704b6000 C:\Windows\SysWOW64\wintypes.dll
(1324.19ac): C++ EH exception - code e06d7363 (first chance)
(1324.19ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=08120436 ebx=00000100 ecx=00000030 edx=00000000 esi=08120376 edi=0dd24000
eip=09c40b5a esp=0e0ac84c ebp=0e0ac854 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212
IDE_ACDStd!IEP_SetColorProfile+0xb9e7a:
09c40b5a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0e0ac854 09b6887d 0dd23cc0 08120036 00000400 IDE_ACDStd!IEP_SetColorProfile+0xb9e7a
01 0e0ac86c 09b6983b 0dd23cc0 00000400 0de2ed88 IDE_ACDStd!JPEGTransW+0x1a9d
02 0e0ac894 09b84bf4 0e0ac9ac 0de2f1ac 0043d8a7 IDE_ACDStd!JPEGTransW+0x2a5b
03 0e0ac8a0 0043d8a7 0a7f6f60 0e0ac9ac 0de2f1ac IDE_ACDStd!IDP_PageDecode+0x24
04 0e0ac8dc 004f4f48 0a7f6f60 0e0ac9ac 0de2f1ac ACDSee_Free+0x3d8a7
05 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xf4f48
0:003> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000000b9e7a (Hash=0x1f594f60.0xc37cb0eb)
User mode write access violations that are not near NULL are exploitable.