Skip to content

Latest commit

 

History

History
150 lines (140 loc) · 9.57 KB

0x0000000000002450.md

File metadata and controls

150 lines (140 loc) · 9.57 KB

ACDSee Free - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x0000000000002450 (Hash=0xec22af54.0x90452bcd)

Version 1.1.21

The bug


Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190322105613\id_000082_00r.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000   ACDSee Free.exe
ModLoad: 77660000 777f0000   ntdll.dll
Page heap: pid 0x1BF0: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1BF0: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 73580000 73784000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 73f40000 7405d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 762d0000 76390000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 76070000 76087000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 762a0000 762c2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 76b50000 76c26000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74130000 741b8000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 764c0000 76505000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 74970000 75cba000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74930000 74969000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 76c90000 7724a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76090000 76108000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74480000 744c4000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 74260000 7426f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 10000000 100a8000   Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 713c0000 713c6000   C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000   Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 76690000 76698000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 76110000 7620c000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 741c0000 74256000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76390000 763f7000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000   C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 76210000 76229000   C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 70930000 709ee000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 709f0000 70e22000   Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 6fef0000 70344000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 708c0000 70929000   Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 26340000 263c8000   Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 704d0000 708b5000   C:\Windows\SysWOW64\msi.dll
ModLoad: 70440000 704ce000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70390000 70433000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 72c80000 72c88000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 70350000 7038d000   C:\Windows\SysWOW64\STI.dll
ModLoad: 734b0000 734c9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 6fee0000 6feee000   C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 6fe50000 6fede000   C:\Windows\SysWOW64\mscms.dll
ModLoad: 6fe20000 6fe41000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 6fe10000 6fe1c000   C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 74060000 74086000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000   C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000   C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000   C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 6fdf0000 6fe03000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 6fdc0000 6fdef000   C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09a80000 09ea8000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09a80000 09ea8000   Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(1bf0.498): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09eb0000 0a1a6000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09eb0000 0a1a6000   z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000   C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72e40000 7309d000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 72db0000 72e3b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72d80000 72da9000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72ca0000 72d76000   C:\Windows\SysWOW64\wintypes.dll
ModLoad: 09150000 09226000   C:\Windows\SysWOW64\wintypes.dll
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
Corrupt JPEG data: 1 extraneous bytes before marker 0xef
(1bf0.ffc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0ab9b003 ebx=0000f600 ecx=ffffffea edx=06190058 esi=0ab98f60 edi=0000f6ff
eip=09f09230 esp=0875fdbc ebp=7fffffff iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
IDE_ACDStd!JPEGTransW+0x2450:
09f09230 8858fd          mov     byte ptr [eax-3],bl        ds:002b:0ab9b000=??
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0875fdc8 09f09c2d 00000002 0990fbb0 09f24c4f IDE_ACDStd!JPEGTransW+0x2450
01 0875fdd4 09f24c4f 0875fe4c 0043db77 0ab98f60 IDE_ACDStd!JPEGTransW+0x2e4d
02 0875fddc 0043db77 0ab98f60 0875fe4c a8c12313 IDE_ACDStd!IDP_PageDecodeStep+0x1f
03 0875fe70 004e9d03 00000000 0875fec4 09a3e06c ACDSee_Free+0x3db77
04 00000000 00000000 00000000 00000000 00000000 ACDSee_Free+0xe9d03
0:003> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!JPEGTransW+0x0000000000002450 (Hash=0xec22af54.0x90452bcd)

User mode write access violations that are not near NULL are exploitable.