As far as I remember, a few days after the "last" CTF from VulnHub was posted here, I decided to check an interesting photo viewer called XnView. Below you will find a few details ...
...(TL;DR ;) ) ... from 2 weeks of fuzzing :)
But first of all:
I would like to thank the Vendor - XnView - for the great cooperation, quick feedback and fast updates during the responsible disclosure. I appreciate it! Thank you very much.
Now - a few details for the fixed bugs:
>> #01 - ICO:
---<windbg>---
CommandLine: "c:\Program Files\XnViewMP\xnviewmp.exe" C:\sf_fc2a98f8a8428a9a6d5579c79a94fbd8-2027.ico
(...)
Executable search path is:
ModLoad: 013d0000 01db6000 xnviewmp.exe
(...)
eax=ffffffff ebx=03977e28 ecx=00001754 edx=00000000 esi=00001755 edi=0479e8ac
eip=018bb53f esp=0479e6ec ebp=0479e704 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
xnviewmp+0x4eb53f:
018bb53f 880439 mov byte ptr [ecx+edi],al ds:0023:047a0000=??
0:010> !exploitable
(...)
Exception Faulting Address: 0xffffffffffffffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
(...)
Instruction Address: 0xffffffffffffffff
Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0xffffffffffffffff called from ntdll!RtlRaiseStatus+0x00000000000000b4 (Hash=0x0500da3d.0x7a809270)
---</windbg>---
>> #02 - RLE:
---<windbg>---
CommandLine: "c:\Program Files\XnViewMP\xnviewmp.exe" C:\sf_acef3cf648f35bc106e3fd813f0514f3-446.rle
(...)
Executable search path is:
ModLoad: 00a00000 013e6000 xnviewmp.exe
(...)
eax=ffffffff ebx=0390f868 ecx=03a1fb28 edx=9d632a31 esi=03a1fb28 edi=03a1fa88
eip=6c4efbf4 esp=0026d3bc ebp=6c7c8a28 iopl=0 nv up ei ng nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010292
Qt5Core!QVariant::~QVariant+0x14:
6c4efbf4 f00fc102 lock xadd dword ptr [edx],eax ds:0023:9d632a31=????????
(...)
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0026d3bc 6c351d95 050b38c7 03a1fa88 03a1fa88 Qt5Core!QVariant::~QVariant+0x14
0026d3e0 6c3561a8 038bef08 6c4d74ec 00000001 Qt5Core!QVariantAnimation::~QVariantAnimation+0x75
0026d3e8 6c4d74ec 00000001 050b38f7 00000000 Qt5Core!QPropertyAnimation::`default constructor closure'+0x18
0026d444 6c34bebb 050b3f5f 039e6e60 0390f868 Qt5Core!QObject::~QObject+0x53c
0026d47c 6c355fca 050b3f87 0390f868 0390f868 Qt5Core!QAbstractAnimation::~QAbstractAnimation+0xab
0026d498 6bac26a9 0390f868 6c4dc6b6 00000001 Qt5Core!QPropertyAnimation::~QPropertyAnimation+0x4a
0026d4a0 6c4dc6b6 00000001 050b3fbf 0390f868 Qt5Widgets!QFocusFrame::tr+0x3a9
0026d4d0 6c5714a6 0026d864 6c586c3b ffffffff Qt5Core!QObject::event+0x96
0026d86c 6c4bacd7 0390f868 039e6e60 050b338f Qt5Core!QCoreApplication::translate+0x33ef6
0026d8c4 6c4fd25f 00436728 00436730 00436710 Qt5Core!QCoreApplicationPrivate::sendPostedEvents+0x1f7
0026d95c 775a86ef 07df029e 00000401 00000000 Qt5Core!QEventDispatcherWin32::sendPostedEvents+0xf
0026da00 775a89b5 00000000 6c4fc740 07df029e USER32!IsThreadDesktopComposited+0x11f
0026da60 775a8e9c 6c4fc740 00000000 00453560 USER32!IsThreadDesktopComposited+0x3e5
0026f81c 6e632305 00000024 02abb9b0 00434580 USER32!DispatchMessageW+0xf
0026f878 6c4b80c0 00000000 050b1387 6c4d6cd0 qwindows!qt_plugin_query_metadata+0x1605
0026f8cc 00d04184 057a739e 00440c08 0000006e Qt5Core!QCoreApplication::exec+0x160
0026fa28 00fb1554 00000002 004310a0 00000000 xnviewmp+0x304184
0026faa8 777a1174 7ffda000 0026faf4 779eb3f5 xnviewmp+0x5b1554
0026faf4 779eb3c8 00faedc6 7ffda000 00000000 kernel32!BaseThreadInitThunk+0x12
0026faf8 00faedc6 7ffda000 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
(...)
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
Qt5Core!QVariant::~QVariant+14
6c4efbf4 f00fc102 lock xadd dword ptr [edx],eax
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6c4efbf4 (Qt5Core!QVariant::~QVariant+0x00000014)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 9d632a31
Attempt to write to address 9d632a31
FAULTING_THREAD: 00000c5c
PROCESS_NAME: xnviewmp.exe
MODULE_NAME: Qt5Core
FAULTING_MODULE: 77990000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 5a1ef20b
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 9d632a31
WRITE_ADDRESS: 9d632a31
FOLLOWUP_IP:
Qt5Core!QVariant::~QVariant+14
6c4efbf4 f00fc102 lock xadd dword ptr [edx],eax
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_INVALID_POINTER_WRITE_WRONG_SYMBOLS_FILL_PATTERN_ffffffff
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_ffffffff
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER: from 6c351d95 to 6c4efbf4
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0026d3bc 6c351d95 050b38c7 03a1fa88 03a1fa88 Qt5Core!QVariant::~QVariant+0x14
0026d3e0 6c3561a8 038bef08 6c4d74ec 00000001 Qt5Core!QVariantAnimation::~QVariantAnimation+0x75
0026d3e8 6c4d74ec 00000001 050b38f7 00000000 Qt5Core!QPropertyAnimation::`default constructor closure'+0x18
0026d444 6c34bebb 050b3f5f 039e6e60 0390f868 Qt5Core!QObject::~QObject+0x53c
0026d47c 6c355fca 050b3f87 0390f868 0390f868 Qt5Core!QAbstractAnimation::~QAbstractAnimation+0xab
0026d498 6bac26a9 0390f868 6c4dc6b6 00000001 Qt5Core!QPropertyAnimation::~QPropertyAnimation+0x4a
0026d4a0 6c4dc6b6 00000001 050b3fbf 0390f868 Qt5Widgets!QFocusFrame::tr+0x3a9
0026d4d0 6c5714a6 0026d864 6c586c3b ffffffff Qt5Core!QObject::event+0x96
0026d86c 6c4bacd7 0390f868 039e6e60 050b338f Qt5Core!QCoreApplication::translate+0x33ef6
0026d8c4 6c4fd25f 00436728 00436730 00436710 Qt5Core!QCoreApplicationPrivate::sendPostedEvents+0x1f7
0026d95c 775a86ef 07df029e 00000401 00000000 Qt5Core!QEventDispatcherWin32::sendPostedEvents+0xf
0026da00 775a89b5 00000000 6c4fc740 07df029e USER32!IsThreadDesktopComposited+0x11f
0026da60 775a8e9c 6c4fc740 00000000 00453560 USER32!IsThreadDesktopComposited+0x3e5
0026f81c 6e632305 00000024 02abb9b0 00434580 USER32!DispatchMessageW+0xf
0026f878 6c4b80c0 00000000 050b1387 6c4d6cd0 qwindows!qt_plugin_query_metadata+0x1605
0026f8cc 00d04184 057a739e 00440c08 0000006e Qt5Core!QCoreApplication::exec+0x160
0026fa28 00fb1554 00000002 004310a0 00000000 xnviewmp+0x304184
0026faa8 777a1174 7ffda000 0026faf4 779eb3f5 xnviewmp+0x5b1554
0026faf4 779eb3c8 00faedc6 7ffda000 00000000 kernel32!BaseThreadInitThunk+0x12
0026faf8 00faedc6 7ffda000 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
0026fafc 7ffda000 00000000 00000000 00000000 xnviewmp+0x5aedc6
0026fb00 00000000 00000000 00000000 00000000 0x7ffda000
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Qt5Core!QVariant::~QVariant+14
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: Qt5Core.dll
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_ffffffff_c0000005_Qt5Core.dll!QVariant::_QVariant
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/xnviewmp_exe/0_89_0_0/5a9c1479/Qt5Core_dll/5_9_3_0/5a1ef20b/c0000005/001afbf4.htm?Retriage=1
(...)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffff9d632a31
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:6c4efbf4 lock xadd dword ptr [edx],eax
Exception Hash (Major/Minor): 0x450cf09d.0xb28093b4
Hash Usage : Stack Trace:
Major+Minor : Qt5Core!QVariant::~QVariant+0x14
Major+Minor : Qt5Core!QVariantAnimation::~QVariantAnimation+0x75
Major+Minor : Qt5Core!QPropertyAnimation::`default constructor closure'+0x18
Major+Minor : Qt5Core!QObject::~QObject+0x53c
Major+Minor : Qt5Core!QAbstractAnimation::~QAbstractAnimation+0xab
Minor : Qt5Core!QPropertyAnimation::~QPropertyAnimation+0x4a
Minor : Qt5Widgets!QFocusFrame::tr+0x3a9
Minor : Qt5Core!QObject::event+0x96
Minor : Qt5Core!QCoreApplication::translate+0x33ef6
Minor : Qt5Core!QCoreApplicationPrivate::sendPostedEvents+0x1f7
Minor : Qt5Core!QEventDispatcherWin32::sendPostedEvents+0xf
Minor : USER32!IsThreadDesktopComposited+0x11f
Minor : USER32!IsThreadDesktopComposited+0x3e5
Minor : USER32!DispatchMessageW+0xf
Minor : qwindows!qt_plugin_query_metadata+0x1605
Minor : Qt5Core!QCoreApplication::exec+0x160
Minor : xnviewmp+0x304184
Minor : xnviewmp+0x5b1554
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Minor : xnviewmp+0x5aedc6
Minor : Unknown
Instruction Address: 0x000000006c4efbf4
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Qt5Core!QVariant::~QVariant+0x0000000000000014 (Hash=0x450cf09d.0xb28093b4)
>> kb;r
User mode write access violations that are not near NULL are exploitable.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0026d3bc 6c351d95 050b38c7 03a1fa88 03a1fa88 Qt5Core!QVariant::~QVariant+0x14
0026d3e0 6c3561a8 038bef08 6c4d74ec 00000001 Qt5Core!QVariantAnimation::~QVariantAnimation+0x75
0026d3e8 6c4d74ec 00000001 050b38f7 00000000 Qt5Core!QPropertyAnimation::`default constructor closure'+0x18
0026d444 6c34bebb 050b3f5f 039e6e60 0390f868 Qt5Core!QObject::~QObject+0x53c
0026d47c 6c355fca 050b3f87 0390f868 0390f868 Qt5Core!QAbstractAnimation::~QAbstractAnimation+0xab
0026d498 6bac26a9 0390f868 6c4dc6b6 00000001 Qt5Core!QPropertyAnimation::~QPropertyAnimation+0x4a
0026d4a0 6c4dc6b6 00000001 050b3fbf 0390f868 Qt5Widgets!QFocusFrame::tr+0x3a9
0026d4d0 6c5714a6 0026d864 6c586c3b ffffffff Qt5Core!QObject::event+0x96
0026d86c 6c4bacd7 0390f868 039e6e60 050b338f Qt5Core!QCoreApplication::translate+0x33ef6
0026d8c4 6c4fd25f 00436728 00436730 00436710 Qt5Core!QCoreApplicationPrivate::sendPostedEvents+0x1f7
0026d95c 775a86ef 07df029e 00000401 00000000 Qt5Core!QEventDispatcherWin32::sendPostedEvents+0xf
0026da00 775a89b5 00000000 6c4fc740 07df029e USER32!IsThreadDesktopComposited+0x11f
0026da60 775a8e9c 6c4fc740 00000000 00453560 USER32!IsThreadDesktopComposited+0x3e5
0026f81c 6e632305 00000024 02abb9b0 00434580 USER32!DispatchMessageW+0xf
0026f878 6c4b80c0 00000000 050b1387 6c4d6cd0 qwindows!qt_plugin_query_metadata+0x1605
0026f8cc 00d04184 057a739e 00440c08 0000006e Qt5Core!QCoreApplication::exec+0x160
0026fa28 00fb1554 00000002 004310a0 00000000 xnviewmp+0x304184
0026faa8 777a1174 7ffda000 0026faf4 779eb3f5 xnviewmp+0x5b1554
0026faf4 779eb3c8 00faedc6 7ffda000 00000000 kernel32!BaseThreadInitThunk+0x12
0026faf8 00faedc6 7ffda000 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
eax=ffffffff ebx=0390f868 ecx=03a1fb28 edx=9d632a31 esi=03a1fb28 edi=03a1fa88
eip=6c4efbf4 esp=0026d3bc ebp=6c7c8a28 iopl=0 nv up ei ng nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010292
Qt5Core!QVariant::~QVariant+0x14:
6c4efbf4 f00fc102 lock xadd dword ptr [edx],eax ds:0023:9d632a31=????????
6c4efbf2 c2
---</windbg>---
Next case - again for RLE files:
>> #03 - RLE:
---<windbg>---
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Qt5Core!QVariant::~QVariant+0x0000000000000014 (Hash=0x82ec6504.0x6dcf82de)
User mode write access violations that are not near NULL are exploitable.
> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0016d4e8 6c351dbc 863072f7 03b6e900 03b6e900 Qt5Core!QVariant::~QVariant+0x14
0016d50c 6c3561a8 039df638 6c4d74ec 00000001 Qt5Core!QVariantAnimation::~QVariantAnimation+0x9c
00000000 00000000 00000000 00000000 00000000 Qt5Core!QPropertyAnimation::`default constructor closure'+0x18
> r
eax=ffffffff ebx=03a35000 ecx=03b6e960 edx=ffd57055 esi=03b6e960 edi=03b6e900
eip=6c4efbf4 esp=0016d4e8 ebp=6c7c8a38 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
Qt5Core!QVariant::~QVariant+0x14:
6c4efbf4 f00fc102 lock xadd dword ptr [edx],eax ds:0023:ffd57055=????????
6c4efbf2 c2
---</windbg>---
Another one - also RLE:
>> #04 - RLE:
---<windbg>---
0:009> r
eax=03c5a27e ebx=03d1b0d0 ecx=00000011 edx=00000002 esi=03c5a238 edi=03d27ad8
eip=6e39f608 esp=057ee8c8 ebp=057eea94 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MSVCR120!memcpy+0x74:
6e39f608 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
>> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
057eea94 01020887 03af1c20 03d1b0d0 03d1b0d0 MSVCR120!memcpy+0x74
057eeab0 01020722 03af1c20 03d1b0d0 00000000 xnviewmp+0x440887
057eedd8 01024a85 03af1c20 03d1b0d0 ffffffff xnviewmp+0x440722
057eee0c 010249ec 03c85290 057ef284 057eee5c xnviewmp+0x444a85
057eee34 00e9d550 03c85290 057ef284 057eee5c xnviewmp+0x4449ec
057ef058 00e9d149 057ef228 057ef284 000000c0 xnviewmp+0x2bd550
057ef0f4 00f8b855 057ef228 057ef284 000000c0 xnviewmp+0x2bd149
057ef254 00f8bebb 057ef2d4 057ef284 000000c0 xnviewmp+0x3ab855
057ef770 00f8d22b 00000002 03c490a8 00000080 xnviewmp+0x3abebb
057efa00 6c36d542 f8e81f32 00000000 00000000 xnviewmp+0x3ad22b
057efa2c 777a1174 030e8288 057efa78 779eb3f5 Qt5Core!QThread::start+0x362
057efa38 779eb3f5 030d6728 72a7757b 00000000 kernel32!BaseThreadInitThunk+0x12
057efa78 779eb3c8 6c36d390 030d6728 00000000 ntdll!RtlInitializeExceptionChain+0x63
057efa90 00000000 6c36d390 030d6728 00000000 ntdll!RtlInitializeExceptionChain+0x36
(...)
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
MSVCR120!memcpy+74
6e39f608 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6e39f608 (MSVCR120!memcpy+0x00000074)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 03d27ad8
Attempt to write to address 03d27ad8
FAULTING_THREAD: 00000bb8
PROCESS_NAME: xnviewmp.exe
FAULTING_MODULE: 77990000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 524f7ce6
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 03d27ad8
WRITE_ADDRESS: 03d27ad8
FOLLOWUP_IP:
MSVCR120!memcpy+74
6e39f608 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
LAST_CONTROL_TRANSFER: from 01020887 to 6e39f608
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
057eea94 01020887 03af1c20 03d1b0d0 03d1b0d0 MSVCR120!memcpy+0x74
057eeab0 01020722 03af1c20 03d1b0d0 00000000 xnviewmp+0x440887
057eedd8 01024a85 03af1c20 03d1b0d0 ffffffff xnviewmp+0x440722
057eee0c 010249ec 03c85290 057ef284 057eee5c xnviewmp+0x444a85
057eee34 00e9d550 03c85290 057ef284 057eee5c xnviewmp+0x4449ec
057ef058 00e9d149 057ef228 057ef284 000000c0 xnviewmp+0x2bd550
057ef0f4 00f8b855 057ef228 057ef284 000000c0 xnviewmp+0x2bd149
057ef254 00f8bebb 057ef2d4 057ef284 000000c0 xnviewmp+0x3ab855
057ef770 00f8d22b 00000002 03c490a8 00000080 xnviewmp+0x3abebb
057efa00 6c36d542 f8e81f32 00000000 00000000 xnviewmp+0x3ad22b
057efa2c 777a1174 030e8288 057efa78 779eb3f5 Qt5Core!QThread::start+0x362
057efa38 779eb3f5 030d6728 72a7757b 00000000 kernel32!BaseThreadInitThunk+0x12
057efa78 779eb3c8 6c36d390 030d6728 00000000 ntdll!RtlInitializeExceptionChain+0x63
057efa90 00000000 6c36d390 030d6728 00000000 ntdll!RtlInitializeExceptionChain+0x36
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: MSVCR120!memcpy+74
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MSVCR120
IMAGE_NAME: MSVCR120.dll
STACK_COMMAND: ~9s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: STRING_DEREFERENCE_c0000005_MSVCR120.dll!memcpy
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/xnviewmp_exe/0_89_0_0/5a9c1479/MSVCR120_dll/12_0_21005_1/524f7ce6/c0000005/0000f608.htm?Retriage=1
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x3d27ad8
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:6e39f608 rep movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0x39eb27d7.0x8e5f16dd
Hash Usage : Stack Trace:
Major+Minor : MSVCR120!memcpy+0x74
Major+Minor : xnviewmp+0x440887
Major+Minor : xnviewmp+0x440722
Major+Minor : xnviewmp+0x444a85
Major+Minor : xnviewmp+0x4449ec
Minor : xnviewmp+0x2bd550
Minor : xnviewmp+0x2bd149
Minor : xnviewmp+0x3ab855
Minor : xnviewmp+0x3abebb
Minor : xnviewmp+0x3ad22b
Minor : Qt5Core!QThread::start+0x362
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000006e39f608
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR120!memcpy+0x0000000000000074 (Hash=0x39eb27d7.0x8e5f16dd)
> kb
User mode write access violations that are not near NULL are exploitable.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
057eea94 01020887 03af1c20 03d1b0d0 03d1b0d0 MSVCR120!memcpy+0x74
057eeab0 01020722 03af1c20 03d1b0d0 00000000 xnviewmp+0x440887
057eedd8 01024a85 03af1c20 03d1b0d0 ffffffff xnviewmp+0x440722
057eee0c 010249ec 03c85290 057ef284 057eee5c xnviewmp+0x444a85
057eee34 00e9d550 03c85290 057ef284 057eee5c xnviewmp+0x4449ec
057ef058 00e9d149 057ef228 057ef284 000000c0 xnviewmp+0x2bd550
057ef0f4 00f8b855 057ef228 057ef284 000000c0 xnviewmp+0x2bd149
057ef254 00f8bebb 057ef2d4 057ef284 000000c0 xnviewmp+0x3ab855
057ef770 00f8d22b 00000002 03c490a8 00000080 xnviewmp+0x3abebb
057efa00 6c36d542 f8e81f32 00000000 00000000 xnviewmp+0x3ad22b
057efa2c 777a1174 030e8288 057efa78 779eb3f5 Qt5Core!QThread::start+0x362
057efa38 779eb3f5 030d6728 72a7757b 00000000 kernel32!BaseThreadInitThunk+0x12
057efa78 779eb3c8 6c36d390 030d6728 00000000 ntdll!RtlInitializeExceptionChain+0x63
057efa90 00000000 6c36d390 030d6728 00000000 ntdll!RtlInitializeExceptionChain+0x36
> r
eax=03c5a27e ebx=03d1b0d0 ecx=00000011 edx=00000002 esi=03c5a238 edi=03d27ad8
eip=6e39f608 esp=057ee8c8 ebp=057eea94 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MSVCR120!memcpy+0x74:
6e39f608 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
6e39f606 5f
---</windbg>---
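An added example, not part of the original post or of XnView: a small Python triage helper that parses the !exploitable fields shown above (classification, sub-type, hash, faulting instruction, faulting site) and groups the RLE crashes by faulting function, since #02 and #03 hit the same instruction in QVariant::~QVariant but get different hashes. The sample input is constructed from the reports above; the 0x10000 "near NULL" threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the three RLE reports above, trimmed to the lines the
# parser needs (values copied from this post, nothing else added).
REPORTS = [
    """Exception Faulting Address: 0xffffffff9d632a31
Exception Sub-Type: Write Access Violation
Faulting Instruction:6c4efbf4 lock xadd dword ptr [edx],eax
Exception Hash (Major/Minor): 0x450cf09d.0xb28093b4
Major+Minor : Qt5Core!QVariant::~QVariant+0x14
Major+Minor : Qt5Core!QVariantAnimation::~QVariantAnimation+0x75
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Qt5Core!QVariant::~QVariant+0x0000000000000014 (Hash=0x450cf09d.0xb28093b4)""",
    """Exception Sub-Type: Write Access Violation
Faulting Instruction:6c4efbf4 lock xadd dword ptr [edx],eax
Exception Hash (Major/Minor): 0x82ec6504.0x6dcf82de
Major+Minor : Qt5Core!QVariant::~QVariant+0x14
Major+Minor : Qt5Core!QVariantAnimation::~QVariantAnimation+0x9c
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Qt5Core!QVariant::~QVariant+0x0000000000000014 (Hash=0x82ec6504.0x6dcf82de)""",
    """Exception Faulting Address: 0x3d27ad8
Exception Sub-Type: Write Access Violation
Faulting Instruction:6e39f608 rep movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0x39eb27d7.0x8e5f16dd
Major+Minor : MSVCR120!memcpy+0x74
Major+Minor : xnviewmp+0x440887
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at MSVCR120!memcpy+0x0000000000000074 (Hash=0x39eb27d7.0x8e5f16dd)""",
]

def parse_report(text):
    """Pull the triage fields out of one !exploitable report; absent fields become None.
    'site' is the function holding the faulting instruction, with the offset stripped."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    return {
        "classification": grab(r"^Exploitability Classification: (\S+)"),
        "subtype": grab(r"^Exception Sub-Type: (.+)$"),
        "address": grab(r"^Exception Faulting Address: (0x[0-9a-f]+)"),
        "instruction": grab(r"^Faulting Instruction:[0-9a-f]+ (.+)$"),
        "hash": grab(r"^Exception Hash \(Major/Minor\): (0x[0-9a-f]+\.0x[0-9a-f]+)"),
        "site": grab(r"starting at (\S+?)\+0x[0-9a-f]+ \(Hash="),
        "major_frames": re.findall(r"^Major\+Minor : (\S+)$", text, re.M),
    }

def near_null(address, limit=0x10000):
    """!exploitable's 'near NULL' rule (the 0x10000 threshold is an assumption); the
    32-bit address is printed sign-extended (0xffffffff9d632a31), so mask it first."""
    return (int(address, 16) & 0xFFFFFFFF) < limit

def bucket_by_site(records):
    """Group by faulting function: the hash changes when any Major frame changes (#02 and
    #03 differ only in the caller's offset, +0x75 vs +0x9c), so one bug can carry several
    hashes and grouping by site merges them."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[rec["site"]].append(rec["hash"])
    return dict(buckets)
```

Grouping by site is a first pass only: the same function can be reached from genuinely different bugs, so each bucket still needs a look at the full stacks before filing one report.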
If you would like to check those files - here you can grab them. Version I used for the test(s):
Remember to update your XnView to the latest available version! ;)
More? Probably here or here...
Cheers,
Cody