0x00000000001a9601.md
FastStone Image Viewer - User Mode Write AV starting at image00400000+0x00000000001a9601 (Hash=0x3eda38dc.0x23ac869e)

The bug


Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "Z:\s\apr\blackhat\tools\FSViewer70\FSViewer.exe" "z:\s\apr\blackhat\crashes_reproduce\fsview\crashes\id_000011_00"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred                                       srv*
Deferred                                       srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols;srv*;srv*z:\s\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is: srv*
ModLoad: 00400000 00a90000   image00400000
ModLoad: 77a20000 77bb0000   ntdll.dll
Page heap: pid 0x1594: page heap enabled with flags 0x3.
ModLoad: 71c10000 71c74000   C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x1594: page heap enabled with flags 0x3.
ModLoad: 772d0000 773b0000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76d00000 76ee4000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 76a70000 76bfd000   C:\Windows\SysWOW64\user32.dll
ModLoad: 74300000 74317000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75ac0000 75ae2000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76ef0000 77054000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 77410000 7748d000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 74320000 7443d000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 758c0000 75938000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 77060000 7711f000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75b40000 75b84000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 75cf0000 75db0000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 742e0000 74300000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 742d0000 742da000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 77670000 776c8000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 77140000 771d6000   C:\Windows\SysWOW64\oleaut32.dll
ModLoad: 75dc0000 7601c000   C:\Windows\SysWOW64\combase.dll
ModLoad: 757c0000 758bc000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 734c0000 734c8000   C:\Windows\SysWOW64\version.dll
ModLoad: 71c00000 71c06000   C:\Windows\SysWOW64\msimg32.dll
ModLoad: 75790000 757b6000   C:\Windows\SysWOW64\imm32.dll
ModLoad: 73860000 73a64000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\comctl32.dll
ModLoad: 74440000 7578a000   C:\Windows\SysWOW64\shell32.dll
ModLoad: 71b90000 71bfd000   C:\Windows\SysWOW64\winspool.drv
ModLoad: 77230000 77269000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77870000 7787f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 77490000 77518000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 76450000 76a0a000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 71a10000 71b90000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 771e0000 77225000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 73aa0000 73ab9000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 77880000 77898000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75af0000 75b35000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 719e0000 71a10000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 77120000 77128000   C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 75bb0000 75c86000   C:\Windows\SysWOW64\comdlg32.dll
ModLoad: 719c0000 719dc000   C:\Windows\SysWOW64\avifil32.dll
ModLoad: 71990000 719b3000   C:\Windows\SysWOW64\MsVfW32.dll
ModLoad: 71960000 71984000   C:\Windows\SysWOW64\winmm.dll
ModLoad: 71940000 71959000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 71910000 71933000   C:\Windows\SysWOW64\winmmbase.dll
ModLoad: 001d0000 001f3000   C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 71760000 71904000   C:\Windows\SysWOW64\quartz.dll
ModLoad: 737c0000 7383c000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 77520000 77663000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 734e0000 73503000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 71740000 71759000   C:\Windows\SysWOW64\olepro32.dll
ModLoad: 76c70000 76cf3000   C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 715c0000 71731000   C:\Windows\SysWOW64\windowscodecs.dll
ModLoad: 71550000 715b1000   Z:\s\apr\blackhat\tools\FSViewer70\fsplugin06.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 71540000 71547000   C:\Windows\SysWOW64\DCIMAN32.DLL
ModLoad: 732c0000 7330f000   C:\Windows\SysWOW64\dataexchange.dll
ModLoad: 73060000 732b2000   C:\Windows\SysWOW64\d3d11.dll
ModLoad: 72f20000 7305c000   C:\Windows\SysWOW64\dcomp.dll
ModLoad: 72e80000 72f18000   C:\Windows\SysWOW64\dxgi.dll
ModLoad: 72d10000 72e75000   C:\Windows\SysWOW64\twinapi.appcore.dll
ModLoad: 72ce0000 72d01000   C:\Windows\SysWOW64\RMCLIENT.dll
ModLoad: 71210000 71538000   C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
ModLoad: 711c0000 7120a000   C:\Windows\SysWOW64\thumbcache.dll
ModLoad: 734d0000 734da000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 711a0000 711b5000   C:\Windows\SysWOW64\samcli.dll
ModLoad: 71180000 71199000   C:\Windows\SysWOW64\SAMLIB.dll
ModLoad: 71170000 7117b000   C:\Windows\SysWOW64\netutils.dll
ModLoad: 73840000 73858000   C:\Windows\SysWOW64\MPR.dll
ModLoad: 71140000 7116a000   C:\Windows\SysWOW64\vmhgfs.dll
ModLoad: 71130000 71139000   C:\Windows\SysWOW64\drprov.dll
ModLoad: 710e0000 71122000   C:\Windows\SysWOW64\WINSTA.dll
ModLoad: 710c0000 710d2000   C:\Windows\SysWOW64\ntlanman.dll
ModLoad: 710a0000 710b9000   C:\Windows\SysWOW64\davclnt.dll
ModLoad: 71090000 7109a000   C:\Windows\SysWOW64\DAVHLPR.dll
ModLoad: 71080000 71090000   C:\Windows\SysWOW64\wkscli.dll
ModLoad: 71070000 7107f000   C:\Windows\SysWOW64\cscapi.dll
(1594.1a14): Unknown exception - code 000006ba (first chance)
ModLoad: 6ad80000 6adfe000   Z:\s\apr\blackhat\tools\FSViewer70\fsplugin05.dll
ModLoad: 70fe0000 71065000   C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
(1594.1a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
eax=000002fd ebx=0bb38693 ecx=096662f4 edx=07f1d1e0 esi=000000ff edi=09668250
eip=005a9601 esp=0019f878 ebp=0019f89c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
image00400000+0x1a9601:
005a9601 66890f          mov     word ptr [edi],cx        ds:002b:09668250=????
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0019f89c 005aa33e 00000000 0019f9a0 07f1d1e0 image00400000+0x1a9601
01 0019f96c 005fa330 00000000 0019f9d0 00000000 image00400000+0x1aa33e
02 0019f9d8 005fa47e 0019fa00 005fa4a4 0019f9f8 image00400000+0x1fa330
03 0019f9f8 005ef05a 0019fa58 005ef2dd 0019fa50 image00400000+0x1fa47e
04 0019fa50 005ee9a3 0019fa78 005ee9ad 0019fa70 image00400000+0x1ef05a
05 0019fa70 008c7ce0 0019faa4 008c7d11 0019fa98 image00400000+0x1ee9a3
06 0019fa98 008ca1a1 0019fba8 0019fab0 008ca1f7 image00400000+0x4c7ce0
07 0019fba8 00902c54 00000001 00000000 00000001 image00400000+0x4ca1a1
08 0019fc40 0077fcfa 0019fc54 0077fd41 0019fcec image00400000+0x502c54
09 0019fcec 0077b96c 0019fd00 0077b976 0019fda8 image00400000+0x37fcfa
0a 0019fda8 004736cf 0019fde8 004736d9 0019fdcc image00400000+0x37b96c
0b 0019fdcc 004733bb 07f68130 07ee5730 004041f2 image00400000+0x736cf
0c 0019ff10 0047abe4 0019ff3c 0047abee 0019ff34 image00400000+0x733bb
0d 0019ff34 0093ba8f 0019ff48 0093baaa 0019ff80 image00400000+0x7abe4
0e 0019ff80 772e8494 003ed000 772e8470 e41dd4a6 image00400000+0x53ba8f
0f 0019ff94 77a841c8 003ed000 ea6d4ce0 00000000 KERNEL32!BaseThreadInitThunk+0x24
10 0019ffdc 77a84198 ffffffff 77a9f35e 00000000 ntdll!__RtlUserThreadStart+0x2f
11 0019ffec 00000000 0093b1bc 003ed000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000001a9601 (Hash=0x3eda38dc.0x23ac869e)

User mode write access violations that are not near NULL are exploitable.