Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "Z:\s\apr\blackhat\tools\xnview\XnView\xnview.exe" "z:\s\apr\blackhat\crashes_reproduce\xnview\s1\id_000096_00"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00040000 006ad000 xnview.exe
ModLoad: 770e0000 77270000 ntdll.dll
Page heap: pid 0xF30: page heap enabled with flags 0x3.
ModLoad: 712d0000 71334000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0xF30: page heap enabled with flags 0x3.
ModLoad: 73c80000 73d60000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 74fb0000 75194000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 75830000 76b7a000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 75770000 7582f000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 74e00000 74e39000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 74040000 7415d000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 74160000 741e8000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 73a20000 73ae0000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 739a0000 739c0000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73990000 7399a000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 74d50000 74da8000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 739d0000 73a14000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 74380000 745dc000 C:\Windows\SysWOW64\combase.dll
ModLoad: 751a0000 7575a000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 74c70000 74ce8000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74db0000 74df5000 C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 76c80000 76ca2000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 74e40000 74fa4000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 73fc0000 7403d000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73e20000 73fad000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 73e00000 73e17000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 73d60000 73d6f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74610000 74628000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 76e30000 76e75000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 75760000 75768000 C:\Windows\SysWOW64\FLTLIB.DLL
ModLoad: 72b80000 72b88000 C:\Windows\SysWOW64\VERSION.dll
ModLoad: 76b80000 76c56000 C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 74280000 7437c000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 76d30000 76dc6000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 73000000 73204000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 712b0000 712cc000 C:\Windows\SysWOW64\AVIFIL32.dll
ModLoad: 71280000 712a3000 C:\Windows\SysWOW64\MSVFW32.dll
ModLoad: 71250000 71274000 C:\Windows\SysWOW64\WINMM.dll
ModLoad: 711e0000 7124d000 C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 711b0000 711d3000 C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 71030000 711b0000 C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 71000000 71030000 C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 72f30000 72f49000 C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 70fe0000 70ff9000 C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 745e0000 74606000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 72e80000 72efc000 C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 741f0000 74273000 C:\Windows\SysWOW64\clbcatq.dll
ModLoad: 70f90000 70fda000 Z:\s\apr\blackhat\tools\xnview\XnView\Plugins\openjp2.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 74b20000 74c63000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 72ba0000 72bc3000 C:\Windows\SysWOW64\dwmapi.dll
(f30.8ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0be04d04 ecx=0be05000 edx=000006f8 esi=00000008 edi=00000002
eip=00368165 esp=00afd580 ebp=00afd5b4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
xnview+0x328165:
00368165 8901 mov dword ptr [ecx],eax ds:002b:0be05000=????????
0:000> $<z:\s\apr\office\crashes\cmd.txt
0:000> .load msec.dll
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00afd5b4 00366093 0bd60f60 0bdfcbd8 0004f592 xnview+0x328165
01 00afd5e4 0033e1d8 0bd60f60 0bdfcbd8 00050889 xnview+0x326093
02 00afd934 0033ce09 0bd60f60 0bdfcbd8 00afdacc xnview+0x2fe1d8
03 00afdbbc 0033c5e0 0bd60f60 0bd5eca8 00000000 xnview+0x2fce09
04 00afdbd0 00274505 0bd60f60 0bd5eca8 0bd5eca8 xnview+0x2fc5e0
05 00afdbec 00274424 0bd60f60 0bd5eca8 00000000 xnview+0x234505
06 00afdd14 00278735 0bd60f60 0bd5eca8 00000002 xnview+0x234424
07 00afdd48 002784cc 00afe280 0aaea340 00afdd98 xnview+0x238735
08 00afdd70 00153174 00afe280 0aaea340 00afdd98 xnview+0x2384cc
09 00afe394 001bf6f8 00afe618 00000000 0aaea340 xnview+0x113174
0a 00afe72c 001c066e 00afe8e0 0aaea130 00000001 xnview+0x17f6f8
0b 00aff31c 001c0ca5 0aae0ef8 00000000 00000000 xnview+0x18066e
0c 00aff35c 0014c343 000c06de 00000401 00000000 xnview+0x180ca5
0d 00aff384 001c68e9 00000401 00000000 00aff584 xnview+0x10c343
0e 00aff398 73e5bf1b 000c06de 00000401 00000000 xnview+0x1868e9
0f 00aff3c4 73e583ea 001c68d0 000c06de 00000401 USER32!AddClipboardFormatListener+0x49b
10 00aff4ac 73e3beca 001c68d0 00000000 00000401 USER32!DispatchMessageW+0x97a
11 00aff518 73e3bab1 06807810 00000000 00aff584 USER32!SendMessageW+0x3aa
12 00aff550 001c945b 000c06de 00000401 00000000 USER32!SendMessageA+0x131
13 00aff5a0 001c9eef 00007765 00000000 00aff5c8 xnview+0x18945b
14 00aff750 003c4d80 00040000 00000000 0334ffbb xnview+0x189eef
15 00aff79c 73c98494 00895000 73c98470 a554e5ed xnview+0x384d80
16 00aff7b0 771441c8 00895000 bb30ea23 00000000 KERNEL32!BaseThreadInitThunk+0x24
17 00aff7f8 77144198 ffffffff 7715f355 00000000 ntdll!__RtlUserThreadStart+0x2f
18 00aff808 00000000 003c4c79 00895000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xnview+0x0000000000328165 (Hash=0xb0048d34.0x69c1dafc)
User mode write access violations that are not near NULL are exploitable.
