DIMIN Viewer 5.4.0 - GIF Decode Crash (PoC)

EDB-ID: 23496
CVE:
Author: Lizhi Wang
Type: dos
Platform: Windows
Published: 2012-12-19

PoC: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/23496.tar.gz

CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 006bb000   image00400000
ModLoad: 7c900000 7c9b0000   ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\advapi32.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 773d0000 774d2000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ac000   C:\WINDOWS\system32\oleaut32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\winmm.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\winspool.drv
(ed4.988): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdb000 ecx=00000000 edx=00000001 esi=00251f48 edi=00251eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c901230 cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5dac0000 5dac8000   C:\WINDOWS\system32\rdpsnd.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 100a7000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_dcraw.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00e90000 00ee3000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_ffmpeg.dll
ModLoad: 68700000 68ada000   C:\Program Files\DIMIN\Viewer5\avcodec-51.dll
ModLoad: 6b780000 6b796000   C:\Program Files\DIMIN\Viewer5\avutil-49.dll
ModLoad: 6a540000 6a5cb000   C:\Program Files\DIMIN\Viewer5\avformat-52.dll
ModLoad: 67f40000 67f64000   C:\Program Files\DIMIN\Viewer5\swscale-0.dll
ModLoad: 00f10000 00f28000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_ibw.dll
ModLoad: 00f40000 0104f000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
ModLoad: 01070000 0108a000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_morphology.dll
ModLoad: 010b0000 010da000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_xtdFilters.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 77760000 778d0000   C:\WINDOWS\system32\SHDOCVW.dll
ModLoad: 77a80000 77b14000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 754d0000 75550000   C:\WINDOWS\system32\CRYPTUI.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 771b0000 7727e000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01790000 01799000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 5dca0000 5dce5000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll
ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 4ec50000 4edf3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
(ed4.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0000001c ecx=0012f108 edx=00130000 esi=00000483 edi=0041b0c4
eip=0059b5a4 esp=0011ef50 ebp=0011ef88 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x19b5a4:
0059b5a4 8902            mov     dword ptr [edx],eax  ds:0023:00130000=78746341
0:000> !load MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x130000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x6f00020e.0x4621230e

Stack Trace:
image00400000+0x19b5a4
image00400000+0x19b73d
image00400000+0x19b9b3
Instruction Address: 0x000000000059b5a4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x000000000019b5a4 (Hash=0x6f00020e.0x4621230e)

User mode write access violations that are not near NULL are exploitable.