PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23496.tar.gz

CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 006bb000   image00400000
ModLoad: 7c900000 7c9b0000   ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\advapi32.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 773d0000 774d2000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ac000   C:\WINDOWS\system32\oleaut32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\winmm.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\winspool.drv
(ed4.988): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdb000 ecx=00000000 edx=00000001 esi=00251f48 edi=00251eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c901230 cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5dac0000 5dac8000   C:\WINDOWS\system32\rdpsnd.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 100a7000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_dcraw.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00e90000 00ee3000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_ffmpeg.dll
ModLoad: 68700000 68ada000   C:\Program Files\DIMIN\Viewer5\avcodec-51.dll
ModLoad: 6b780000 6b796000   C:\Program Files\DIMIN\Viewer5\avutil-49.dll
ModLoad: 6a540000 6a5cb000   C:\Program Files\DIMIN\Viewer5\avformat-52.dll
ModLoad: 67f40000 67f64000   C:\Program Files\DIMIN\Viewer5\swscale-0.dll
ModLoad: 00f10000 00f28000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_ibw.dll
ModLoad: 00f40000 0104f000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
ModLoad: 01070000 0108a000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_morphology.dll
ModLoad: 010b0000 010da000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_xtdFilters.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 77760000 778d0000   C:\WINDOWS\system32\SHDOCVW.dll
ModLoad: 77a80000 77b14000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 754d0000 75550000   C:\WINDOWS\system32\CRYPTUI.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 771b0000 7727e000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01790000 01799000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 5dca0000 5dce5000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll
ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 4ec50000 4edf3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
(ed4.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0000001c ecx=0012f108 edx=00130000 esi=00000483 edi=0041b0c4
eip=0059b5a4 esp=0011ef50 ebp=0011ef88 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x19b5a4:
0059b5a4 8902            mov     dword ptr [edx],eax  ds:0023:00130000=78746341
0:000> !load MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x130000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x6f00020e.0x4621230e

Stack Trace:
image00400000+0x19b5a4
image00400000+0x19b73d
image00400000+0x19b9b3
Instruction Address: 0x000000000059b5a4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x000000000019b5a4 (Hash=0x6f00020e.0x4621230e)

User mode write access violations that are not near NULL are exploitable.