DIMIN Viewer 5.4.0 - GIF Decode Crash (PoC)

EDB-ID:

23496

CVE:


EDB Verified:

Author:

Lizhi Wang

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2012-12-19

Vulnerable App: 
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23496.tar.gz

CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 006bb000   image00400000
ModLoad: 7c900000 7c9b0000   ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\advapi32.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 773d0000 774d2000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ac000   C:\WINDOWS\system32\oleaut32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\winmm.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\winspool.drv
(ed4.988): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdb000 ecx=00000000 edx=00000001 esi=00251f48
edi=00251eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
ntdll.dll -
ntdll!DbgBreakPoint:
7c901230 cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5dac0000 5dac8000   C:\WINDOWS\system32\rdpsnd.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 100a7000   C:\Program
Files\DIMIN\Viewer5\plugin_formats\div5_dcraw.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00e90000 00ee3000   C:\Program
Files\DIMIN\Viewer5\plugin_formats\div5_ffmpeg.dll
ModLoad: 68700000 68ada000   C:\Program Files\DIMIN\Viewer5\avcodec-51.dll
ModLoad: 6b780000 6b796000   C:\Program Files\DIMIN\Viewer5\avutil-49.dll
ModLoad: 6a540000 6a5cb000   C:\Program Files\DIMIN\Viewer5\avformat-52.dll
ModLoad: 67f40000 67f64000   C:\Program Files\DIMIN\Viewer5\swscale-0.dll
ModLoad: 00f10000 00f28000   C:\Program
Files\DIMIN\Viewer5\plugin_formats\div5_ibw.dll
ModLoad: 00f40000 0104f000   C:\Program
Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
ModLoad: 01070000 0108a000   C:\Program
Files\DIMIN\Viewer5\plugin_filters\div5_morphology.dll
ModLoad: 010b0000 010da000   C:\Program
Files\DIMIN\Viewer5\plugin_filters\div5_xtdFilters.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 77760000 778d0000   C:\WINDOWS\system32\SHDOCVW.dll
ModLoad: 77a80000 77b14000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 754d0000 75550000   C:\WINDOWS\system32\CRYPTUI.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 771b0000 7727e000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01790000 01799000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 5dca0000 5dce5000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll
ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 4ec50000 4edf3000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
(ed4.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0000001c ecx=0012f108 edx=00130000 esi=00000483
edi=0041b0c4
eip=0059b5a4 esp=0011ef50 ebp=0011ef88 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for
image00400000
image00400000+0x19b5a4:
0059b5a4 8902            mov     dword ptr [edx],eax
ds:0023:00130000=78746341
0:000> !load MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x130000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x6f00020e.0x4621230e

Stack Trace:
image00400000+0x19b5a4
image00400000+0x19b73d
image00400000+0x19b9b3
Instruction Address: 0x000000000059b5a4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
image00400000+0x000000000019b5a4 (Hash=0x6f00020e.0x4621230e)

User mode write access violations that are not near NULL are exploitable.
Copy
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services