FastStone Image Viewer 6.5: a few crashes

Summary

Version: 6.5
Exploitable crashes: 7
Probably exploitable crashes: 2
Files to reproduce crashes: github
Download FastStone 6.5: github


* FastStone was asked whether they wanted more details about the bugs on 3rd August 2018. I have not received any answer since then.

Details

Exploitable #1

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0xe3f29929.0xf424ea35_0x2d5eeb54.0x25c57d8b_0xa35355bf.0xe2d4da0c_0xcc5b708b.0x512f4c53\sf_1958cb29fd7f80970fde7bb6755c989e.tiff"

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 4ec50000 4edfb000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\gdiplus.dll
(678.4d4): Unknown exception - code 0eedfade (first chance)
(678.4d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004e1237 (image00400000+0x000e1237)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: ff4a65c0
Attempt to write to address ff4a65c0

FAULTING_THREAD:  000004d4

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  ff4a65c0

WRITE_ADDRESS:  ff4a65c0 

FOLLOWUP_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 004dfaaa to 004e1237

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
026ef9cc 004dfaaa 026efd58 00000075 00460000 image00400000+0xe1237
026efa94 004e4b13 026efd58 026efaac 004e4da7 image00400000+0xdfaaa
026efd0c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
026efda8 005e5fe4 026efdd4 005e5ffd 026efdcc image00400000+0x1e5e2b
026efdcc 005e66cf 026efe2c 005e699d 026efe24 image00400000+0x1e5fe4
026efe24 008b6193 026efe38 008b61a0 026efe7c image00400000+0x1e66cf
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6193
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000000 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+e1237

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~1s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/000e1237.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
026ef9cc 004dfaaa 026efd58 00000075 00460000 image00400000+0xe1237
026efa94 004e4b13 026efd58 026efaac 004e4da7 image00400000+0xdfaaa
026efd0c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
026efda8 005e5fe4 026efdd4 005e5ffd 026efdcc image00400000+0x1e5e2b
026efdcc 005e66cf 026efe2c 005e699d 026efe24 image00400000+0x1e5fe4
026efe24 008b6193 026efe38 008b61a0 026efe7c image00400000+0x1e66cf
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6193
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000000 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba
eax=00000012 ebx=026efb24 ecx=00002d2b edx=010ab570 esi=ff4a65c0 edi=00460000
eip=004e1237 esp=026ef908 ebp=026ef9cc iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
image00400000+0xe1237:
004e1237 66890e          mov     word ptr [esi],cx        ds:0023:ff4a65c0=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffff4a65c0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:004e1237 mov word ptr [esi],cx

Exception Hash (Major/Minor): 0x3eda38dc.0xc6e0a4b3

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0xe1237
Major+Minor : image00400000+0xdfaaa
Major+Minor : image00400000+0xe4b13
Major+Minor : image00400000+0x1e5e2b
Major+Minor : image00400000+0x1e5fe4
Minor       : image00400000+0x1e66cf
Minor       : image00400000+0x4b6193
Minor       : image00400000+0x4b6c16
Minor       : image00400000+0x47e62d
Minor       : image00400000+0x47e9e9
Minor       : image00400000+0x2c053
Minor       : image00400000+0x4c22
Minor       : kernel32!GetModuleFileNameA+0x1ba
Instruction Address: 0x00000000004e1237

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000e1237 (Hash=0x3eda38dc.0xc6e0a4b3)

User mode write access violations that are not near NULL are exploitable.

Exploitable #2

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0xc17440ca.0xfe39f165_0xc17440ca.0xfd90d8b1_0xc3ee9468.0x2d4b005e_0xc17440ca.0x4980d5e7_0xc3ee9468.0x1aaf70e8_0xc17440ca.0x5adda250_0xc3__\SF_195~1.TIF"

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
(530.20c): Unknown exception - code 0eedfade (first chance)
(530.20c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004e1237 (image00400000+0x000e1237)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: ff498540
Attempt to write to address ff498540

FAULTING_THREAD:  0000020c

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  ff498540

WRITE_ADDRESS:  ff498540 

FOLLOWUP_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 004dfaaa to 004e1237

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f63c 004dfaaa 0012f9c8 00000075 00460000 image00400000+0xe1237
0012f704 004e4b13 0012f9c8 0012f71c 004e4da7 image00400000+0xdfaaa
0012f97c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
0012fa18 005e5fe4 0012fa44 005e5ffd 0012fa3c image00400000+0x1e5e2b
0012fa3c 005e66cf 0012fa9c 005e699d 0012fa94 image00400000+0x1e5fe4
0012fa94 005e6063 0012fabc 005e606d 0012fab4 image00400000+0x1e66cf
0012fab4 00898846 0012fae8 00898877 0012fadc image00400000+0x1e6063
0012fadc 0089a9c0 0012fbe8 0012faf4 0089aa16 image00400000+0x498846
0012fbe8 008cfb34 00000001 00000000 00000001 image00400000+0x49a9c0
0012fc80 00914d50 0012fc94 00914d97 0012fd2c image00400000+0x4cfb34
0012fd2c 00911208 0012fd40 00911212 0012fde8 image00400000+0x514d50
0012fde8 00473683 0012fe28 0047368d 0012fe0c image00400000+0x511208
0012fe0c 0047336f 010d8130 0104de30 004041f2 image00400000+0x73683
0012ff50 0047ab98 0012ff7c 0047aba2 0012ff74 image00400000+0x7336f
0012ff74 0091f777 0012ff88 0091f792 0012ffc0 image00400000+0x7ab98
0012ffc0 7c817077 00a6f558 007b9fbc 7ffdb000 image00400000+0x51f777
0012fff0 00000000 0091eea4 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+e1237

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/000e1237.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f63c 004dfaaa 0012f9c8 00000075 00460000 image00400000+0xe1237
0012f704 004e4b13 0012f9c8 0012f71c 004e4da7 image00400000+0xdfaaa
0012f97c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
0012fa18 005e5fe4 0012fa44 005e5ffd 0012fa3c image00400000+0x1e5e2b
0012fa3c 005e66cf 0012fa9c 005e699d 0012fa94 image00400000+0x1e5fe4
0012fa94 005e6063 0012fabc 005e606d 0012fab4 image00400000+0x1e66cf
0012fab4 00898846 0012fae8 00898877 0012fadc image00400000+0x1e6063
0012fadc 0089a9c0 0012fbe8 0012faf4 0089aa16 image00400000+0x498846
0012fbe8 008cfb34 00000001 00000000 00000001 image00400000+0x49a9c0
0012fc80 00914d50 0012fc94 00914d97 0012fd2c image00400000+0x4cfb34
0012fd2c 00911208 0012fd40 00911212 0012fde8 image00400000+0x514d50
0012fde8 00473683 0012fe28 0047368d 0012fe0c image00400000+0x511208
0012fe0c 0047336f 010d8130 0104de30 004041f2 image00400000+0x73683
0012ff50 0047ab98 0012ff7c 0047aba2 0012ff74 image00400000+0x7336f
0012ff74 0091f777 0012ff88 0091f792 0012ffc0 image00400000+0x7ab98
0012ffc0 7c817077 00a6f558 007b9fbc 7ffdb000 image00400000+0x51f777
0012fff0 00000000 0091eea4 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
eax=00000012 ebx=0012f794 ecx=00002d2b edx=010ab570 esi=ff498540 edi=00460000
eip=004e1237 esp=0012f578 ebp=0012f63c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
image00400000+0xe1237:
004e1237 66890e          mov     word ptr [esi],cx        ds:0023:ff498540=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffff498540
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:004e1237 mov word ptr [esi],cx

Exception Hash (Major/Minor): 0x3eda38dc.0x83386591

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0xe1237
Major+Minor : image00400000+0xdfaaa
Major+Minor : image00400000+0xe4b13
Major+Minor : image00400000+0x1e5e2b
Major+Minor : image00400000+0x1e5fe4
Minor       : image00400000+0x1e66cf
Minor       : image00400000+0x1e6063
Minor       : image00400000+0x498846
Minor       : image00400000+0x49a9c0
Minor       : image00400000+0x4cfb34
Minor       : image00400000+0x514d50
Minor       : image00400000+0x511208
Minor       : image00400000+0x73683
Minor       : image00400000+0x7336f
Minor       : image00400000+0x7ab98
Minor       : image00400000+0x51f777
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000004e1237

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000e1237 (Hash=0x3eda38dc.0x83386591)

User mode write access violations that are not near NULL are exploitable.


Exploitable #3

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0xc963aedf.0xd3ff544f_0x7885396d.0x81035fe4_0xcc5b708b.0x228db2bf_0x9aca83de.0xfd311490_0xcc5b708b.0x5b2f5993\sf_1958cb29fd7f80970fde7bb6755c989e-6lhej5-0x00000000.tiff"

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
(1c8.628): Unknown exception - code 0eedfade (first chance)
(1c8.628): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004e1237 (image00400000+0x000e1237)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: ff51f040
Attempt to write to address ff51f040

FAULTING_THREAD:  00000628

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  ff51f040

WRITE_ADDRESS:  ff51f040 

FOLLOWUP_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 004dfaaa to 004e1237

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f63c 004dfaaa 0012f9c8 00000075 00460000 image00400000+0xe1237
0012f704 004e4b13 0012f9c8 0012f71c 004e4da7 image00400000+0xdfaaa
0012f97c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
0012fa18 005e5fe4 0012fa44 005e5ffd 0012fa3c image00400000+0x1e5e2b
0012fa3c 005e66cf 0012fa9c 005e699d 0012fa94 image00400000+0x1e5fe4
0012fa94 005e6063 0012fabc 005e606d 0012fab4 image00400000+0x1e66cf
0012fab4 00898846 0012fae8 00898877 0012fadc image00400000+0x1e6063
0012fadc 0089a9c0 0012fbe8 0012faf4 0089aa16 image00400000+0x498846
0012fbe8 008cfb34 00000001 00000000 00000001 image00400000+0x49a9c0
0012fc80 00914d50 0012fc94 00914d97 0012fd2c image00400000+0x4cfb34
0012fd2c 00911208 0012fd40 00911212 0012fde8 image00400000+0x514d50
0012fde8 00473683 0012fe28 0047368d 0012fe0c image00400000+0x511208
0012fe0c 0047336f 010d8130 0104de30 004041f2 image00400000+0x73683
0012ff50 0047ab98 0012ff7c 0047aba2 0012ff74 image00400000+0x7336f
0012ff74 0091f777 0012ff88 0091f792 0012ffc0 image00400000+0x7ab98
0012ffc0 7c817077 00a7f558 00aa0256 7ffd4000 image00400000+0x51f777
0012fff0 00000000 0091eea4 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+e1237

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/000e1237.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f63c 004dfaaa 0012f9c8 00000075 00460000 image00400000+0xe1237
0012f704 004e4b13 0012f9c8 0012f71c 004e4da7 image00400000+0xdfaaa
0012f97c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
0012fa18 005e5fe4 0012fa44 005e5ffd 0012fa3c image00400000+0x1e5e2b
0012fa3c 005e66cf 0012fa9c 005e699d 0012fa94 image00400000+0x1e5fe4
0012fa94 005e6063 0012fabc 005e606d 0012fab4 image00400000+0x1e66cf
0012fab4 00898846 0012fae8 00898877 0012fadc image00400000+0x1e6063
0012fadc 0089a9c0 0012fbe8 0012faf4 0089aa16 image00400000+0x498846
0012fbe8 008cfb34 00000001 00000000 00000001 image00400000+0x49a9c0
0012fc80 00914d50 0012fc94 00914d97 0012fd2c image00400000+0x4cfb34
0012fd2c 00911208 0012fd40 00911212 0012fde8 image00400000+0x514d50
0012fde8 00473683 0012fe28 0047368d 0012fe0c image00400000+0x511208
0012fe0c 0047336f 010d8130 0104de30 004041f2 image00400000+0x73683
0012ff50 0047ab98 0012ff7c 0047aba2 0012ff74 image00400000+0x7336f
0012ff74 0091f777 0012ff88 0091f792 0012ffc0 image00400000+0x7ab98
0012ffc0 7c817077 00a7f558 00aa0256 7ffd4000 image00400000+0x51f777
0012fff0 00000000 0091eea4 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
eax=00000012 ebx=0012f794 ecx=00002d2b edx=010ab570 esi=ff51f040 edi=00460000
eip=004e1237 esp=0012f578 ebp=0012f63c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
image00400000+0xe1237:
004e1237 66890e          mov     word ptr [esi],cx        ds:0023:ff51f040=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffff51f040
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:004e1237 mov word ptr [esi],cx

Exception Hash (Major/Minor): 0x3eda38dc.0x83386591

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0xe1237
Major+Minor : image00400000+0xdfaaa
Major+Minor : image00400000+0xe4b13
Major+Minor : image00400000+0x1e5e2b
Major+Minor : image00400000+0x1e5fe4
Minor       : image00400000+0x1e66cf
Minor       : image00400000+0x1e6063
Minor       : image00400000+0x498846
Minor       : image00400000+0x49a9c0
Minor       : image00400000+0x4cfb34
Minor       : image00400000+0x514d50
Minor       : image00400000+0x511208
Minor       : image00400000+0x73683
Minor       : image00400000+0x7336f
Minor       : image00400000+0x7ab98
Minor       : image00400000+0x51f777
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000004e1237

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000e1237 (Hash=0x3eda38dc.0x83386591)

User mode write access violations that are not near NULL are exploitable.


Exploitable #4

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0xc3fd0e39.0x5f245936_0x777e1892.0x69b75271_0xcc5b708b.0xb781db48_0xa35355bf.0xe2d4da0c_0xcc5b708b.0xdd918b65_0xa35355bf.0x586752a8___\sf_1958cb29fd7f80970fde7bb6755c989e.tiff"

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 4ec50000 4edfb000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\gdiplus.dll
(62c.470): Unknown exception - code 0eedfade (first chance)
(62c.470): Unknown exception - code 0eedfade (first chance)
(62c.470): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+1cb509
005cb509 885002          mov     byte ptr [eax+2],dl

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 005cb509 (image00400000+0x001cb509)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 40affe9a
Attempt to write to address 40affe9a

FAULTING_THREAD:  00000470

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  40affe9a

WRITE_ADDRESS:  40affe9a 

FOLLOWUP_IP: 
image00400000+1cb509
005cb509 885002          mov     byte ptr [eax+2],dl

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS_FILL_PATTERN_ffffffff

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_FILL_PATTERN_ffffffff

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_FILL_PATTERN_ffffffff

LAST_CONTROL_TRANSFER:  from 005bcbc4 to 005cb509

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
026efdb0 005bcbc4 00ff4f70 00000000 00000000 image00400000+0x1cb509
026efdd4 005bca55 00ff4f70 00000000 00000000 image00400000+0x1bcbc4
026efe14 005bc853 ffffff09 ffffffff 00000000 image00400000+0x1bca55
026efe34 008b6749 00000009 008b697d 026efe50 image00400000+0x1bc853
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6749
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000002 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+1cb509

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~1s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_FILL_PATTERN_ffffffff_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/001cb509.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
026efdb0 005bcbc4 00ff4f70 00000000 00000000 image00400000+0x1cb509
026efdd4 005bca55 00ff4f70 00000000 00000000 image00400000+0x1bcbc4
026efe14 005bc853 ffffff09 ffffffff 00000000 image00400000+0x1bca55
026efe34 008b6749 00000009 008b697d 026efe50 image00400000+0x1bc853
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6749
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000002 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba
eax=40affe98 ebx=0046e1e2 ecx=00000000 edx=00000000 esi=00000000 edi=ffffffff
eip=005cb509 esp=026efc54 ebp=026efdb0 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
image00400000+0x1cb509:
005cb509 885002          mov     byte ptr [eax+2],dl        ds:0023:40affe9a=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x40affe9a
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:005cb509 mov byte ptr [eax+2],dl

Exception Hash (Major/Minor): 0x3eda38dc.0x585eb472

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0x1cb509
Major+Minor : image00400000+0x1bcbc4
Major+Minor : image00400000+0x1bca55
Major+Minor : image00400000+0x1bc853
Major+Minor : image00400000+0x4b6749
Minor       : image00400000+0x4b6c16
Minor       : image00400000+0x47e62d
Minor       : image00400000+0x47e9e9
Minor       : image00400000+0x2c053
Minor       : image00400000+0x4c22
Minor       : kernel32!GetModuleFileNameA+0x1ba
Instruction Address: 0x00000000005cb509

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000001cb509 (Hash=0x3eda38dc.0x585eb472)

User mode write access violations that are not near NULL are exploitable.


Exploitable #5

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0x389e6e8c.0xcd632042_0x781f664c.0x5a4f1469_0xcc5b708b.0x0b11e605_0xcc5b708b.0xb781db48_0xcc5b708b.0x5cbbce8b_0xcc5b708b.0x__\sf_1958cb29fd7f80970fde7bb6755c989e.tiff"

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 4ec50000 4edfb000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\gdiplus.dll
(5d0.684): Unknown exception - code 0eedfade (first chance)
(5d0.684): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004e1237 (image00400000+0x000e1237)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: ff4aab40
Attempt to write to address ff4aab40

FAULTING_THREAD:  00000684

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  ff4aab40

WRITE_ADDRESS:  ff4aab40 

FOLLOWUP_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 004dfaaa to 004e1237

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
026ef9cc 004dfaaa 026efd58 00000075 00460000 image00400000+0xe1237
026efa94 004e4b13 026efd58 026efaac 004e4da7 image00400000+0xdfaaa
026efd0c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
026efda8 005e5fe4 026efdd4 005e5ffd 026efdcc image00400000+0x1e5e2b
026efdcc 005e66cf 026efe2c 005e699d 026efe24 image00400000+0x1e5fe4
026efe24 008b6193 026efe38 008b61a0 026efe7c image00400000+0x1e66cf
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6193
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000000 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+e1237

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~1s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/000e1237.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
026ef9cc 004dfaaa 026efd58 00000075 00460000 image00400000+0xe1237
026efa94 004e4b13 026efd58 026efaac 004e4da7 image00400000+0xdfaaa
026efd0c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
026efda8 005e5fe4 026efdd4 005e5ffd 026efdcc image00400000+0x1e5e2b
026efdcc 005e66cf 026efe2c 005e699d 026efe24 image00400000+0x1e5fe4
026efe24 008b6193 026efe38 008b61a0 026efe7c image00400000+0x1e66cf
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6193
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000000 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba
eax=00000012 ebx=026efb24 ecx=00002d2b edx=010ab570 esi=ff4aab40 edi=00460000
eip=004e1237 esp=026ef908 ebp=026ef9cc iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
image00400000+0xe1237:
004e1237 66890e          mov     word ptr [esi],cx        ds:0023:ff4aab40=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffff4aab40
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:004e1237 mov word ptr [esi],cx

Exception Hash (Major/Minor): 0x3eda38dc.0xc6e0a4b3

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0xe1237
Major+Minor : image00400000+0xdfaaa
Major+Minor : image00400000+0xe4b13
Major+Minor : image00400000+0x1e5e2b
Major+Minor : image00400000+0x1e5fe4
Minor       : image00400000+0x1e66cf
Minor       : image00400000+0x4b6193
Minor       : image00400000+0x4b6c16
Minor       : image00400000+0x47e62d
Minor       : image00400000+0x47e9e9
Minor       : image00400000+0x2c053
Minor       : image00400000+0x4c22
Minor       : kernel32!GetModuleFileNameA+0x1ba
Instruction Address: 0x00000000004e1237

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000e1237 (Hash=0x3eda38dc.0xc6e0a4b3)

User mode write access violations that are not near NULL are exploitable.

Exploitable #6

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0x17ad2ee8.0x8e4e242d_0xc3ee9468.0x5e70912a_0xcc5b708b.0x228db2bf_0xcc5b708b.0x166aeda0_0xcc5b708b.0x5b2f5993_0xcc5b708b.0xae4449a2_0xcc__\SF_195~1.TIF"

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
(760.5cc): Unknown exception - code 0eedfade (first chance)
(760.5cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004e1237 (image00400000+0x000e1237)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: ff498540
Attempt to write to address ff498540

FAULTING_THREAD:  000005cc

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  ff498540

WRITE_ADDRESS:  ff498540 

FOLLOWUP_IP: 
image00400000+e1237
004e1237 66890e          mov     word ptr [esi],cx

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 004dfaaa to 004e1237

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f63c 004dfaaa 0012f9c8 00000075 00460000 image00400000+0xe1237
0012f704 004e4b13 0012f9c8 0012f71c 004e4da7 image00400000+0xdfaaa
0012f97c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
0012fa18 005e5fe4 0012fa44 005e5ffd 0012fa3c image00400000+0x1e5e2b
0012fa3c 005e66cf 0012fa9c 005e699d 0012fa94 image00400000+0x1e5fe4
0012fa94 005e6063 0012fabc 005e606d 0012fab4 image00400000+0x1e66cf
0012fab4 00898846 0012fae8 00898877 0012fadc image00400000+0x1e6063
0012fadc 0089a9c0 0012fbe8 0012faf4 0089aa16 image00400000+0x498846
0012fbe8 008cfb34 00000001 00000000 00000001 image00400000+0x49a9c0
0012fc80 00914d50 0012fc94 00914d97 0012fd2c image00400000+0x4cfb34
0012fd2c 00911208 0012fd40 00911212 0012fde8 image00400000+0x514d50
0012fde8 00473683 0012fe28 0047368d 0012fe0c image00400000+0x511208
0012fe0c 0047336f 010d8130 0104de30 004041f2 image00400000+0x73683
0012ff50 0047ab98 0012ff7c 0047aba2 0012ff74 image00400000+0x7336f
0012ff74 0091f777 0012ff88 0091f792 0012ffc0 image00400000+0x7ab98
0012ffc0 7c817077 009df558 007b9c5c 7ffd5000 image00400000+0x51f777
0012fff0 00000000 0091eea4 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+e1237

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/000e1237.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f63c 004dfaaa 0012f9c8 00000075 00460000 image00400000+0xe1237
0012f704 004e4b13 0012f9c8 0012f71c 004e4da7 image00400000+0xdfaaa
0012f97c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
0012fa18 005e5fe4 0012fa44 005e5ffd 0012fa3c image00400000+0x1e5e2b
0012fa3c 005e66cf 0012fa9c 005e699d 0012fa94 image00400000+0x1e5fe4
0012fa94 005e6063 0012fabc 005e606d 0012fab4 image00400000+0x1e66cf
0012fab4 00898846 0012fae8 00898877 0012fadc image00400000+0x1e6063
0012fadc 0089a9c0 0012fbe8 0012faf4 0089aa16 image00400000+0x498846
0012fbe8 008cfb34 00000001 00000000 00000001 image00400000+0x49a9c0
0012fc80 00914d50 0012fc94 00914d97 0012fd2c image00400000+0x4cfb34
0012fd2c 00911208 0012fd40 00911212 0012fde8 image00400000+0x514d50
0012fde8 00473683 0012fe28 0047368d 0012fe0c image00400000+0x511208
0012fe0c 0047336f 010d8130 0104de30 004041f2 image00400000+0x73683
0012ff50 0047ab98 0012ff7c 0047aba2 0012ff74 image00400000+0x7336f
0012ff74 0091f777 0012ff88 0091f792 0012ffc0 image00400000+0x7ab98
0012ffc0 7c817077 009df558 007b9c5c 7ffd5000 image00400000+0x51f777
0012fff0 00000000 0091eea4 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
eax=00000012 ebx=0012f794 ecx=00002d2b edx=010ab570 esi=ff498540 edi=00460000
eip=004e1237 esp=0012f578 ebp=0012f63c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
image00400000+0xe1237:
004e1237 66890e          mov     word ptr [esi],cx        ds:0023:ff498540=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffff498540
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:004e1237 mov word ptr [esi],cx

Exception Hash (Major/Minor): 0x3eda38dc.0x83386591

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0xe1237
Major+Minor : image00400000+0xdfaaa
Major+Minor : image00400000+0xe4b13
Major+Minor : image00400000+0x1e5e2b
Major+Minor : image00400000+0x1e5fe4
Minor       : image00400000+0x1e66cf
Minor       : image00400000+0x1e6063
Minor       : image00400000+0x498846
Minor       : image00400000+0x49a9c0
Minor       : image00400000+0x4cfb34
Minor       : image00400000+0x514d50
Minor       : image00400000+0x511208
Minor       : image00400000+0x73683
Minor       : image00400000+0x7336f
Minor       : image00400000+0x7ab98
Minor       : image00400000+0x51f777
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000004e1237

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x00000000000e1237 (Hash=0x3eda38dc.0x83386591)

User mode write access violations that are not near NULL are exploitable.

Exploitable #7

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0x08f905bf.0x3bc9c35c_0x08f905bf.0x0480a7e8_0x08f905bf.0x026d88fb_0x08f905bf.0xd670b994_0x08f905bf.0x9c45a039_0x08f905bf.0x2b8410ff___\SF_625~1.GIF"
Symbol search path is: *** Invalid ***

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
(578.5e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+3ef68a
007ef68a 8902            mov     dword ptr [edx],eax

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 007ef68a (image00400000+0x003ef68a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00130000
Attempt to write to address 00130000

FAULTING_THREAD:  000005e8

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00130000

WRITE_ADDRESS:  00130000 

FOLLOWUP_IP: 
image00400000+3ef68a
007ef68a 8902            mov     dword ptr [edx],eax

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 007ef8b1 to 007ef68a

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0011f82c 007ef8b1 0012f9ac 0012f9ac 007efb27 image00400000+0x3ef68a
0011f838 007efb27 0012f9ac 0012f9b4 007efb55 image00400000+0x3ef8b1
0012f9ac 00000000 00000001 00000007 00000008 image00400000+0x3efb27


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+3ef68a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/003ef68a.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0011f82c 007ef8b1 0012f9ac 0012f9ac 007efb27 image00400000+0x3ef68a
0011f838 007efb27 0012f9ac 0012f9b4 007efb55 image00400000+0x3ef8b1
0012f9ac 00000000 00000001 00000007 00000008 image00400000+0x3efb27
eax=00000007 ebx=0000010b ecx=0012f9ac edx=00130000 esi=0012f88c edi=00000148
eip=007ef68a esp=0011f80c ebp=0011f82c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
image00400000+0x3ef68a:
007ef68a 8902            mov     dword ptr [edx],eax  ds:0023:00130000=78746341

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x130000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x03c87530.0x2272cd87

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0x3ef68a
Major+Minor : image00400000+0x3ef8b1
Major+Minor : image00400000+0x3efb27
Instruction Address: 0x00000000007ef68a

Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at image00400000+0x00000000003ef68a (Hash=0x03c87530.0x2272cd87)

Corruption of the exception handler chain is considered exploitable

Probably Exploitable #1

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0xd4b5265f.0x8a70015d_0x777e1892.0x17349e97_0xf6586fd4.0xd21f845e_0x781f664c.0x281fe8a6_0xe32e4ae2.0x941582fc_0xc3ee9468.0x__\SF_195~1.TIF"
Symbol search path is: *** Invalid ***

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
(56c.438): Unknown exception - code 0eedfade (first chance)
(56c.438): Unknown exception - code 0eedfade (first chance)
(56c.438): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+2d7d
00402d7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00402d7d (image00400000+0x00002d7d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0014fffc
Attempt to read from address 0014fffc

FAULTING_THREAD:  00000438

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0014fffc

READ_ADDRESS:  0014fffc 

FOLLOWUP_IP: 
image00400000+2d7d
00402d7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 0061a5c9 to 00402d7d

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f2a8 0061a5c9 002e0000 00460000 00000000 image00400000+0x2d7d
0012f360 0061a17f 00000000 00000000 00000001 image00400000+0x21a5c9
0012f3c0 00609784 00000000 00000000 00000001 image00400000+0x21a17f
0012f4a8 00600869 0012f4b4 00000000 00000000 image00400000+0x209784
00000000 00000000 00000000 00000000 00000000 image00400000+0x200869


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+2d7d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  STRING_DEREFERENCE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/00002d7d.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f2a8 0061a5c9 002e0000 00460000 00000000 image00400000+0x2d7d
0012f360 0061a17f 00000000 00000000 00000001 image00400000+0x21a5c9
0012f3c0 00609784 00000000 00000000 00000001 image00400000+0x21a17f
0012f4a8 00600869 0012f4b4 00000000 00000000 image00400000+0x209784
00000000 00000000 00000000 00000000 00000000 image00400000+0x200869
eax=00d20000 ebx=ff4a3080 ecx=0032db80 edx=ff4a3080 esi=0014fffc edi=00159e7c
eip=00402d7d esp=0012f274 ebp=0012f2a8 iopl=0         nv dn ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010606
image00400000+0x2d7d:
00402d7d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x14fffc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00402d7d rep movs dword ptr es:[edi],dword ptr [esi]

Exception Hash (Major/Minor): 0x3eda38dc.0x3ffbc2fe

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0x2d7d
Major+Minor : image00400000+0x21a5c9
Major+Minor : image00400000+0x21a17f
Major+Minor : image00400000+0x209784
Major+Minor : image00400000+0x200869
Instruction Address: 0x0000000000402d7d

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at image00400000+0x0000000000002d7d (Hash=0x3eda38dc.0x3ffbc2fe)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.

Probably Exploitable #2

WinDbg log:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: FSViewer.exe "C:\Documents and Settings\Administrator\Desktop\fs\0x3eda38dc.0xf37551e9_0x3eda38dc.0x829bc5fd_0x3eda38dc.0xead14d12_0xab676fc3.0xe4027df7_0xab676fc3.0xe4027df7\sf_b2c5b61502f10a9f086f4275501d17c9.tiff"
Symbol search path is: *** Invalid ***

0:000> g;!analyze -v;kb;r;!load msec.dll;!exploitable -v
ModLoad: 10000000 1000d000   C:\FOE2\certfuzz\hooks\winxp\Release\hook.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 5edd0000 5ede7000   C:\WINDOWS\system32\olepro32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\psapi.dll
ModLoad: 6ad80000 6adfe000   C:\faststone\fsplugin05.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 4ec50000 4edfb000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\gdiplus.dll
(5a8.364): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

FAULTING_IP: 
image00400000+2d63
00402d63 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00402d63 (image00400000+0x00002d63)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 01451000
Attempt to read from address 01451000

FAULTING_THREAD:  00000364

PROCESS_NAME:  image00400000

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  01451000

READ_ADDRESS:  01451000 

FOLLOWUP_IP: 
image00400000+2d63
00402d63 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 004e11dc to 00402d63

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
026ef8dc 004e11dc 026ef960 026ef964 026ef98c image00400000+0x2d63
026ef9cc 004dfaaa 026efd58 0000002e 00000046 image00400000+0xe11dc
026efa94 004e4b13 026efd58 026efaac 004e4da7 image00400000+0xdfaaa
026efd0c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
026efda8 005e5fe4 026efdd4 005e5ffd 026efdcc image00400000+0x1e5e2b
026efdcc 005e66cf 026efe2c 005e699d 026efe24 image00400000+0x1e5fe4
026efe24 008b6193 026efe38 008b61a0 026efe7c image00400000+0x1e66cf
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6193
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000002 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+2d63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

STACK_COMMAND:  ~1s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\faststone\FSViewer.exe

FAILURE_BUCKET_ID:  STRING_DEREFERENCE_c0000005_C:_faststone_FSViewer.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/6_5_0_0/2a425e19/image00400000/6_5_0_0/2a425e19/c0000005/00002d63.htm?Retriage=1

Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
026ef8dc 004e11dc 026ef960 026ef964 026ef98c image00400000+0x2d63
026ef9cc 004dfaaa 026efd58 0000002e 00000046 image00400000+0xe11dc
026efa94 004e4b13 026efd58 026efaac 004e4da7 image00400000+0xdfaaa
026efd0c 005e5e2b 00000000 00000000 00000001 image00400000+0xe4b13
026efda8 005e5fe4 026efdd4 005e5ffd 026efdcc image00400000+0x1e5e2b
026efdcc 005e66cf 026efe2c 005e699d 026efe24 image00400000+0x1e5fe4
026efe24 008b6193 026efe38 008b61a0 026efe7c image00400000+0x1e66cf
026efe7c 008b6c16 026efee8 026efeec 026efef0 image00400000+0x4b6193
026eff04 0087e62d 026eff18 0087e703 026eff44 image00400000+0x4b6c16
026eff44 0087e9e9 026eff58 0087ea9b 026eff70 image00400000+0x47e62d
026eff70 0042c053 026eff84 0042c05d 026effa0 image00400000+0x47e9e9
026effa0 00404c22 026effdc 0040475c 026effb4 image00400000+0x2c053
026effb4 7c80b729 010f8150 00000000 00000002 image00400000+0x4c22
026effec 00000000 00404bf8 010f8150 00000000 kernel32!GetModuleFileNameA+0x1ba
eax=0d4d6ec0 ebx=026efb24 ecx=0351fb10 edx=00ff5090 esi=01451000 edi=0104d310
eip=00402d63 esp=026ef870 ebp=026ef8dc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
image00400000+0x2d63:
00402d63 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1451000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00402d63 rep movs dword ptr es:[edi],dword ptr [esi]

Exception Hash (Major/Minor): 0x3eda38dc.0x291d610e

 Hash Usage : Stack Trace:
Major+Minor : image00400000+0x2d63
Major+Minor : image00400000+0xe11dc
Major+Minor : image00400000+0xdfaaa
Major+Minor : image00400000+0xe4b13
Major+Minor : image00400000+0x1e5e2b
Minor       : image00400000+0x1e5fe4
Minor       : image00400000+0x1e66cf
Minor       : image00400000+0x4b6193
Minor       : image00400000+0x4b6c16
Minor       : image00400000+0x47e62d
Minor       : image00400000+0x47e9e9
Minor       : image00400000+0x2c053
Minor       : image00400000+0x4c22
Minor       : kernel32!GetModuleFileNameA+0x1ba
Instruction Address: 0x0000000000402d63

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at image00400000+0x0000000000002d63 (Hash=0x3eda38dc.0x291d610e)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
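When a fuzzing run such as the FOE session above produces many crash files, the !exploitable block is what gets parsed to dedupe and rank them. The following Python helper is an added example, not code from the original post: it extracts the triage fields, groups files by the major hash (one bucket per distinct bug) and orders them by classification. The sample report is copied from the log above; the file names are constructed.

```python
import re
from collections import defaultdict

# Sample !exploitable output for this crash, copied from the WinDbg log above.
SAMPLE_REPORT = """\
Exception Faulting Address: 0x1451000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:00402d63 rep movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0x3eda38dc.0x291d610e
Major+Minor : image00400000+0x2d63
Major+Minor : image00400000+0xe11dc
Minor       : image00400000+0x1e5fe4
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

# Severity order for sorting; these are !exploitable's own classification names.
RANK = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1,
        "PROBABLY_NOT_EXPLOITABLE": 2, "UNKNOWN": 3}

FIELDS = {
    "fault_addr": r"^Exception Faulting Address: (0x[0-9a-fA-F]+)",
    "exc_code": r"^First Chance Exception Type: \w+ \((0x[0-9A-Fa-f]+)\)",
    "sub_type": r"^Exception Sub-Type: (.+)$",
    "instruction": r"^Faulting Instruction:\s*[0-9a-f]+ (.+)$",
    "hash": r"^Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)",
    "short": r"^Short Description: (\S+)",
    "classification": r"^Exploitability Classification: (\S+)",
}

def parse_exploitable(text):
    """Return the triage fields as a dict; raise if a required field is missing."""
    out = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text, re.MULTILINE)
        if not m:
            raise ValueError(f"missing field: {key}")
        out[key] = m.groups() if key == "hash" else m.group(1)
    out["hash_major"], out["hash_minor"] = out.pop("hash")
    # Frames tagged Major+Minor are the ones that feed the dedup (major) hash.
    out["major_frames"] = re.findall(r"^Major\+Minor : (\S+)", text, re.MULTILINE)
    out["fault_addr"] = int(out["fault_addr"], 16)
    return out

def bucket_crashes(reports):
    """Group {file_name: report_text} by major hash; one bucket = one distinct bug."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        buckets[parse_exploitable(text)["hash_major"]].append(name)
    return dict(buckets)

def sort_by_severity(reports):
    """File names ordered from most to least severe classification."""
    parsed = {n: parse_exploitable(t) for n, t in reports.items()}
    return sorted(parsed, key=lambda n: (RANK.get(parsed[n]["classification"], 4), n))
```

Two crash files that share a major hash almost always come from the same root cause, so reviewing one representative per bucket is the usual first pass before looking at the minor hash.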

