
# Title : DIMIN Viewer 5.4.0 GIF Decode Crash PoC
# Published : 2012-12-19
# Author :


PoC: http://www.exploit-db.com/sploits/23496.tar.gz

CommandLine: "C:\Program Files\DIMIN\Viewer5\imgview5.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 006bb000   image00400000
ModLoad: 7c900000 7c9b0000   ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\advapi32.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 773d0000 774d2000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ac000   C:\WINDOWS\system32\oleaut32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\winmm.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\winspool.drv
(ed4.988): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdb000 ecx=00000000 edx=00000001 esi=00251f48 edi=00251eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c901230 cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5dac0000 5dac8000   C:\WINDOWS\system32\rdpsnd.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 100a7000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_dcraw.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00e90000 00ee3000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_ffmpeg.dll
ModLoad: 68700000 68ada000   C:\Program Files\DIMIN\Viewer5\avcodec-51.dll
ModLoad: 6b780000 6b796000   C:\Program Files\DIMIN\Viewer5\avutil-49.dll
ModLoad: 6a540000 6a5cb000   C:\Program Files\DIMIN\Viewer5\avformat-52.dll
ModLoad: 67f40000 67f64000   C:\Program Files\DIMIN\Viewer5\swscale-0.dll
ModLoad: 00f10000 00f28000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_ibw.dll
ModLoad: 00f40000 0104f000   C:\Program Files\DIMIN\Viewer5\plugin_formats\div5_xtd_formats.dll
ModLoad: 01070000 0108a000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_morphology.dll
ModLoad: 010b0000 010da000   C:\Program Files\DIMIN\Viewer5\plugin_filters\div5_xtdFilters.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 77760000 778d0000   C:\WINDOWS\system32\SHDOCVW.dll
ModLoad: 77a80000 77b14000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 754d0000 75550000   C:\WINDOWS\system32\CRYPTUI.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 771b0000 7727e000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01790000 01799000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 5dca0000 5dce5000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll
ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 4ec50000 4edf3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
(ed4.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0000001c ecx=0012f108 edx=00130000 esi=00000483 edi=0041b0c4
eip=0059b5a4 esp=0011ef50 ebp=0011ef88 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x19b5a4:
0059b5a4 8902            mov     dword ptr [edx],eax  ds:0023:00130000=78746341
0:000> !load MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x130000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x6f00020e.0x4621230e

Stack Trace:
image00400000+0x19b5a4
image00400000+0x19b73d
image00400000+0x19b9b3
Instruction Address: 0x000000000059b5a4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00400000+0x000000000019b5a4 (Hash=0x6f00020e.0x4621230e)

User mode write access violations that are not near NULL are exploitable.
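The classification rule stated above can be reproduced from the register dump and faulting instruction alone, which is useful when triaging many fuzzer crashes without MSEC.dll at hand. The script below is an added example, not part of the exploit-db entry or the DIMIN project; it parses the second (c0000005) exception record from the log, resolves the memory operand against the registers, and applies the Write-AV / near-NULL rule. The 64 KiB near-NULL threshold and the read-AV outcomes are assumptions modelled on !exploitable's published heuristics, not its source.

```python
"""Triage a WinDbg access-violation record with the !exploitable-style rule quoted on the page.
Added example, not from the exploit-db entry; the 64 KiB near-NULL threshold and the read-AV
outcomes are assumptions modelled on !exploitable's public heuristics, not its source."""
import re

# Constructed from the page's second (c0000005) exception record, wrapped lines re-joined.
CRASH_LOG = """\
(ed4.988): Access violation - code c0000005 (first chance)
eax=00000000 ebx=0000001c ecx=0012f108 edx=00130000 esi=00000483 edi=0041b0c4
eip=0059b5a4 esp=0011ef50 ebp=0011ef88 iopl=0         nv up ei pl nz na po nc
0059b5a4 8902            mov     dword ptr [edx],eax  ds:0023:00130000=78746341
"""
NEAR_NULL = 0x10000  # assumption: the first 64 KiB count as "near NULL"

def parse_crash(log):
    """Pull the exception code, 32-bit registers and faulting instruction out of the dump."""
    code = int(re.search(r"code ([0-9a-f]{8})", log).group(1), 16)
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(e[a-z]{2})=([0-9a-f]{8})", log)}
    insn = re.search(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*?)(?:\s{2,}ds:|$)", log, re.M)
    return {"code": code, "regs": regs, "mnemonic": insn.group(1), "operands": insn.group(2)}

def effective_address(operand, regs):
    """Evaluate an x86 memory operand such as 'dword ptr [esi+ebx*4+10h]' against the registers."""
    inner = operand[operand.index("[") + 1:operand.index("]")].replace(" ", "")
    total = 0
    for term in re.findall(r"[+-]?[^+-]+", inner):
        sign = -1 if term.startswith("-") else 1
        term = term.lstrip("+-")
        m = re.fullmatch(r"(e[a-z]{2})(?:\*(\d))?", term)  # register, optional scale
        total += sign * (regs[m.group(1)] * int(m.group(2) or 1) if m else int(term.rstrip("h"), 16))
    return total & 0xFFFFFFFF

def access_kind(mnemonic, operands):
    """Memory as the destination operand is a write; cmp/test/push only read theirs."""
    parts = [p.strip() for p in operands.split(",")]
    if mnemonic not in ("cmp", "test", "push") and "[" in parts[0]:
        return "write"
    return "read" if any("[" in p for p in parts) else "none"

def classify(rec):
    """Return (classification, description) per the rule stated at the end of the page."""
    if rec["code"] != 0xC0000005:
        return "UNKNOWN", "Not an access violation"
    kind = access_kind(rec["mnemonic"], rec["operands"])
    if kind == "none":  # no memory operand: the instruction fetch at eip itself faulted
        return "EXPLOITABLE", "User Mode Read AV on Control Flow"
    near = effective_address(rec["operands"], rec["regs"]) < NEAR_NULL
    if kind == "write":
        return ("PROBABLY_EXPLOITABLE", "User Mode Write AV near NULL") if near else ("EXPLOITABLE", "User Mode Write AV")
    return ("PROBABLY_NOT_EXPLOITABLE", "User Mode Read AV near NULL") if near else ("UNKNOWN", "User Mode Read AV")
```

For the record above, `classify(parse_crash(CRASH_LOG))` yields `('EXPLOITABLE', 'User Mode Write AV')`, matching the !exploitable verdict; the same parser can be pointed at any first-chance AV record a fuzzing harness collects.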