ACDSee Free - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000001172b0 (Hash=0x61f80bbd.0x93f51cb6)
Version 1.1.21
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "Z:\s\apr\blackhat\tools\ACDSee Free\ACDSee Free.exe" "z:\s\apr\blackhat\crashes_reproduce\acdsee\crashes_20190326220106\id_000050_00w.bmp"
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\atlmfc.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\concurrency.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\cpp_rest.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\stl.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Data.Json.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\Windows.Media.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\windows.natvis'
NatVis script successfully loaded from 'c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers\winrt.natvis'
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols
Deferred srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*z:\s\symbols*http://msdl.microsoft.com/download/symbols;srv*z:\s\symbols*\\vmware-host\Shared Folders\s\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 007c6000 ACDSee Free.exe
ModLoad: 77660000 777f0000 ntdll.dll
Page heap: pid 0x12F0: page heap enabled with flags 0x3.
ModLoad: 713d0000 71434000 C:\Windows\SysWOW64\verifier.dll
Page heap: pid 0x12F0: page heap enabled with flags 0x3.
ModLoad: 77490000 77570000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 772a0000 77484000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 742f0000 7447d000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 76070000 76087000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 73580000 73784000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.706_none_42f0d9a244e0990d\COMCTL32.dll
ModLoad: 76400000 764bf000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75e10000 7606c000 C:\Windows\SysWOW64\combase.dll
ModLoad: 762a0000 762c2000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76510000 76674000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 74270000 742ed000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 73f40000 7405d000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 76b50000 76c26000 C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 05830000 05a8c000 C:\Windows\SysWOW64\combase.dll
ModLoad: 762d0000 76390000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 73f20000 73f40000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 73f10000 73f1a000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 76240000 76298000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 74480000 744c4000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 10000000 100a8000 Z:\s\apr\blackhat\tools\ACDSee Free\ShellIntMgr51U.dll
ModLoad: 74130000 741b8000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 764c0000 76505000 C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 713c0000 713c6000 C:\Windows\SysWOW64\MSIMG32.dll
ModLoad: 70e30000 713b1000 Z:\s\apr\blackhat\tools\ACDSee Free\AcdIDClient.dll
ModLoad: 74970000 75cba000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 74930000 74969000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 76c90000 7724a000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 76090000 76108000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 74260000 7426f000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 74910000 74928000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 77250000 77295000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76690000 76698000 C:\Windows\SysWOW64\FLTLIB.DLL
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 76210000 76229000 C:\Windows\SysWOW64\imagehlp.dll
ModLoad: 76110000 7620c000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 741c0000 74256000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76390000 763f7000 C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 766a0000 76836000 C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 76680000 7668e000 C:\Windows\SysWOW64\MSASN1.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 70da0000 70e2e000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCP90.dll
ModLoad: 70ce0000 70cee000 C:\Windows\WinSxS\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.6161_none_80ba6c811e9b4aff\VCOMP90.DLL
ModLoad: 72c80000 72c88000 C:\Windows\SysWOW64\VERSION.dll
ModLoad: 70cf0000 70d93000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
ModLoad: 70c50000 70cde000 C:\Windows\SysWOW64\mscms.dll
ModLoad: 70810000 70c42000 Z:\s\apr\blackhat\tools\ACDSee Free\mfc100u.dll
ModLoad: 70750000 7080e000 Z:\s\apr\blackhat\tools\ACDSee Free\MSVCR100.dll
ModLoad: 706e0000 70749000 Z:\s\apr\blackhat\tools\ACDSee Free\MSVCP100.dll
ModLoad: 6fef0000 70344000 C:\Windows\SysWOW64\WININET.dll
ModLoad: 6f730000 6fb15000 C:\Windows\SysWOW64\msi.dll
ModLoad: 26340000 263c8000 Z:\s\apr\blackhat\tools\ACDSee Free\ipwssl6.dll
ModLoad: 6fe20000 6fe41000 C:\Windows\SysWOW64\USERENV.dll
ModLoad: 706d0000 706dc000 C:\Windows\SysWOW64\ColorAdapterClient.dll
ModLoad: 734b0000 734c9000 C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 70690000 706cd000 C:\Windows\SysWOW64\STI.dll
ModLoad: 74060000 74086000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 73400000 7347c000 C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 73120000 73143000 C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 5d360000 5d36d000 C:\Windows\SysWOW64\MFC100ENU.DLL
ModLoad: 46480000 46483000 C:\Windows\SysWOW64\security.dll
ModLoad: 72c90000 72c9a000 C:\Windows\SysWOW64\SECUR32.DLL
ModLoad: 70670000 70683000 C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 70640000 7066f000 C:\Windows\SysWOW64\rsaenh.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
ModLoad: 09850000 09c78000 Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
ModLoad: 09850000 09c78000 Z:\s\apr\blackhat\tools\ACDSee Free\1033\ACDSee Free.exe.dll
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
(12f0.1840): C++ EH exception - code e06d7363 (first chance)
PIM: Loading IDE_ACDStd.apl
ModLoad: 09c80000 09f76000 z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
ModLoad: 09c80000 09f76000 z:\s\apr\blackhat\tools\acdsee free\plugins\IDE_ACDStd.apl
BasepIsRemovableMedia: Host device is removable, Shim cache deactivated
PIM: Loading IDE_ACDStd.apl
ModLoad: 75cc0000 75e03000 C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 730a0000 7311d000 C:\Windows\SysWOW64\TextInputFramework.dll
ModLoad: 72db0000 7300d000 C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 73010000 7309b000 C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 72d80000 72da9000 C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 72ca0000 72d76000 C:\Windows\SysWOW64\wintypes.dll
(12f0.920): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10503000 ebx=10502ff0 ecx=100caf94 edx=105030ff esi=0f810e60 edi=100caf80
eip=09e0df90 esp=0f5efd00 ebp=0f5efd00 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
IDE_ACDStd!IEP_SetColorProfile+0x1172b0:
09e0df90 8810 mov byte ptr [eax],dl ds:002b:10503000=??
0:003> $<z:\s\apr\office\crashes\cmd.txt
0:003> .load msec.dll
0:003> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0f5efd00 09ce5dff 100caf94 10503000 0000000a IDE_ACDStd!IEP_SetColorProfile+0x1172b0
01 00000000 00000000 00000000 00000000 00000000 IDE_ACDStd!JPEGTransW+0xf01f
0:003> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IDE_ACDStd!IEP_SetColorProfile+0x00000000001172b0 (Hash=0x61f80bbd.0x93f51cb6)
User mode write access violations that are not near NULL are exploitable.