win7 sp1 32 + xnview classic 2.49.2
https://download.xnview.com/XnView-win-full.zip
Windbg attach to xnview.exe.Then open poc.wic.Crash is below:
(db0.d10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0a673d66 ebx=09fbfc3c ecx=00000000 edx=000003e8 esi=00000001 edi=0801fe34
eip=01e21169 esp=002bc164 ebp=09fdfc38 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** WARNING: Unable to verify checksum for C:\poc\XnView\Plugins\Xwic.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\poc\XnView\Plugins\Xwic.dll -
Xwic+0x1169:
01e21169 884c30ff mov byte ptr [eax+esi-1],cl ds:0023:0a673d66=??
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xa673d66
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x664d5447.0x622e0869
Stack Trace:
Xwic+0x1169
Xwic!gffGetFormatInfo+0x15e0
Xwic!gffGetFormatInfo+0x92b
Xwic+0x2481
Xwic!gffGetFormatInfo+0x9db
Xwic+0x22de
Unknown
Unknown
Xwic!gffGetFormatInfo+0x9f18
Unknown
Instruction Address: 0x0000000001e21169
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Xwic+0x0000000000001169 (Hash=0x664d5447.0x622e0869)
User mode write access violations that are not near NULL are exploitable.
The poc and original file have sent to contact@xnview.com.
Exploitable wic WriteAV
Moderators: XnTriq, helmut, xnview