Nytro

Windows Journal has a lot of 0days!


@w3bd3vil

I was reading the blog at BeyondTrust and decided to check if Journal was really an easy target.
Behold, multiple exploitable-looking crashes in a couple of minutes of mutation!

The original.jnt is the same file used in the blog. All files can be downloaded from:
https://mega.co.nz/#!nUUS3DhK!cQuL3x1Z-MmxOUsUwfDlVjfiJDyjlkhAacynW4FnAKc
Password: webdevil

Tested on Win7

otelgyuztokyfflidmre.jnt

(388.133c): Access violation - code c0000005 (!!! second chance !!!)
ntdll!RtlpFreeHeap+0x5d5:
00000000`772b46e5 418b40f8 mov eax,dword ptr [r8-8] ds:ffffffff`fffffff8=????????
0:000> k
Child-SP RetAddr Call Site
00000000`0029e320 00000000`772b40fd ntdll!RtlpFreeHeap+0x5d5
00000000`0029e660 000007fe`feeb10c8 ntdll!RtlFreeHeap+0x1a6
00000000`0029e6e0 000007fe`ebb02070 msvcrt!free+0x1c
00000000`0029e710 000007fe`ebb00985 NBDoc!CEPMRCFormatReader::BlcReWrite+0xba0
00000000`0029e8c0 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2c5
00000000`0029ea10 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`0029eb10 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`0029ec00 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`0029ec70 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`0029ed30 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`0029ed80 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`0029edd0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`0029ee30 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`0029eee0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`0029f040 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`0029f090 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`0029f100 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
00000000`0029f160 00000001`3fc69920 MSPVWCTL!CEPDocView::put_Document+0x53
00000000`0029f1a0 00000001`3fc8b44d Journal+0x49920
00000000`0029f1f0 00000001`3fc816cd Journal+0x6b44d

ddvptbflittlwwyifrhz.jnt

(b04.1370): Unknown exception - code c0000374 (!!! second chance !!!)
ntdll!RtlReportCriticalFailure+0x62:
00000000`77324102 eb00 jmp ntdll!RtlReportCriticalFailure+0x64 (00000000`77324104)
0:000> k
Child-SP RetAddr Call Site
00000000`001dd460 00000000`77324746 ntdll!RtlReportCriticalFailure+0x62
00000000`001dd530 00000000`77325952 ntdll!RtlpReportHeapFailure+0x26
00000000`001dd560 00000000`77327604 ntdll!RtlpHeapHandleError+0x12
00000000`001dd590 00000000`772cdc1f ntdll!RtlpLogHeapFailure+0xa4
00000000`001dd5c0 000007fe`feeb10c8 ntdll! ?? ::FNODOBFM::`string'+0x10c54
00000000`001dd640 000007fe`eb66c2c2 msvcrt!free+0x1c
00000000`001dd670 000007fe`eb66b9a0 NBDoc!DecodePos+0x71a
00000000`001dd7e0 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
00000000`001deae0 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`001deb10 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`001deb90 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`001dec40 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`001decb0 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`001dee00 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`001def00 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`001deff0 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`001df060 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`001df120 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`001df170 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`001df1c0 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6


fiisfjwpxxywlwiqcowm.jnt

(380.12f4): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CopyToken+0x65:
000007fe`eb66bb31 44382c10 cmp byte ptr [rax+rdx],r13b ds:00000000`00db5a0d=??
0:000> k
Child-SP RetAddr Call Site
00000000`0014d7e0 000007fe`eb66c251 NBDoc!CopyToken+0x65
00000000`0014d810 000007fe`eb66b9a0 NBDoc!DecodePos+0x6a9
00000000`0014d980 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
00000000`0014ec80 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`0014ecb0 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`0014ed30 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`0014ede0 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`0014ee50 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`0014efa0 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`0014f0a0 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`0014f190 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`0014f200 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`0014f2c0 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`0014f310 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`0014f360 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`0014f3c0 000007fe`f2bd56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`0014f470 000007fe`f2bd4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`0014f5d0 000007fe`f2bb6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`0014f620 000007fe`f2bb6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`0014f690 000007fe`f2bb768f MSPVWCTL!CEPDocView::Commit+0xcb

rxamgbdcsmxhvlfyyabm.jnt

(954.368): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90:
000007fe`ebb00430 488b4cd018 mov rcx,qword ptr [rax+rdx*8+18h] ds:00000000`003b1000=????????????????
0:000> k
Child-SP RetAddr Call Site
00000000`000eefe0 000007fe`ebb009eb NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90
00000000`000ef010 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x32b
00000000`000ef160 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`000ef260 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`000ef350 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`000ef3c0 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`000ef480 000007fe`eb6ea523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`000ef4d0 000007fe`eb6f636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`000ef520 000007fe`eb6e4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`000ef580 000007fe`eb6e56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`000ef630 000007fe`eb6e4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`000ef790 000007fe`eb6c6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`000ef7e0 000007fe`eb6c6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`000ef850 000007fe`eb6c768f MSPVWCTL!CEPDocView::Commit+0xcb
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
00000000`000ef8b0 00000001`3fd19920 MSPVWCTL!CEPDocView::put_Document+0x53
00000000`000ef8f0 00000001`3fd3b44d Journal+0x49920
00000000`000ef940 00000001`3fd316cd Journal+0x6b44d
00000000`000ef990 00000001`3fd2bc8a Journal+0x616cd
00000000`000efcb0 00000001`3fd2a654 Journal+0x5bc8a
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42u.dll -
00000000`000efd10 000007fe`ec65c8d6 Journal+0x5a654


oviykfqppyxljkodifhb.jnt

(1350.1270): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CopyToken+0x65:
000007fe`ebf4bb31 44382c10 cmp byte ptr [rax+rdx],r13b ds:00000000`0937cf42=??
0:000> k
Child-SP RetAddr Call Site
00000000`000fd740 000007fe`ebf4c251 NBDoc!CopyToken+0x65
00000000`000fd770 000007fe`ebf4b9a0 NBDoc!DecodePos+0x6a9
00000000`000fd8e0 000007fe`ebf53b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
00000000`000febe0 000007fe`ebf53a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`000fec10 000007fe`ebf9cd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`000fec90 000007fe`ebfb02e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`000fed40 000007fe`ebfb096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`000fedb0 000007fe`ebf9fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`000fef00 000007fe`ebf9e744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`000ff000 000007fe`ebf9dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`000ff0f0 000007fe`ebf30f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`000ff160 000007fe`ebf30cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`000ff220 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`000ff270 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`000ff2c0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`000ff320 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`000ff3d0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`000ff530 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`000ff580 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`000ff5f0 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb


fkdmtsxkowdcnxpyjqfj.jnt

(478.1128): Access violation - code c0000005 (!!! second chance !!!)
msvcrt!memset+0xb0:
000007fe`feec58e3 480fc311 movnti qword ptr [rcx],rdx ds:00000000`00000000=????????????????
0:000> k
Child-SP RetAddr Call Site
00000000`0022d738 000007fe`eb20b333 msvcrt!memset+0xb0
00000000`0022d740 000007fe`eb213b05 NBDoc!CBLCDecode::DecodeWithClusters+0x1fb
00000000`0022ea40 000007fe`eb213a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`0022ea70 000007fe`eb25cd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`0022eaf0 000007fe`eb2702e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`0022eba0 000007fe`eb27096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`0022ec10 000007fe`eb25fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`0022ed60 000007fe`eb25e744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`0022ee60 000007fe`eb25dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`0022ef50 000007fe`eb1f0f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`0022efc0 000007fe`eb1f0cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`0022f080 000007fe`eba5a523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`0022f0d0 000007fe`eba6636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`0022f120 000007fe`eba54210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`0022f180 000007fe`eba556e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`0022f230 000007fe`eba54b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`0022f390 000007fe`eba36245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`0022f3e0 000007fe`eba36717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`0022f450 000007fe`eba3768f MSPVWCTL!CEPDocView::Commit+0xcb
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
00000000`0022f4b0 00000001`3f5d9920 MSPVWCTL!CEPDocView::put_Document+0x53

Source: Windows Journal has a lot of 0days! - Pastebin.com
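The post shows the two halves of a dumb-fuzzing session without the tooling: mutate a seed .jnt, then read the WinDbg output and decide which crashes are distinct. The script below is an added example written for this page, not w3bd3vil's fuzzer or anything from the pastebin. It assumes a separate harness (not shown) that opens each mutant in Journal.exe under a debugger and captures the `k` output; the seed bytes are a constructed placeholder standing in for original.jnt, and the three sample reports are abbreviated copies of the traces quoted above. Bucketing by the first frame outside the runtime libraries, with the offset dropped, is the heuristic a triage pass would start from, not a proof of exploitability.

```python
"""Added example: seed mutation plus WinDbg crash bucketing (not the post's tooling)."""
import random
import re
from collections import Counter

# Constructed placeholder seed; a real run would read original.jnt from disk.
SEED = bytes(range(256)) * 8

# Values that tend to trip length/index arithmetic in binary parsers.
INTERESTING = [0x00, 0x7F, 0x80, 0xFF] + [
    b for v in (0x7FFFFFFF, 0x80000000, 0xFFFFFFFF) for b in v.to_bytes(4, "little")
]


def mutate(seed: bytes, rng: random.Random, max_edits: int = 16) -> bytes:
    """Dumb byte-level mutation: bit flips, interesting-byte overwrites,
    truncation and chunk duplication. Deterministic for a given rng state."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_edits)):
        roll = rng.random()
        if roll < 0.5 and buf:                      # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif roll < 0.8 and buf:                    # overwrite with an interesting byte
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif roll < 0.9 and len(buf) > 8:           # truncate (keeps at least 1 byte)
            del buf[rng.randrange(1, len(buf)):]
        elif buf:                                   # duplicate a chunk onto the end
            start = rng.randrange(len(buf))
            buf.extend(buf[start:start + 64])
    return bytes(buf)


# Header line: "(388.133c): Access violation - code c0000005 (...)"
EXC_RE = re.compile(r"\(([0-9a-f]+)\.([0-9a-f]+)\):\s+(.*?)\s+-\s+code\s+([0-9a-f]{8})")
# Frame line: "<Child-SP> <RetAddr> module!symbol+off"; 64-bit addresses are 17 chars with the backtick.
FRAME_RE = re.compile(r"^[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+(\S+)", re.M)
RUNTIME = ("ntdll!", "msvcrt!", "KERNELBASE!", "kernel32!")


def bucket_crash(report: str) -> tuple:
    """Return (exception code, owning frame without offset, triage note)."""
    m = EXC_RE.search(report)
    code = m.group(4) if m else "unknown"
    frames = FRAME_RE.findall(report)
    owner = next((f for f in frames if not f.startswith(RUNTIME)), frames[0] if frames else "?")
    owner = owner.split("+")[0]          # same function, different offset -> same bucket
    top = frames[0] if frames else ""
    if code == "c0000374":
        note = "heap manager reported corruption (RtlpReportHeapFailure); inspect with !heap -p -a"
    elif code == "c0000005" and ("free" in top.lower() or "FreeHeap" in top):
        note = "access violation inside free(); freed pointer is bad or already corrupted"
    elif code == "c0000005":
        note = "access violation; check fault address and whether the access is a read or write"
    else:
        note = "unclassified"
    return code, owner, note


def triage(reports: dict) -> Counter:
    """Count distinct (code, owner) buckets across a batch of reports."""
    return Counter((code, owner) for code, owner, _ in map(bucket_crash, reports.values()))


# Abbreviated copies of three traces from the post, used as sample input.
SAMPLES = {
    "otelgyuztokyfflidmre.jnt": """(388.133c): Access violation - code c0000005 (!!! second chance !!!)
00000000`0029e320 00000000`772b40fd ntdll!RtlpFreeHeap+0x5d5
00000000`0029e660 000007fe`feeb10c8 ntdll!RtlFreeHeap+0x1a6
00000000`0029e6e0 000007fe`ebb02070 msvcrt!free+0x1c
00000000`0029e710 000007fe`ebb00985 NBDoc!CEPMRCFormatReader::BlcReWrite+0xba0
""",
    "ddvptbflittlwwyifrhz.jnt": """(b04.1370): Unknown exception - code c0000374 (!!! second chance !!!)
00000000`001dd460 00000000`77324746 ntdll!RtlReportCriticalFailure+0x62
00000000`001dd640 000007fe`eb66c2c2 msvcrt!free+0x1c
00000000`001dd670 000007fe`eb66b9a0 NBDoc!DecodePos+0x71a
""",
    "fiisfjwpxxywlwiqcowm.jnt": """(380.12f4): Access violation - code c0000005 (!!! second chance !!!)
00000000`0014d7e0 000007fe`eb66c251 NBDoc!CopyToken+0x65
00000000`0014d810 000007fe`eb66b9a0 NBDoc!DecodePos+0x6a9
""",
}

if __name__ == "__main__":
    rng = random.Random(2014)
    for i in range(3):
        print(f"mutant {i}: {len(mutate(SEED, rng))} bytes")
    for name, report in SAMPLES.items():
        print(name, *bucket_crash(report))
    print(triage(SAMPLES))
```

Two of the crashes in the post share DecodePos/CopyToken frames; the bucketing above keeps them apart because the first non-runtime frame differs, which is the right default when the fault sites differ, and merges the two CopyToken+0x65 traces, which are almost certainly the same bug hit from two different mutants.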
