Windows Journal has a lot of 0days!

a guest, Dec 2nd, 2014
@w3bd3vil

I was reading the blog at beyondtrust and decided to check if Journal was really an easy target.
Behold, multiple exploitable-looking crashes in a couple of minutes of mutation!

The original.jnt is the same file used in the blog. All files can be downloaded from:
https://mega.co.nz/#!nUUS3DhK!cQuL3x1Z-MmxOUsUwfDlVjfiJDyjlkhAacynW4FnAKc
Password: webdevil

Tested on Win7

otelgyuztokyfflidmre.jnt

(388.133c): Access violation - code c0000005 (!!! second chance !!!)
ntdll!RtlpFreeHeap+0x5d5:
00000000`772b46e5 418b40f8        mov     eax,dword ptr [r8-8] ds:ffffffff`fffffff8=????????
0:000> k
Child-SP          RetAddr           Call Site
00000000`0029e320 00000000`772b40fd ntdll!RtlpFreeHeap+0x5d5
00000000`0029e660 000007fe`feeb10c8 ntdll!RtlFreeHeap+0x1a6
00000000`0029e6e0 000007fe`ebb02070 msvcrt!free+0x1c
00000000`0029e710 000007fe`ebb00985 NBDoc!CEPMRCFormatReader::BlcReWrite+0xba0
00000000`0029e8c0 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2c5
00000000`0029ea10 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`0029eb10 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`0029ec00 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`0029ec70 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`0029ed30 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`0029ed80 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`0029edd0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`0029ee30 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`0029eee0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`0029f040 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`0029f090 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`0029f100 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
00000000`0029f160 00000001`3fc69920 MSPVWCTL!CEPDocView::put_Document+0x53
00000000`0029f1a0 00000001`3fc8b44d Journal+0x49920
00000000`0029f1f0 00000001`3fc816cd Journal+0x6b44d

ddvptbflittlwwyifrhz.jnt

(b04.1370): Unknown exception - code c0000374 (!!! second chance !!!)
ntdll!RtlReportCriticalFailure+0x62:
00000000`77324102 eb00            jmp     ntdll!RtlReportCriticalFailure+0x64 (00000000`77324104)
0:000> k
Child-SP          RetAddr           Call Site
00000000`001dd460 00000000`77324746 ntdll!RtlReportCriticalFailure+0x62
00000000`001dd530 00000000`77325952 ntdll!RtlpReportHeapFailure+0x26
00000000`001dd560 00000000`77327604 ntdll!RtlpHeapHandleError+0x12
00000000`001dd590 00000000`772cdc1f ntdll!RtlpLogHeapFailure+0xa4
00000000`001dd5c0 000007fe`feeb10c8 ntdll! ?? ::FNODOBFM::`string'+0x10c54
00000000`001dd640 000007fe`eb66c2c2 msvcrt!free+0x1c
00000000`001dd670 000007fe`eb66b9a0 NBDoc!DecodePos+0x71a
00000000`001dd7e0 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
00000000`001deae0 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`001deb10 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`001deb90 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`001dec40 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`001decb0 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`001dee00 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`001def00 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`001deff0 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`001df060 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`001df120 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`001df170 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`001df1c0 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6

fiisfjwpxxywlwiqcowm.jnt

(380.12f4): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CopyToken+0x65:
000007fe`eb66bb31 44382c10        cmp     byte ptr [rax+rdx],r13b ds:00000000`00db5a0d=??
0:000> k
Child-SP          RetAddr           Call Site
00000000`0014d7e0 000007fe`eb66c251 NBDoc!CopyToken+0x65
00000000`0014d810 000007fe`eb66b9a0 NBDoc!DecodePos+0x6a9
00000000`0014d980 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
00000000`0014ec80 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`0014ecb0 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`0014ed30 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`0014ede0 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`0014ee50 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`0014efa0 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`0014f0a0 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`0014f190 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`0014f200 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`0014f2c0 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`0014f310 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`0014f360 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`0014f3c0 000007fe`f2bd56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`0014f470 000007fe`f2bd4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`0014f5d0 000007fe`f2bb6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`0014f620 000007fe`f2bb6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`0014f690 000007fe`f2bb768f MSPVWCTL!CEPDocView::Commit+0xcb

rxamgbdcsmxhvlfyyabm.jnt

(954.368): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90:
000007fe`ebb00430 488b4cd018      mov     rcx,qword ptr [rax+rdx*8+18h] ds:00000000`003b1000=????????????????
0:000> k
Child-SP          RetAddr           Call Site
00000000`000eefe0 000007fe`ebb009eb NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90
00000000`000ef010 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x32b
00000000`000ef160 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`000ef260 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`000ef350 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`000ef3c0 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`000ef480 000007fe`eb6ea523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`000ef4d0 000007fe`eb6f636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`000ef520 000007fe`eb6e4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`000ef580 000007fe`eb6e56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`000ef630 000007fe`eb6e4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`000ef790 000007fe`eb6c6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`000ef7e0 000007fe`eb6c6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`000ef850 000007fe`eb6c768f MSPVWCTL!CEPDocView::Commit+0xcb
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
00000000`000ef8b0 00000001`3fd19920 MSPVWCTL!CEPDocView::put_Document+0x53
00000000`000ef8f0 00000001`3fd3b44d Journal+0x49920
00000000`000ef940 00000001`3fd316cd Journal+0x6b44d
00000000`000ef990 00000001`3fd2bc8a Journal+0x616cd
00000000`000efcb0 00000001`3fd2a654 Journal+0x5bc8a
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\MFC42u.dll -
00000000`000efd10 000007fe`ec65c8d6 Journal+0x5a654

oviykfqppyxljkodifhb.jnt

(1350.1270): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CopyToken+0x65:
000007fe`ebf4bb31 44382c10        cmp     byte ptr [rax+rdx],r13b ds:00000000`0937cf42=??
0:000> k
Child-SP          RetAddr           Call Site
00000000`000fd740 000007fe`ebf4c251 NBDoc!CopyToken+0x65
00000000`000fd770 000007fe`ebf4b9a0 NBDoc!DecodePos+0x6a9
00000000`000fd8e0 000007fe`ebf53b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
00000000`000febe0 000007fe`ebf53a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`000fec10 000007fe`ebf9cd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`000fec90 000007fe`ebfb02e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`000fed40 000007fe`ebfb096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`000fedb0 000007fe`ebf9fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`000fef00 000007fe`ebf9e744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`000ff000 000007fe`ebf9dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`000ff0f0 000007fe`ebf30f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`000ff160 000007fe`ebf30cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`000ff220 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`000ff270 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`000ff2c0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`000ff320 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`000ff3d0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`000ff530 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`000ff580 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`000ff5f0 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb

fkdmtsxkowdcnxpyjqfj.jnt

(478.1128): Access violation - code c0000005 (!!! second chance !!!)
msvcrt!memset+0xb0:
000007fe`feec58e3 480fc311        movnti  qword ptr [rcx],rdx ds:00000000`00000000=????????????????
0:000> k
Child-SP          RetAddr           Call Site
00000000`0022d738 000007fe`eb20b333 msvcrt!memset+0xb0
00000000`0022d740 000007fe`eb213b05 NBDoc!CBLCDecode::DecodeWithClusters+0x1fb
00000000`0022ea40 000007fe`eb213a07 NBDoc!CBLCDecode::Decode+0x3d
00000000`0022ea70 000007fe`eb25cd8c NBDoc!CBLCDecode::Decode+0x8b
00000000`0022eaf0 000007fe`eb2702e2 NBDoc!DecodeBlcToCanvas+0x24c
00000000`0022eba0 000007fe`eb27096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
00000000`0022ec10 000007fe`eb25fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
00000000`0022ed60 000007fe`eb25e744 NBDoc!CIFD::GetMRCImages+0x54c
00000000`0022ee60 000007fe`eb25dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
00000000`0022ef50 000007fe`eb1f0f2c NBDoc!CIFD::GetImageLayerEx+0x172
00000000`0022efc0 000007fe`eb1f0cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
00000000`0022f080 000007fe`eba5a523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
00000000`0022f0d0 000007fe`eba6636a MSPVWCTL!CPage::EnableImageLayer+0xbb
00000000`0022f120 000007fe`eba54210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
00000000`0022f180 000007fe`eba556e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
00000000`0022f230 000007fe`eba54b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
00000000`0022f390 000007fe`eba36245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
00000000`0022f3e0 000007fe`eba36717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
00000000`0022f450 000007fe`eba3768f MSPVWCTL!CEPDocView::Commit+0xcb
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
00000000`0022f4b0 00000001`3f5d9920 MSPVWCTL!CEPDocView::put_Document+0x53
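
Added example, not part of @w3bd3vil's paste: a minimal mutation harness and a bucketer for cdb transcripts like the ones above. It groups crashes by exception code, the first frame outside ntdll/msvcrt (offset stripped), and whether the faulting instruction reads or writes memory, so the two CopyToken hits land in one bucket, the two free() crashes bucket by their NBDoc callers, and the memset write stands out from the read AVs. The Journal.exe and cdb.exe paths, the cdb command string, and the 16-byte header guard in mutate() are assumptions; the sample transcripts are trimmed copies of three dumps from the paste.

```python
"""Mutation fuzzing harness and cdb crash bucketer for .jnt files.

Added example, not the paste author's code. mutate() and bucket()/triage()
run anywhere; run_case() is Windows-only and assumes the paths below.
"""
import random
import re
import subprocess

JOURNAL_EXE = r"C:\Program Files\Windows Journal\Journal.exe"          # assumed path
CDB_EXE = r"C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\cdb.exe"  # assumed path
RUNTIME_MODULES = {"ntdll", "msvcrt", "kernelbase", "kernel32"}  # allocator/CRT, not the parser

CRASH_RE = re.compile(r"\([0-9a-f]+\.[0-9a-f]+\): .+? - code ([0-9a-f]{8})")
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} (.+)$", re.M)
INSN_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]+\s+(\w+)\s+(.*?) ds:", re.M)


def mutate(data: bytes, seed: int, max_edits: int = 16) -> bytes:
    """Deterministic dumb mutation: bit flips, boundary bytes, random bytes.
    The first 16 bytes are left alone so the loader still recognises the file
    (assumption about where the .jnt signature lives)."""
    rng = random.Random(seed)
    buf = bytearray(data)
    if len(buf) <= 16:
        return bytes(buf)
    for _ in range(rng.randint(1, max_edits)):
        pos = rng.randrange(16, len(buf))
        op = rng.randrange(3)
        if op == 0:
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf[pos] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        else:
            buf[pos] = rng.randrange(256)
    return bytes(buf)


def access_kind(log: str):
    """'write' if the faulting instruction's destination operand is memory,
    'read' if only a source is, None if there was no memory-access fault."""
    m = INSN_RE.search(log)
    if not m:
        return None
    mnemonic, operands = m.group(1), m.group(2)
    dst = operands.split(",", 1)[0]
    if "ptr [" in dst and mnemonic not in ("cmp", "test"):
        return "write"
    return "read"


def bucket(log: str):
    """(exception code, owning frame, access kind) for one transcript, or
    None when nothing crashed. The owning frame is the first one outside
    RUNTIME_MODULES with its +offset stripped, so ASLR/rebuilds don't split it."""
    m = CRASH_RE.search(log)
    if not m:
        return None
    owner = "unknown"
    for frame in FRAME_RE.findall(log):
        module = frame.split("!", 1)[0].lower()
        if module not in RUNTIME_MODULES:
            owner = frame.split("+", 1)[0]
            break
    return m.group(1), owner, access_kind(log)


def triage(transcripts: dict) -> dict:
    """Group {testcase name: transcript} into {bucket: [names]}."""
    out = {}
    for name, log in sorted(transcripts.items()):
        b = bucket(log)
        if b is not None:
            out.setdefault(b, []).append(name)
    return out


def run_case(path: str, timeout: int = 20) -> str:
    """Windows only: open one file in Journal under cdb and return the
    transcript. -g/-G skip the initial and final breakpoints; the -c script
    runs the target and, when an exception stops it, prints the event and
    stack before quitting. A hang (e.g. a modal dialog) yields an empty log."""
    cmd = [CDB_EXE, "-g", "-G", "-c", "g; .lastevent; k; q", JOURNAL_EXE, path]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout
    except subprocess.TimeoutExpired:
        return ""


# Constructed sample: trimmed copies of three transcripts from the paste.
SAMPLE_LOGS = {
    "fiisfjwpxxywlwiqcowm.jnt": """(380.12f4): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CopyToken+0x65:
000007fe`eb66bb31 44382c10        cmp     byte ptr [rax+rdx],r13b ds:00000000`00db5a0d=??
0:000> k
Child-SP          RetAddr           Call Site
00000000`0014d7e0 000007fe`eb66c251 NBDoc!CopyToken+0x65
00000000`0014d810 000007fe`eb66b9a0 NBDoc!DecodePos+0x6a9
""",
    "oviykfqppyxljkodifhb.jnt": """(1350.1270): Access violation - code c0000005 (!!! second chance !!!)
NBDoc!CopyToken+0x65:
000007fe`ebf4bb31 44382c10        cmp     byte ptr [rax+rdx],r13b ds:00000000`0937cf42=??
0:000> k
Child-SP          RetAddr           Call Site
00000000`000fd740 000007fe`ebf4c251 NBDoc!CopyToken+0x65
""",
    "fkdmtsxkowdcnxpyjqfj.jnt": """(478.1128): Access violation - code c0000005 (!!! second chance !!!)
msvcrt!memset+0xb0:
000007fe`feec58e3 480fc311        movnti  qword ptr [rcx],rdx ds:00000000`00000000=????????????????
0:000> k
Child-SP          RetAddr           Call Site
00000000`0022d738 000007fe`eb20b333 msvcrt!memset+0xb0
00000000`0022d740 000007fe`eb213b05 NBDoc!CBLCDecode::DecodeWithClusters+0x1fb
""",
}

if __name__ == "__main__":
    for key, names in triage(SAMPLE_LOGS).items():
        print(key, names)
```

A real run would loop `mutate(open("original.jnt","rb").read(), seed)` over seeds, write each case to disk, feed it to `run_case()`, and call `triage()` on the collected transcripts; the write bucket (memset with rcx == 0, reached from DecodeWithClusters) and the c0000374 heap-failure case are the ones worth looking at first.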