Windows Journal has a lot of 0days!

1. @w3bd3vil
2.  
3. I was reading the blog at beyondtrust and decided to check if Journal was really an easy target.
4. Behold, multiple exploitable looking crashes in a couple of minutes of mutation!
5.  
6. The original.jnt is the same file used in the blog. All files can be downloaded from:
7. https://mega.co.nz/#!nUUS3DhK!cQuL3x1Z-MmxOUsUwfDlVjfiJDyjlkhAacynW4FnAKc
8. Password: webdevil
9.  
10. Tested on Win7
11.  
12. otelgyuztokyfflidmre.jnt
13.  
14. (388.133c): Access violation - code c0000005 (!!! second chance !!!)
15. ntdll!RtlpFreeHeap+0x5d5:
16. 00000000`772b46e5 418b40f8 mov eax,dword ptr [r8-8] ds:ffffffff`fffffff8=????????
17. 0:000> k
18. Child-SP RetAddr Call Site
19. 00000000`0029e320 00000000`772b40fd ntdll!RtlpFreeHeap+0x5d5
20. 00000000`0029e660 000007fe`feeb10c8 ntdll!RtlFreeHeap+0x1a6
21. 00000000`0029e6e0 000007fe`ebb02070 msvcrt!free+0x1c
22. 00000000`0029e710 000007fe`ebb00985 NBDoc!CEPMRCFormatReader::BlcReWrite+0xba0
23. 00000000`0029e8c0 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2c5
24. 00000000`0029ea10 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c
25. 00000000`0029eb10 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
26. 00000000`0029ec00 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172
27. 00000000`0029ec70 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
28. 00000000`0029ed30 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
29. 00000000`0029ed80 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb
30. 00000000`0029edd0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
31. 00000000`0029ee30 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
32. 00000000`0029eee0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
33. 00000000`0029f040 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
34. 00000000`0029f090 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
35. 00000000`0029f100 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb
36. *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
37. 00000000`0029f160 00000001`3fc69920 MSPVWCTL!CEPDocView::put_Document+0x53
38. 00000000`0029f1a0 00000001`3fc8b44d Journal+0x49920
39. 00000000`0029f1f0 00000001`3fc816cd Journal+0x6b44d
40.  
41. ddvptbflittlwwyifrhz.jnt
42.  
43. (b04.1370): Unknown exception - code c0000374 (!!! second chance !!!)
44. ntdll!RtlReportCriticalFailure+0x62:
45. 00000000`77324102 eb00 jmp ntdll!RtlReportCriticalFailure+0x64 (00000000`77324104)
46. 0:000> k
47. Child-SP RetAddr Call Site
48. 00000000`001dd460 00000000`77324746 ntdll!RtlReportCriticalFailure+0x62
49. 00000000`001dd530 00000000`77325952 ntdll!RtlpReportHeapFailure+0x26
50. 00000000`001dd560 00000000`77327604 ntdll!RtlpHeapHandleError+0x12
51. 00000000`001dd590 00000000`772cdc1f ntdll!RtlpLogHeapFailure+0xa4
52. 00000000`001dd5c0 000007fe`feeb10c8 ntdll! ?? ::FNODOBFM::`string'+0x10c54
53. 00000000`001dd640 000007fe`eb66c2c2 msvcrt!free+0x1c
54. 00000000`001dd670 000007fe`eb66b9a0 NBDoc!DecodePos+0x71a
55. 00000000`001dd7e0 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
56. 00000000`001deae0 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d
57. 00000000`001deb10 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b
58. 00000000`001deb90 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c
59. 00000000`001dec40 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
60. 00000000`001decb0 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
61. 00000000`001dee00 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c
62. 00000000`001def00 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
63. 00000000`001deff0 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172
64. 00000000`001df060 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
65. 00000000`001df120 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
66. 00000000`001df170 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb
67. 00000000`001df1c0 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
68.  
69.  
70. fiisfjwpxxywlwiqcowm.jnt
71.  
72. (380.12f4): Access violation - code c0000005 (!!! second chance !!!)
73. NBDoc!CopyToken+0x65:
74. 000007fe`eb66bb31 44382c10 cmp byte ptr [rax+rdx],r13b ds:00000000`00db5a0d=??
75. 0:000> k
76. Child-SP RetAddr Call Site
77. 00000000`0014d7e0 000007fe`eb66c251 NBDoc!CopyToken+0x65
78. 00000000`0014d810 000007fe`eb66b9a0 NBDoc!DecodePos+0x6a9
79. 00000000`0014d980 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
80. 00000000`0014ec80 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d
81. 00000000`0014ecb0 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b
82. 00000000`0014ed30 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c
83. 00000000`0014ede0 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
84. 00000000`0014ee50 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
85. 00000000`0014efa0 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c
86. 00000000`0014f0a0 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
87. 00000000`0014f190 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172
88. 00000000`0014f200 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
89. 00000000`0014f2c0 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
90. 00000000`0014f310 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb
91. 00000000`0014f360 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
92. 00000000`0014f3c0 000007fe`f2bd56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
93. 00000000`0014f470 000007fe`f2bd4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
94. 00000000`0014f5d0 000007fe`f2bb6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
95. 00000000`0014f620 000007fe`f2bb6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
96. 00000000`0014f690 000007fe`f2bb768f MSPVWCTL!CEPDocView::Commit+0xcb
97.  
98. rxamgbdcsmxhvlfyyabm.jnt
99.  
100. (954.368): Access violation - code c0000005 (!!! second chance !!!)
101. NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90:
102. 000007fe`ebb00430 488b4cd018 mov rcx,qword ptr [rax+rdx*8+18h] ds:00000000`003b1000=????????????????
103. 0:000> k
104. Child-SP RetAddr Call Site
105. 00000000`000eefe0 000007fe`ebb009eb NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90
106. 00000000`000ef010 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x32b
107. 00000000`000ef160 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c
108. 00000000`000ef260 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
109. 00000000`000ef350 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172
110. 00000000`000ef3c0 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
111. 00000000`000ef480 000007fe`eb6ea523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
112. 00000000`000ef4d0 000007fe`eb6f636a MSPVWCTL!CPage::EnableImageLayer+0xbb
113. 00000000`000ef520 000007fe`eb6e4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
114. 00000000`000ef580 000007fe`eb6e56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
115. 00000000`000ef630 000007fe`eb6e4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
116. 00000000`000ef790 000007fe`eb6c6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
117. 00000000`000ef7e0 000007fe`eb6c6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
118. 00000000`000ef850 000007fe`eb6c768f MSPVWCTL!CEPDocView::Commit+0xcb
119. *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
120. 00000000`000ef8b0 00000001`3fd19920 MSPVWCTL!CEPDocView::put_Document+0x53
121. 00000000`000ef8f0 00000001`3fd3b44d Journal+0x49920
122. 00000000`000ef940 00000001`3fd316cd Journal+0x6b44d
123. 00000000`000ef990 00000001`3fd2bc8a Journal+0x616cd
124. 00000000`000efcb0 00000001`3fd2a654 Journal+0x5bc8a
125. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42u.dll -
126. 00000000`000efd10 000007fe`ec65c8d6 Journal+0x5a654
127.  
128.  
129. oviykfqppyxljkodifhb.jnt
130.  
131. (1350.1270): Access violation - code c0000005 (!!! second chance !!!)
132. NBDoc!CopyToken+0x65:
133. 000007fe`ebf4bb31 44382c10 cmp byte ptr [rax+rdx],r13b ds:00000000`0937cf42=??
134. 0:000> k
135. Child-SP RetAddr Call Site
136. 00000000`000fd740 000007fe`ebf4c251 NBDoc!CopyToken+0x65
137. 00000000`000fd770 000007fe`ebf4b9a0 NBDoc!DecodePos+0x6a9
138. 00000000`000fd8e0 000007fe`ebf53b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868
139. 00000000`000febe0 000007fe`ebf53a07 NBDoc!CBLCDecode::Decode+0x3d
140. 00000000`000fec10 000007fe`ebf9cd8c NBDoc!CBLCDecode::Decode+0x8b
141. 00000000`000fec90 000007fe`ebfb02e2 NBDoc!DecodeBlcToCanvas+0x24c
142. 00000000`000fed40 000007fe`ebfb096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
143. 00000000`000fedb0 000007fe`ebf9fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
144. 00000000`000fef00 000007fe`ebf9e744 NBDoc!CIFD::GetMRCImages+0x54c
145. 00000000`000ff000 000007fe`ebf9dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
146. 00000000`000ff0f0 000007fe`ebf30f2c NBDoc!CIFD::GetImageLayerEx+0x172
147. 00000000`000ff160 000007fe`ebf30cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
148. 00000000`000ff220 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
149. 00000000`000ff270 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb
150. 00000000`000ff2c0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
151. 00000000`000ff320 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
152. 00000000`000ff3d0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
153. 00000000`000ff530 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
154. 00000000`000ff580 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
155. 00000000`000ff5f0 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb
156.  
157.  
158. fkdmtsxkowdcnxpyjqfj.jnt
159.  
160. (478.1128): Access violation - code c0000005 (!!! second chance !!!)
161. msvcrt!memset+0xb0:
162. 000007fe`feec58e3 480fc311 movnti qword ptr [rcx],rdx ds:00000000`00000000=????????????????
163. 0:000> k
164. Child-SP RetAddr Call Site
165. 00000000`0022d738 000007fe`eb20b333 msvcrt!memset+0xb0
166. 00000000`0022d740 000007fe`eb213b05 NBDoc!CBLCDecode::DecodeWithClusters+0x1fb
167. 00000000`0022ea40 000007fe`eb213a07 NBDoc!CBLCDecode::Decode+0x3d
168. 00000000`0022ea70 000007fe`eb25cd8c NBDoc!CBLCDecode::Decode+0x8b
169. 00000000`0022eaf0 000007fe`eb2702e2 NBDoc!DecodeBlcToCanvas+0x24c
170. 00000000`0022eba0 000007fe`eb27096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142
171. 00000000`0022ec10 000007fe`eb25fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa
172. 00000000`0022ed60 000007fe`eb25e744 NBDoc!CIFD::GetMRCImages+0x54c
173. 00000000`0022ee60 000007fe`eb25dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4
174. 00000000`0022ef50 000007fe`eb1f0f2c NBDoc!CIFD::GetImageLayerEx+0x172
175. 00000000`0022efc0 000007fe`eb1f0cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218
176. 00000000`0022f080 000007fe`eba5a523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80
177. 00000000`0022f0d0 000007fe`eba6636a MSPVWCTL!CPage::EnableImageLayer+0xbb
178. 00000000`0022f120 000007fe`eba54210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6
179. 00000000`0022f180 000007fe`eba556e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc
180. 00000000`0022f230 000007fe`eba54b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca
181. 00000000`0022f390 000007fe`eba36245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c
182. 00000000`0022f3e0 000007fe`eba36717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165
183. 00000000`0022f450 000007fe`eba3768f MSPVWCTL!CEPDocView::Commit+0xcb
184. *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe
185. 00000000`0022f4b0 00000001`3f5d9920 MSPVWCTL!CEPDocView::put_Document+0x53