Document Title:
===============
FlashFXP v3.6.0 - Buffer Overflow Vulnerability

Release Date:
=============
2011-07-20

Vulnerability Laboratory ID (VL-ID):
====================================
121

Product & Service Introduction:
===============================
FlashFXP is a FTP (File Transfer Protocol) client for Windows, it offers you easy and fast ways to transfer any file between other local computers (LAN - Local Area Network) running a FTP server or via the Internet (WAN - Wide Area Network) and even directly between two servers using Site to Site transfers (FXP - File eXchange Protocol). Use FlashFXP to publish and maintain your website, Upload and download documents, photos, videos, music and more! Share your files with your friends and co-workers using the powerful site manager. There are many features and advanced options available within FlashFXP which are being added with the release of each new version stable or beta*. The software is available in over 20 languages and under active development. FlashFXP offers high security, performance, and reliability that you can always depend on to get your job done swiftly and efficiently.

(Copy of the Vendor Homepage: http://www.flashfxp.com)

Abstract Advisory Information:
==============================
Vulnerability Laboratory Research Team discovered a Buffer Overflow Vulnerability on FlashFXP v3.6.0.

Vulnerability Disclosure Timeline:
==================================
2011-07-21: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A buffer overflow vulnerability was detected in FlashFXP. The vulnerability is located in the import function, which does not restrict the size of imported strings. Attackers can supply large Unicode strings to overwrite the EBP and EIP registers of the software process.
Successful exploitation can result in system compromise via process escalation with system process privileges.

Vulnerable Module(s):
	[+] .dat import
	[+] File Associations

--- DEBUG LOG ---
(4a4.198): Unknown exception - code 0eedfade (first chance)
(4a4.198): Unknown exception - code 0eedfade (first chance)
(4a4.78c): Break instruction exception - code 80000003 (first chance)
eax=7ef9d000 ebx=00000000 ecx=00000000 edx=772cf50a esi=00000000 edi=00000000
eip=7724000c esp=05c2ff5c ebp=05c2ff88 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246

--- ERROR LOG ---
date/time         : 2010-04-13 01:20
computer name     : HOSTBUSTER
user name         : Rem0ve
operating system  : Windows NT New Tablet PC x64 build 7600
system language   : German
system up time    : 7 hours 57 minutes
program up time   : 2 minutes 9 seconds
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 2563/4091 MB (free/total)
free disk space   : (C:) 233,38 GB
display mode      : 1366x768, 32 bit
monitors          : 1
process id        : $13bc
allocated memory  : 115,85 MB
executable        : FlashFXP.exe
executable hash   : 370F40D4853967D56580F0699D3958DE
executable size   : 3068360
exec. date/time   : 2008-02-20 10:52
version           : 3.6.0.1240
madExcept version : 2.7k
exception class   : ERangeError
exception message : Range check error.

main thread ($15bc):
0040593a FlashFXP.exe System DynArraySetLength
00405aa1 FlashFXP.exe System @DynArraySetLength
0049cc08 FlashFXP.exe cxGraphics 1587 +61 TCustomConsole.WrapLine
0049c9be FlashFXP.exe cxGraphics 1451 +40 TCustomConsole.AddText
005df7bf FlashFXP.exe FrmMain1 9659 +43 TFrmMain.AddTextStatus
005e1597 FlashFXP.exe FrmMain1 10166 +314 TFrmMain.ConnectToHost
005f7dc7 FlashFXP.exe FrmMain1 17531 +329 TFrmMain.CmdLineConnect
005cd9c2 FlashFXP.exe FrmMain1 2444 +4 TFrmMain.SMConnect
004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc
00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc
004699dd FlashFXP.exe Forms 3190 +139 TCustomForm.WndProc
004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage
004c4df4 FlashFXP.exe ThemeMgr 1149 +38 TThemeManager.FormWindowProc
004c62f8 FlashFXP.exe ThemeMgr 2056 +2 TThemeManager.PreFormWindowProc
005290ea FlashFXP.exe VistaAltFixUnit 269 +1 TFormObj.WndProc
00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc
00466aac FlashFXP.exe Forms 1484 +8 StdWndProc
7698810d user32.dll DispatchMessageA
0046f6a3 FlashFXP.exe Forms 6898 +34 TApplication.ProcessMessage
0046f6da FlashFXP.exe Forms 6936 +1 TApplication.HandleMessage
0046f8fa FlashFXP.exe Forms 7026 +21 TApplication.Run
00624e6c FlashFXP.exe FlashFXP 671 +503 initialization
75453675 kernel32.dll BaseThreadInitThunk

disassembling:
00405910 public System.DynArraySetLength: ; function entry point
00405910 push ebp
00405911 mov ebp, esp
00405913 add esp, -$20
00405916 push ebx
00405917 push esi
00405918 push edi
00405919 mov [ebp-8], ecx
0040591c mov esi, edx
0040591e mov [ebp-4], eax
00405921 mov ebx, [ebp-4]
00405924 mov ebx, [ebx]
00405926 mov eax, [ebp+8]
00405929 mov edi, [eax]
0040592b test edi, edi
0040592d jg loc_405949
0040592f test edi, edi
00405931 jge loc_40593a
00405933 mov al, 4
00405935 call -$2e92 ($402aa8) ; System.Error
0040593a > mov eax, [ebp-4]
0040593d mov edx, esi
0040593f call -$3c ($405908) ; System.DynArrayClear
00405944 jmp loc_405a91
00405949 xor eax, eax
0040594b mov [ebp-$10], eax
0040594e test ebx, ebx
00405950 jz loc_40595d
00405952 sub ebx, 4
00405955 mov eax, [ebx]
00405957 mov [ebp-$10], eax
0040595a sub ebx, 4
0040595d xor eax, eax
0040595f mov al, [esi+1]
00405962 add esi, eax
00405964 mov eax, [esi+2]
00405967 mov [ebp-$18], eax
0040596a mov eax, [esi+6]
0040596d test eax, eax
0040596f jz loc_405975
00405971 mov esi, [eax]
[...]

----------

date/time         : 2010-04-12 23:51
computer name     : HOSTBUSTER
user name         : Rem0ve
operating system  : Windows NT New Tablet PC x64 build 7600
system language   : German
system up time    : 6 hours 28 minutes
program up time   : 1 minute 45 seconds
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 2047/4091 MB (free/total)
free disk space   : (C:) 233,39 GB
display mode      : 1366x768, 32 bit
monitors          : 1
process id        : $1064
allocated memory  : 182,26 MB
executable        : FlashFXP.exe
executable hash   : 370F40D4853967D56580F0699D3958DE
executable size   : 3068360
exec. date/time   : 2008-02-20 10:52
version           : 3.6.0.1240
madExcept version : 2.7k
exception class   : EStringListError
exception message : List index out of bounds (24).
main thread ($950): 00462240 FlashFXP.exe StdCtrls 3254 +2 TListBoxStrings.Get 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 00462e45 FlashFXP.exe StdCtrls 3660 +14 TCustomListBox.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 00415f71 FlashFXP.exe Classes 3217 +4 TStringList.Grow 004160ab FlashFXP.exe Classes 3247 +13 TStringList.InsertItem 0048c148 FlashFXP.exe IniFiles32 951 +15 TIniFile32.WriteSection 005c60da FlashFXP.exe FilterDlg 330 +13 TFrmFilter.bOkClick 00476a76 FlashFXP.exe Controls 4294 +9 TControl.Click 0046177b FlashFXP.exe StdCtrls 2869 +3 TButton.Click 00461887 FlashFXP.exe StdCtrls 2921 +1 TButton.CNCommand 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004616e7 FlashFXP.exe StdCtrls 2849 +13 TButtonControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c4ce6 FlashFXP.exe ThemeMgr 924 +61 TThemeManager.ButtonControlWindowProc 004c62e4 FlashFXP.exe ThemeMgr 2030 +2 TThemeManager.PreButtonControlWindowProc 00476710 FlashFXP.exe Controls 4158 +5 TControl.Perform 00479287 FlashFXP.exe Controls 5741 +6 DoControlMsg 0047978b FlashFXP.exe Controls 5917 +1 TWinControl.WMCommand 0046b7e8 FlashFXP.exe Forms 4161 +3 TCustomForm.WMCommand 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004699dd FlashFXP.exe Forms 3190 +139 TCustomForm.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c4df4 FlashFXP.exe ThemeMgr 1149 +38 TThemeManager.FormWindowProc 004c62f8 FlashFXP.exe ThemeMgr 2056 +2 TThemeManager.PreFormWindowProc 005290ea FlashFXP.exe 
VistaAltFixUnit 269 +1 TFormObj.WndProc 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 772400e3 ntdll.dll KiUserCallbackDispatcher 7698cd7c user32.dll SendMessageW 76997b0a user32.dll CallWindowProcA 0047920b FlashFXP.exe Controls 5720 +18 TWinControl.DefaultHandler 00476e7c FlashFXP.exe Controls 4441 +1 TControl.WMLButtonUp 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004616e7 FlashFXP.exe StdCtrls 2849 +13 TButtonControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c4ce6 FlashFXP.exe ThemeMgr 924 +61 TThemeManager.ButtonControlWindowProc 004c62e4 FlashFXP.exe ThemeMgr 2030 +2 TThemeManager.PreButtonControlWindowProc 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 7698810d user32.dll DispatchMessageA 0046f6a3 FlashFXP.exe Forms 6898 +34 TApplication.ProcessMessage 0046f6da FlashFXP.exe Forms 6936 +1 TApplication.HandleMessage 0046f8fa FlashFXP.exe Forms 7026 +21 TApplication.Run 00624e6c FlashFXP.exe FlashFXP 671 +503 initialization 75453675 kernel32.dll BaseThreadInitThunk thread $9b8: 772500fd ntdll.dll 75453675 kernel32.dll BaseThreadInitThunk thread $1484 (TChangeHandlerThread): 772500fd ntdll.dll 757a095c KERNELBASE.dll WaitForMultipleObjectsEx 75451628 kernel32.dll WaitForMultipleObjectsEx 7545191c kernel32.dll WaitForMultipleObjects 00507339 FlashFXP.exe UPTShellControls 4021 +11 TChangeHandlerThread.Execute 0044bcce FlashFXP.exe madExcept HookedTThreadExecute 0041b104 FlashFXP.exe Classes 6898 +1 ThreadProc 00403f38 FlashFXP.exe System ThreadWrapper 0044bc01 FlashFXP.exe madExcept CallThreadProc 0044bc43 FlashFXP.exe madExcept ThreadExceptFrame 75453675 kernel32.dll BaseThreadInitThunk >> created by main thread ($950) at: 00506fff FlashFXP.exe UPTShellControls 3916 +2 TChangeHandlerThread.Create thread $1148: 7724fd31 
ntdll.dll 757a2c4a KERNELBASE.dll SleepEx 757a351b KERNELBASE.dll Sleep 0044bc01 FlashFXP.exe madExcept CallThreadProc 0044bc43 FlashFXP.exe madExcept ThreadExceptFrame 75453675 kernel32.dll BaseThreadInitThunk >> created by thread $12c4 at: 755b642e ole32.dll thread $3ec: 77251ee6 ntdll.dll 75453675 kernel32.dll BaseThreadInitThunk thread $1510: 77251ee6 ntdll.dll 75453675 kernel32.dll BaseThreadInitThunk thread $1268: 76987e47 user32.dll 0044bc01 FlashFXP.exe madExcept CallThreadProc 0044bc43 FlashFXP.exe madExcept ThreadExceptFrame 75453675 kernel32.dll BaseThreadInitThunk >> created by thread $1644 at: 768b480b SHLWAPI.dll modules: 00400000 FlashFXP.exe 3.6.0.1240 C:/Program Files (x86)/FlashFXP 03a60000 ssleay32.dll 0.9.8.9 C:/Program Files (x86)/FlashFXP 10000000 libeay32.dll 0.9.8.9 C:/Program Files (x86)/FlashFXP 641d0000 wpdshext.dll 6.1.7600.16385 C:/Windows/system32 66960000 EhStorAPI.dll 6.1.7600.16385 C:/Windows/system32 66990000 PortableDeviceApi.dll 6.1.7600.16385 C:/Windows/system32 66a20000 SearchFolder.dll 6.1.7600.16385 C:/Windows/system32 66ac0000 ieproxy.dll 8.0.7600.16535 C:/Program Files (x86)/Internet Explorer 6aae0000 NetworkExplorer.dll 6.1.7600.16385 C:/Windows/system32 6ac90000 actxprxy.dll 6.1.7600.16385 C:/Windows/SysWOW64 6ace0000 StructuredQuery.dll 7.0.7600.16385 C:/Windows/System32 6afc0000 LINKINFO.dll 6.1.7600.16385 C:/Windows/system32 6afd0000 xmllite.dll 1.3.1000.0 C:/Windows/system32 6b1c0000 UIAutomationCore.dll 7.0.0.0 C:/Windows/system32 6b250000 msls31.dll 3.10.349.0 C:/Windows/system32 6cb30000 thumbcache.dll 6.1.7600.16385 C:/Windows/SysWOW64 6cd80000 WMASF.DLL 12.0.7600.16385 C:/Windows/system32 6cdc0000 WMVCore.DLL 12.0.7600.16385 C:/Windows/system32 6d190000 SAMLIB.dll 6.1.7600.16385 C:/Windows/system32 6d630000 ieframe.DLL 8.0.7600.16535 C:/Windows/system32 6e1c0000 audiodev.dll 6.1.7600.16385 C:/Windows/system32 6f7a0000 shdocvw.dll 6.1.7600.16385 C:/Windows/System32 6f8a0000 DUI70.dll 6.1.7600.16385 
C:/Windows/system32 6f960000 explorerframe.dll 6.1.7600.16385 C:/Windows/system32 6fcb0000 ntshrui.dll 6.1.7600.16385 C:/Windows/system32 6fd30000 SXS.DLL 6.1.7600.16385 C:/Windows/system32 6fd90000 EhStorShell.dll 6.1.7600.16385 C:/Windows/system32 6fdd0000 DUser.dll 6.1.7600.16385 C:/Windows/system32 6fe00000 slc.dll 6.1.7600.16385 C:/Windows/system32 726b0000 WindowsCodecs.dll 6.1.7600.16385 C:/Windows/system32 72870000 dwmapi.dll 6.1.7600.16385 C:/Windows/system32 72890000 uxtheme.dll 6.1.7600.16385 C:/Windows/system32 729a0000 tiptsf.dll 6.1.7600.16385 C:/Program Files (x86)/Common Files/microsoft shared/ink 72b40000 Secur32.dll 6.1.7600.16385 C:/Windows/System32 72b50000 apphelp.dll 6.1.7600.16385 C:/Windows/system32 72ba0000 rsaenh.dll 6.1.7600.16385 C:/Windows/system32 72be0000 CRYPTSP.dll 6.1.7600.16385 C:/Windows/system32 72c00000 comctl32.dll 6.10.7600.16385 C:/Windows/WinSxS/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc 72ea0000 WINSTA.dll 6.1.7600.16385 C:/Windows/System32 73020000 wsock32.dll 6.1.7600.16385 C:/Windows/system32 73040000 wkscli.dll 6.1.7600.16385 C:/Windows/system32 73050000 srvcli.dll 6.1.7600.16385 C:/Windows/system32 73070000 netutils.dll 6.1.7600.16385 C:/Windows/system32 730b0000 winspool.drv 6.1.7600.16385 C:/Windows/system32 73110000 oleacc.dll 7.0.0.0 C:/Windows/system32 73440000 RpcRtRemote.dll 6.1.7600.16385 C:/Windows/system32 73450000 MPR.dll 6.1.7600.16385 C:/Windows/system32 73870000 samcli.dll 6.1.7600.16385 C:/Windows/system32 739c0000 winmm.dll 6.1.7600.16385 C:/Windows/system32 73b40000 cscapi.dll 6.1.7600.16385 C:/Windows/system32 73b50000 DAVHLPR.dll 6.1.7600.16385 C:/Windows/System32 73b60000 davclnt.dll 6.1.7600.16385 C:/Windows/System32 73b80000 ntlanman.dll 6.1.7600.16385 C:/Windows/System32 73ba0000 drprov.dll 6.1.7600.16385 C:/Windows/System32 74320000 gdiplus.dll 6.1.7600.16385 
C:/Windows/WinSxS/x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca 744b0000 propsys.dll 7.0.7600.16385 C:/Windows/system32 74730000 ntmarta.dll 6.1.7600.16385 C:/Windows/system32 748e0000 profapi.dll 6.1.7600.16385 C:/Windows/system32 74910000 version.dll 6.1.7600.16385 C:/Windows/system32 74d90000 CRYPTBASE.dll 6.1.7600.16385 C:/Windows/syswow64 74da0000 SspiCli.dll 6.1.7600.16385 C:/Windows/syswow64 74e00000 PSAPI.DLL 6.1.7600.16385 C:/Windows/syswow64 74e10000 CLBCatQ.DLL 2001.12.8530.16385 C:/Windows/syswow64 74fe0000 CFGMGR32.dll 6.1.7600.16385 C:/Windows/syswow64 75010000 comdlg32.dll 6.1.7600.16385 C:/Windows/syswow64 75090000 iertutil.dll 8.0.7600.16385 C:/Windows/syswow64 75290000 MSASN1.dll 6.1.7600.16415 C:/Windows/syswow64 752a0000 SETUPAPI.dll 6.1.7600.16385 C:/Windows/syswow64 75440000 kernel32.dll 6.1.7600.16385 C:/Windows/syswow64 75540000 WS2_32.dll 6.1.7600.16385 C:/Windows/syswow64 75580000 ole32.dll 6.1.7600.16385 C:/Windows/syswow64 756e0000 NSI.dll 6.1.7600.16385 C:/Windows/syswow64 756f0000 ADVAPI32.dll 6.1.7600.16385 C:/Windows/syswow64 75790000 KERNELBASE.dll 6.1.7600.16385 C:/Windows/syswow64 757e0000 shell32.dll 6.1.7600.16385 C:/Windows/syswow64 76430000 USP10.dll 1.626.7600.16385 C:/Windows/syswow64 764d0000 WINTRUST.dll 6.1.7600.16385 C:/Windows/syswow64 76500000 MSCTF.dll 6.1.7600.16385 C:/Windows/syswow64 765d0000 msvcrt.dll 7.0.7600.16385 C:/Windows/syswow64 76680000 GDI32.dll 6.1.7600.16385 C:/Windows/syswow64 76740000 RPCRT4.dll 6.1.7600.16385 C:/Windows/syswow64 76830000 WLDAP32.dll 6.1.7600.16385 C:/Windows/syswow64 76880000 DEVOBJ.dll 6.1.7600.16385 C:/Windows/syswow64 768a0000 SHLWAPI.dll 6.1.7600.16385 C:/Windows/syswow64 76900000 LPK.dll 6.1.7600.16385 C:/Windows/syswow64 76970000 user32.dll 6.1.7600.16385 C:/Windows/syswow64 76b00000 crypt32.dll 6.1.7600.16385 C:/Windows/syswow64 76c20000 sechost.dll 6.1.7600.16385 C:/Windows/SysWOW64 76d40000 IMM32.DLL 6.1.7600.16385 C:/Windows/system32 
76da0000 oleaut32.dll 6.1.7600.16385 C:/Windows/syswow64 77230000 ntdll.dll 6.1.7600.16385 C:/Windows/SysWOW64 disassembling: [...] 004621fa push $46226e ; System.@HandleFinally 004621ff push dword ptr fs:[eax] 00462202 mov fs:[eax], esp 00462205 3253 lea eax, [ebp-$1004] 0046220b push eax 0046220c push edi 0046220d push $189 00462212 mov eax, [esi+$c] 00462215 call +$192f2 ($47b50c) ; Controls.TWinControl.GetHandle 0046221a push eax 0046221b call -$5a5b8 ($407c68) ; Windows.SendMessage 00462220 mov ebx, eax 00462222 3254 test ebx, ebx 00462224 jge loc_462245 00462226 lea edx, [ebp-$1008] 0046222c mov eax, [$637a30] 00462231 call -$5c24a ($405fec) ; System.LoadResString 00462236 mov edx, [ebp-$1008] 0046223c mov ecx, edi 0046223e mov eax, esi 00462240 > call -$4d3fd ($414e48) ; Classes.TStrings.Error 00462245 3255 lea edx, [ebp-$1004] 0046224b mov eax, [ebp-4] 0046224e mov ecx, ebx 00462250 call -$5e1dd ($404078) ; System.@LStrFromPCharLen 00462255 xor eax, eax 00462257 pop edx 00462258 pop ecx 00462259 pop ecx 0046225a mov fs:[eax], edx 0046225d push $462275 00462262 lea eax, [ebp-$1008] 00462268 call -$5e2d9 ($403f94) ; System.@LStrClr 0046226d ret 0046226e jmp -$5e923 ($403950) ; System.@HandleFinally 00462273 jmp loc_462262 00462275 3256 pop edi 00462276 pop esi 00462277 pop ebx 00462278 mov esp, ebp 0046227a pop ebp [...] ------ date/time : 2010-04-12 23:33 computer name : HOSTBUSTER user name : Rem0ve operating system : Windows NT New Tablet PC x64 build 7600 system language : German system up time : 6 hours 10 minutes program up time : 1 minute processors : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz physical memory : 2041/4091 MB (free/total) free disk space : (C:) 233,38 GB display mode : 1366x768, 32 bit monitors : 1 process id : $d00 allocated memory : 49,27 MB executable : FlashFXP.exe executable hash : 370F40D4853967D56580F0699D3958DE executable size : 3068360 exec. 
date/time : 2008-02-20 10:52 version : 3.6.0.1240 madExcept version : 2.7k exception class : EStringListError exception message : List index out of bounds (0). main thread ($12bc): 00462240 FlashFXP.exe StdCtrls 3254 +2 TListBoxStrings.Get 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004b87e0 FlashFXP.exe ComCtrls 12780 +13 TCustomListView.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c5197 FlashFXP.exe ThemeMgr 1344 +18 TThemeManager.ListviewWindowProc 004c6320 FlashFXP.exe ThemeMgr 2093 +2 TThemeManager.PreListviewWindowProc 00476710 FlashFXP.exe Controls 4158 +5 TControl.Perform 00479287 FlashFXP.exe Controls 5741 +6 DoControlMsg 004797ad FlashFXP.exe Controls 5922 +1 TWinControl.WMNotify 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c5892 FlashFXP.exe ThemeMgr 1566 +57 TThemeManager.PanelWindowProc 004c6334 FlashFXP.exe ThemeMgr 2104 +2 TThemeManager.PrePanelWindowProc 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 772400e3 ntdll.dll KiUserCallbackDispatcher 7698cd7c user32.dll SendMessageW 0047bcd7 FlashFXP.exe Controls 7500 +20 DoCalcConstraints 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c5892 FlashFXP.exe ThemeMgr 1566 +57 TThemeManager.PanelWindowProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 772400e3 
ntdll.dll KiUserCallbackDispatcher 769aef3b user32.dll SendMessageA 004621d0 FlashFXP.exe StdCtrls 3245 +1 TListBoxStrings.GetCount 00414fb1 FlashFXP.exe Classes 2777 +2 TStrings.GetCommaText 005b3975 FlashFXP.exe FrmVD1 176 +10 TFrmVD.bOk2Click 00476a76 FlashFXP.exe Controls 4294 +9 TControl.Click 0046177b FlashFXP.exe StdCtrls 2869 +3 TButton.Click 00461887 FlashFXP.exe StdCtrls 2921 +1 TButton.CNCommand 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004616e7 FlashFXP.exe StdCtrls 2849 +13 TButtonControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c4ce6 FlashFXP.exe ThemeMgr 924 +61 TThemeManager.ButtonControlWindowProc 004c62e4 FlashFXP.exe ThemeMgr 2030 +2 TThemeManager.PreButtonControlWindowProc 00476710 FlashFXP.exe Controls 4158 +5 TControl.Perform 00479287 FlashFXP.exe Controls 5741 +6 DoControlMsg 0047978b FlashFXP.exe Controls 5917 +1 TWinControl.WMCommand 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c5892 FlashFXP.exe ThemeMgr 1566 +57 TThemeManager.PanelWindowProc 004c6334 FlashFXP.exe ThemeMgr 2104 +2 TThemeManager.PrePanelWindowProc 00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc 00466aac FlashFXP.exe Forms 1484 +8 StdWndProc 772400e3 ntdll.dll KiUserCallbackDispatcher 7698cd7c user32.dll SendMessageW 76997b0a user32.dll CallWindowProcA 0047920b FlashFXP.exe Controls 5720 +18 TWinControl.DefaultHandler 00476e7c FlashFXP.exe Controls 4441 +1 TControl.WMLButtonUp 004768e1 FlashFXP.exe Controls 4233 +37 TControl.WndProc 00479116 FlashFXP.exe Controls 5698 +42 TWinControl.WndProc 004616e7 FlashFXP.exe StdCtrls 2849 +13 TButtonControl.WndProc 004c449e FlashFXP.exe ThemeMgr 591 +10 TWindowProcList.DispatchMessage 004c4ce6 FlashFXP.exe ThemeMgr 924 +61 TThemeManager.ButtonControlWindowProc 
004c62e4 FlashFXP.exe ThemeMgr 2030 +2 TThemeManager.PreButtonControlWindowProc
00478da0 FlashFXP.exe Controls 5571 +3 TWinControl.MainWndProc
00466aac FlashFXP.exe Forms 1484 +8 StdWndProc
7698810d user32.dll DispatchMessageA
0046f6a3 FlashFXP.exe Forms 6898 +34 TApplication.ProcessMessage
0046f6da FlashFXP.exe Forms 6936 +1 TApplication.HandleMessage
0046f8fa FlashFXP.exe Forms 7026 +21 TApplication.Run
00624e6c FlashFXP.exe FlashFXP 671 +503 initialization
75453675 kernel32.dll BaseThreadInitThunk

thread $13a8:
77251ee6 ntdll.dll
75453675 kernel32.dll BaseThreadInitThunk

thread $660:
77251ee6 ntdll.dll
75453675 kernel32.dll BaseThreadInitThunk

thread $1420:
77251ee6 ntdll.dll
75453675 kernel32.dll BaseThreadInitThunk

thread $1554:
772500fd ntdll.dll
75453675 kernel32.dll BaseThreadInitThunk

thread $1518 (TChangeHandlerThread):
772500fd ntdll.dll
757a095c KERNELBASE.dll WaitForMultipleObjectsEx
75451628 kernel32.dll WaitForMultipleObjectsEx
7545191c kernel32.dll WaitForMultipleObjects
00507339 FlashFXP.exe UPTShellControls 4021 +11 TChangeHandlerThread.Execute
0044bcce FlashFXP.exe madExcept HookedTThreadExecute
0041b104 FlashFXP.exe Classes 6898 +1 ThreadProc
00403f38 FlashFXP.exe System ThreadWrapper
0044bc01 FlashFXP.exe madExcept CallThreadProc
0044bc43 FlashFXP.exe madExcept ThreadExceptFrame
75453675 kernel32.dll BaseThreadInitThunk
>> created by main thread ($12bc) at:
00506fff FlashFXP.exe UPTShellControls 3916 +2 TChangeHandlerThread.Create

thread $1660:
77251ee6 ntdll.dll
75453675 kernel32.dll BaseThreadInitThunk

modules: [...]

disassembling:
[...]
004621fa push $46226e ; System.@HandleFinally
004621ff push dword ptr fs:[eax]
00462202 mov fs:[eax], esp
00462205 3253 lea eax, [ebp-$1004]
0046220b push eax
0046220c push edi
0046220d push $189
00462212 mov eax, [esi+$c]
00462215 call +$192f2 ($47b50c) ; Controls.TWinControl.GetHandle
0046221a push eax
0046221b call -$5a5b8 ($407c68) ; Windows.SendMessage
00462220 mov ebx, eax
00462222 3254 test ebx, ebx
00462224 jge loc_462245
00462226 lea edx, [ebp-$1008]
0046222c mov eax, [$637a30]
00462231 call -$5c24a ($405fec) ; System.LoadResString
00462236 mov edx, [ebp-$1008]
0046223c mov ecx, edi
0046223e mov eax, esi
00462240 > call -$4d3fd ($414e48) ; Classes.TStrings.Error
00462245 3255 lea edx, [ebp-$1004]
0046224b mov eax, [ebp-4]
0046224e mov ecx, ebx
00462250 call -$5e1dd ($404078) ; System.@LStrFromPCharLen
00462255 xor eax, eax
00462257 pop edx
00462258 pop ecx
00462259 pop ecx
0046225a mov fs:[eax], edx
0046225d push $462275
00462262 lea eax, [ebp-$1008]
00462268 call -$5e2d9 ($403f94) ; System.@LStrClr
0046226d ret
0046226e jmp -$5e923 ($403950) ; System.@HandleFinally
00462273 jmp loc_462262
00462275 3256 pop edi
00462276 pop esi
00462277 pop ebx
00462278 mov esp, ebp
0046227a pop ebp
[...]

-----

Analysis Picture(s):
../Analyses/bugreport.txt
../Analyses/bugreport2.txt
../Analyses/bugreport3.txt

Picture(s):
../1.png
../2.png

Proof of Concept (PoC):
=======================
These vulnerabilities can be exploited by local attackers to crash/stop the software ...
The problem can be reproduced through the import function of FlashFXP, using a file with the .dat extension.

Example Insertion:

[Default Sites Web Browsers Opera]
IP=[String].com // <= Include Over-Sized Url on [String]
Port=21
User=anonymous
anonymous=1
Options=300333300003300110300001000
Created=38187.2293877083
Pass=
Path=/pub/opera/

References:
../PoC/Sites.dat

Reproduce the other crash ...

1. Options => File Associations
2. Add => File Mask (*.*)
3. Include over-sized String & switch down + choose the empty field which is now included hidden
4. Check on Viewing & Editing & click "Ok"
5. Feel free and get stable crashed ^^

Security Risk:
==============
A local attacker is able to crash the software with different critical software errors & exceptions.
The security risk of the vulnerability is estimated as medium.

Credits & Authors:
==================
Vulnerability Research Laboratory

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

Copyright © 2012 | Vulnerability Laboratory
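
Added example, not FlashFXP's source and not part of the original advisory: the disassembly excerpt above hands a destination at [ebp-$1004] to SendMessage with message $189, which is LB_GETTEXT in the Win32 API and carries no buffer size. The portable C model below uses constructed stand-ins (listbox_t, lb_gettext, lb_gettextlen and the get_item_* helpers are hypothetical names) to contrast that fixed-buffer shape with a length-checked one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a list-box control holding one item. */
typedef struct { const char *item; } listbox_t;

/* Models LB_GETTEXTLEN: item length without the NUL, or -1 on error. */
static long lb_gettextlen(const listbox_t *lb) {
    return lb->item ? (long)strlen(lb->item) : -1;
}

/* Models LB_GETTEXT: copies item plus NUL to dst; takes no buffer size. */
static long lb_gettext(const listbox_t *lb, char *dst) {
    if (!lb->item) return -1;
    size_t n = strlen(lb->item);
    memcpy(dst, lb->item, n + 1);
    return (long)n;
}

/* Unsafe shape: fixed 0x1000-byte stack buffer; items >= 4096 bytes overflow it. */
char *get_item_fixed(const listbox_t *lb) {
    char text[4096];
    long len = lb_gettext(lb, text);      /* length is never queried first */
    if (len < 0) return NULL;
    char *out = malloc((size_t)len + 1);
    if (out) memcpy(out, text, (size_t)len + 1);
    return out;
}

/* Hardened shape: query the length, enforce a cap, size the buffer to fit. */
char *get_item_checked(const listbox_t *lb, size_t max_len) {
    long len = lb_gettextlen(lb);
    if (len < 0 || (size_t)len > max_len) return NULL;
    char *out = malloc((size_t)len + 1);
    if (!out) return NULL;
    if (lb_gettext(lb, out) != len) { free(out); return NULL; }
    return out;
}

int main(void) {
    char big[8001];                       /* constructed over-sized item */
    memset(big, 'A', 8000); big[8000] = '\0';
    listbox_t lb = { big };
    char *ok = get_item_checked(&lb, 65535);       /* fits the cap: returned */
    char *rejected = get_item_checked(&lb, 4095);  /* over the cap: NULL */
    printf("%zu %s\n", ok ? strlen(ok) : 0, rejected ? "kept" : "rejected");
    free(ok); free(rejected);
    return 0;
}
```

get_item_fixed is only safe for items shorter than 4096 bytes, so main never calls it with the over-sized item.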