exploit-db-mirror/platforms/windows/dos/40617.txt
Offensive Security 506182d72d DB: 2016-10-22
RealPlayer 18.1.5.705 - '.QCP' Crash (PoC)
Tested on: Win7 / Win10 x64
Date: October 20th 2016
Vendor homepage: http://www.real.com
Software link: http://realplayer-download.real.com/free/windows/installer/stubinst/stub/rt1/T10EUDRP/RealTimes-RealPlayer.exe
File version (both realplay.exe and qcpfformat.dll): 18.1.5.705
Exploit author: Alwin Peppels
Found with: Peach Fuzzer
Context:
eax=00000002 ebx=00000000 ecx=0d4cb9a0 edx=00000000 esi=00000000 edi=046abd0c
eip=534013dc esp=00d7e254 ebp=00d7e254 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
qcpfformat+0x13dc:
534013dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
Call stack:
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00d7e254 53401e92 00000000 00000000 0d4cb9a0 qcpfformat+0x13dc
01 00d7e2a4 53403342 046abd0c 80004005 00000000 qcpfformat+0x1e92
02 00d7e2d8 53402d37 1d26bbf0 74617276 534018a9 qcpfformat!RMACreateInstance+0xc62
03 00d7e308 534030cb 046abd0c 00000000 74617276 qcpfformat!RMACreateInstance+0x657
04 00d7e328 533e20f0 1ee51040 00000000 00000008 qcpfformat!RMACreateInstance+0x9eb
05 00d7e348 533e1da6 00000008 00d7e370 00000005 smplfsys+0x20f0
06 00d7e374 533e3582 00d7e394 00000000 00000000 smplfsys+0x1da6
07 00d7e38c 5340349f 00000000 00000008 00000000 smplfsys+0x3582
08 00d7e3b4 533e3cd9 00d7e3d0 0d4cb9a4 0d4cb9a4 qcpfformat!RMACreateInstance+0xdbf
09 00d7e3c8 53403597 00000000 00000000 00000000 smplfsys+0x3cd9
0a 00d7e444 533e283c 1d26bbf8 0d4cb9a4 0d4cb9a0 qcpfformat!RMACreateInstance+0xeb7
0b 00d7e460 53402c51 1d26bbf0 00000005 0d4cb9a0 smplfsys+0x283c
0c 00d7e488 57a8a692 1d190950 0ce86fd8 1d26bd48 qcpfformat!RMACreateInstance+0x571
0d 00d7e4f0 57a8adfd 0d49dd78 5865cb7c 00d7e528 mametadata!SetDLLAccessPath+0x18392
0e 00d7e568 585afd7c 0d4aca0c 046a2610 5865cb7c mametadata!SetDLLAccessPath+0x18afd
0f 00d7e5ac 585af1d0 1d26c088 00d7e5fc 00000000 rpcl3260!RMAShutdown+0x2584c
10 00d7e5c0 585ae90a 00000000 1d26c088 03ecd74c rpcl3260!RMAShutdown+0x24ca0
11 00d7e5d8 57c788ba 1d26c088 00d7e5fc 03ecd74c rpcl3260!RMAShutdown+0x243da
12 00d7e608 57c38009 1d26c088 00000002 1d26c088 rpmn3260!SetDLLAccessPath+0x58b1a
13 00d7e628 585bc25e 1d26c088 1d26c088 00000000 rpmn3260!SetDLLAccessPath+0x18269
Disassembly:
qcpfformat+0x13d0:
534013d0 55 push ebp
534013d1 8bec mov ebp,esp
534013d3 83794000 cmp dword ptr [ecx+40h],0
534013d7 8b5508 mov edx,dword ptr [ebp+8]
534013da 7422 je qcpfformat+0x13fe (534013fe)
534013dc 0fb64203 movzx eax,byte ptr [edx+3]
534013e0 0fb64a02 movzx ecx,byte ptr [edx+2]
534013e4 c1e008 shl eax,8
At +13d7 EDX is loaded from [ebp+8], the function's first argument. In the crashing call that argument is NULL, so the byte read at +13dc, movzx eax,byte ptr [edx+3], dereferences address 0x00000003 and raises an access violation. The helper itself does no NULL check; the defect is that its caller hands it a NULL pointer while parsing the malformed file. As far as the trace shows this is a fixed near-NULL read with no controlled write, which is why the entry is classed as a crash PoC rather than a code-execution bug.
In the analysis below the PoC file is mapped in memory starting at 0x0b880012.
The first 'vrat' chunk tag (bytes 76 72 61 74) is read correctly from 0x0b881044: on that call the argument at [ebp+8] is a pointer into the file, and the movzx/shl/or sequence assembles the four bytes, high byte first, into 0x74617276. Note that on entry EBP happens to hold a file pointer (0x0b881040) left by the caller; after push ebp / mov ebp,esp it is just the frame pointer, and the pointer that matters is the argument slot [ebp+8].
Breakpoint 1 hit
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d0 esp=00bce58c ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d1 esp=00bce588 ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d3 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce590=0b881044
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13da esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13dc esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:0b881047=74
0:000> t
eax=00000074 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e0:
54cd13e0 0fb64a02 movzx ecx,byte ptr [edx+2] ds:002b:0b881046=61
0:000> t
eax=00000074 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e4 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e4:
54cd13e4 c1e008 shl eax,8
0:000> t
eax=00007400 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13e7:
54cd13e7 0bc1 or eax,ecx
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e9 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e9:
54cd13e9 0fb64a01 movzx ecx,byte ptr [edx+1] ds:002b:0b881045=72
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13ed esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13ed:
54cd13ed c1e008 shl eax,8
0:000> t
eax=00746100 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f0:
54cd13f0 0bc1 or eax,ecx
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f2 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f2:
54cd13f2 0fb60a movzx ecx,byte ptr [edx] ds:002b:0b881044=76
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000076 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f5 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f5:
54cd13f5 c1e008 shl eax,8
On the crashing call the argument slot [ebp+8] (ss:002b:00bce4d4) holds 0x00000000, so EDX becomes NULL and the read at +13dc faults:
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d0 esp=00bce4d0 ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d1 esp=00bce4cc ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d3 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d7 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce4d4=00000000
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13da esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13dc esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
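The following C program is an added example, not code from the advisory or from RealNetworks. It models the helper at qcpfformat+0x13d0 (a byte-by-byte tag reader over the first argument) and the crash condition shown in the trace (that argument being NULL), then shows the hardened equivalent: a chunk lookup whose NULL result is refused before any byte is read. The chunk layout follows RIFF/QCP ("RIFF", size, "QLCM", then FourCC chunks); the function names, the sample bytes and the assumption that the caller obtains the pointer from a chunk lookup are illustrative, not taken from the binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors qcpfformat+0x13dc..+0x13f5: the tag is assembled high byte first
 * from p[3], p[2], p[1], p[0]. With p == NULL the first load touches 0x3,
 * the faulting address in the advisory. */
static uint32_t read_tag_unchecked(const uint8_t *p)
{
    uint32_t v = p[3];           /* movzx eax, byte ptr [edx+3] */
    v = (v << 8) | p[2];         /* shl eax,8 ; or eax,ecx (ecx = [edx+2]) */
    v = (v << 8) | p[1];
    v = (v << 8) | p[0];
    return v;
}

/* Hardened equivalent: refuses NULL and a tag that would run past 'end'. */
static int read_tag_checked(const uint8_t *p, const uint8_t *end, uint32_t *out)
{
    if (p == NULL || end == NULL || end < p || (size_t)(end - p) < 4)
        return 0;
    *out = read_tag_unchecked(p);
    return 1;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks the chunks after the 12-byte "RIFF"<size>"QLCM" header and returns
 * the chunk whose FourCC matches, or NULL if it is absent or a declared
 * chunk size runs off the end of the buffer. (Assumed structure.) */
static const uint8_t *find_chunk(const uint8_t *buf, size_t len, const char tag[4])
{
    size_t off = 12;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "QLCM", 4) != 0)
        return NULL;
    while (off + 8 <= len) {
        uint32_t sz = le32(buf + off + 4);
        if (memcmp(buf + off, tag, 4) == 0)
            return buf + off;
        if (sz > len - off - 8)          /* declared size exceeds what is left */
            return NULL;
        off += 8 + sz + (sz & 1);        /* RIFF chunks are padded to even length */
    }
    return NULL;
}

/* The flow the trace suggests, with the missing check in place: look the
 * chunk up, then read its tag. If the lookup fails the reader gets NULL and
 * returns 0 instead of faulting at address 0x3. */
static int vrat_tag_of(const uint8_t *buf, size_t len, uint32_t *out)
{
    const uint8_t *chunk = find_chunk(buf, len, "vrat");
    return read_tag_checked(chunk, buf + len, out);
}

/* Convenience wrapper: the tag, or 0 when the file has no usable vrat chunk. */
static uint32_t vrat_tag_or_zero(const uint8_t *buf, size_t len)
{
    uint32_t tag = 0;
    return vrat_tag_of(buf, len, &tag) ? tag : 0;
}

/* Constructed sample input (not the advisory's PoC): a minimal QLCM file with
 * a truncated "fmt " chunk, a "vrat" chunk and an empty "data" chunk. */
static const uint8_t SAMPLE_QCP[] = {
    'R','I','F','F', 0x28,0,0,0, 'Q','L','C','M',
    'f','m','t',' ', 4,0,0,0,  1,0,0,0,
    'v','r','a','t', 8,0,0,0,  1,0,0,0,  0,0,0,0,
    'd','a','t','a', 0,0,0,0,
};

/* Same file with the "vrat" chunk removed: the lookup yields NULL. */
static const uint8_t SAMPLE_QCP_NO_VRAT[] = {
    'R','I','F','F', 0x18,0,0,0, 'Q','L','C','M',
    'f','m','t',' ', 4,0,0,0,  1,0,0,0,
    'd','a','t','a', 0,0,0,0,
};

/* "fmt " declares a size far beyond the buffer: the walker stops safely. */
static const uint8_t SAMPLE_QCP_BAD_SIZE[] = {
    'R','I','F','F', 0x18,0,0,0, 'Q','L','C','M',
    'f','m','t',' ', 0xf0,0xff,0xff,0xff,  1,0,0,0,
    'd','a','t','a', 0,0,0,0,
};

int main(void)
{
    printf("vrat tag: 0x%08x\n", vrat_tag_or_zero(SAMPLE_QCP, sizeof SAMPLE_QCP));
    printf("no vrat chunk: 0x%08x (reader refused NULL instead of faulting)\n",
           vrat_tag_or_zero(SAMPLE_QCP_NO_VRAT, sizeof SAMPLE_QCP_NO_VRAT));
    /* read_tag_unchecked(NULL) would reproduce the access violation at 0x3. */
    return 0;
}
```

The unchecked reader returns 0x74617276 for the bytes 'v','r','a','t', the same value the register trace above builds up in EAX; the checked path turns the NULL-argument case from a crash into an ordinary parse failure.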
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40617.zip