[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAHK0WTAONpi0tooMJCh-J+h9eH=dq=yFraO8EMW-R5xp_6oVw@mail.gmail.com>
Date: Tue, 2 Mar 2021 15:50:14 -0500
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Backdoor.Win32.BO2K.ab / Local File Buffer Overflow
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/ca4e5a6ff033b62fa59de5a5dd24c7f9.txt
Contact: malvuln13@...il.com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.BO2K.ab
Vulnerability: Local File Buffer Overflow
Description: PsyConf - Program configuration tool doesnt properly check the
executables it parses. Loading a specially crafted file triggers a buffer
overflow overwriting ECX register etc.
Type: PE32
MD5: ca4e5a6ff033b62fa59de5a5dd24c7f9
Vuln ID: MVID-2021-0119
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 03/02/2021
Memory Dump:
(414.e80): Unknown exception - code c000041d (first/second chance not
available)
eax=001c0000 ebx=023655c0 ecx=41414141 edx=00000000 esi=0019fe0c
edi=74de3cf0
eip=00401e17 esp=0019f3c0 ebp=0019f604 iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010206
*** WARNING: Unable to verify checksum for
Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe
*** ERROR: Module load completed but symbols could not be loaded for
Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1e17:
00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h]
ds:002b:415d4191=????????
0:000> !analyze -v
*******************************************************************************
*
*
* Exception Analysis
*
*
*
*******************************************************************************
FAULTING_IP:
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17
00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00401e17
(Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x00001e17)
ExceptionCode: c000041d
ExceptionFlags: 00000001
NumberParameters: 0
PROCESS_NAME: Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe
ERROR_CODE: (NTSTATUS) 0xc000041d - An unhandled exception was encountered
during a user callback.
EXCEPTION_CODE: (NTSTATUS) 0xc000041d - An unhandled exception was
encountered during a user callback.
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000e80
BUGCHECK_STR: APPLICATION_FAULT_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 0040ff6f to 00401e17
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
0019f604 0040ff6f 0019fe0c 000003e8 00000000
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1e17
0019f634 004103af 000003e8 00000000 00000000
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0xff6f
0019f658 00412819 000003e8 00000000 00000000
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x103af
0019f6a8 00412258 00000000 000a07fe 0019fe0c
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x12819
0019f724 0041220a 00000111 000003e8 000a07fe
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x12258
0019f744 00411325 00000111 000003e8 000a07fe
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1220a
0019f7a4 0041152d 00000000 001307ba 00000111
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x11325
0019f7c0 761147ab 001307ba 00000111 000003e8
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1152d
0019f7ec 760f52ac 00411502 001307ba 00000111
user32!_InternalCallWinProc+0x2b
0019f8d0 760f4e4a 00411502 00000000 00000111
user32!UserCallWinProcCheckWow+0x3ac
0019f934 760fe4cf 00c8edc0 00000000 00000111
user32!DispatchClientMessage+0xea
0019f970 770e537d 0019f98c 00000020 0019fc5c user32!__fnDWORD+0x3f
0019f9a8 76052c0c 760f4c18 001307ba 00000111
ntdll!KiUserCallbackDispatcher+0x4d
0019f9ac 760f4c18 001307ba 00000111 000003e8 win32u!NtUserMessageCall+0xc
0019fa10 760f4723 00c8edc0 00000000 000a07fe user32!SendMessageWorker+0x3b8
0019fa44 761303ee 001307ba 00000111 000003e8 user32!SendMessageW+0x123
0019fa68 761300f3 00ca0690 00000000 00000000
user32!xxxButtonNotifyParent+0x54
0019fa90 7612f5f8 004ed7f0 00000000 00ca0690
user32!xxxBNReleaseCapture+0x141
0019fb30 7612ea92 00ca0690 00000000 00000202
user32!ButtonWndProcWorker+0xad8
0019fb5c 761147ab 000a07fe 00000202 00000000 user32!ButtonWndProcA+0x52
0019fb88 760f52ac 7612ea40 000a07fe 00000202
user32!_InternalCallWinProc+0x2b
0019fc6c 760f43fe 7083c410 00007ffb 00000202
user32!UserCallWinProcCheckWow+0x3ac
0019fce0 760f8401 00000000 004205e8 004205e0
user32!DispatchMessageWorker+0x20e
0019fd14 76110d5e 001307ba 004205e0 004205e0 user32!IsDialogMessageW+0x101
0019fd40 00413a80 001307ba 004205e0 0019fe0c user32!IsDialogMessageA+0x4e
004205e0 00000000 00000000 00140028 4a60bbbc
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x13a80
FOLLOWUP_IP:
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17
00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9
IMAGE_NAME: Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 396c698b
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt
ntdll!LdrpFailureData ; ~0s; .ecxr ; kb
FAILURE_BUCKET_ID:
FILL_PATTERN_41414141_c000041d_Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe!Unknown
BUCKET_ID:
APPLICATION_FAULT_FILL_PATTERN_41414141_Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17
Exploit/PoC:
python -c "print( 'MZ'+'A'*72000)" > dirty0tis.exe
Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists