| عنوان | TROJAN.WIN32.SHARER.H / Known Vulnerable Component - Heap Corruption |
|---|
| الوصف | Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/9f80c3b1e7f5f6f7d0c8aea25fe83551_C.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Trojan.Win32.Sharer.h
Vulnerability: Known Vulnerable Component - Heap Corruption
Description: Sharer.h by GOLDSWORD - www.daokers.cn can run several types of services, one is a third-party component named "HFS HTTP File Server" that listens on TCP port 80. The HFS server seems to be a pirated version of the original by www.rejetto.com as the properties of the executable read "Copyright DAOKERS.CN" This can be confirmed by running the EXE against strings util where we find "Http File Server - www.rejetto.com/hfs" value or simply using the menu about feature when running. This file server has a known remote buffer overflow vulnerability CVE-2020-13432 which I myself discovered (hyp3rlinx) last year that targeted v2.3m. However, after testing this version of the server it is also vulnerable to a remote heap corruption by sending specially crafted packets to the infected host. Running the malware you may get missing "picclp32.ocx" error just run it again and it should work.
Type: PE32
MD5: 9f80c3b1e7f5f6f7d0c8aea25fe83551
Vuln ID: MVID-2021-0160
Dropped files: hfs.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 04/03/2021
Memory Dump:
(25f8.38a4): Access violation - code c0000005 (first/second chance not available)
eax=000a24b4 ebx=000a1150 ecx=028e0000 edx=00000002 esi=028e0000 edi=00000800
eip=770e2a0e esp=000a0f50 ebp=000a1100 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
ntdll!RtlpAllocateHeap+0x1e:
770e2a0e 53 push ebx
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for hfs.exe
*** ERROR: Module load completed but symbols could not be loaded for hfs.exe
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
ntdll!RtlpAllocateHeap+1e
770e2a0e 53 push ebx
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 770e2a0e (ntdll!RtlpAllocateHeap+0x0000001e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 000a0f4c
Attempt to write to address 000a0f4c
PROCESS_NAME: hfs.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 000a0f4c
WRITE_ADDRESS: 000a0f4c
FOLLOWUP_IP:
ntdll!RtlpAllocateHeap+1e
770e2a0e 53 push ebx
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer
FAULTING_THREAD: 000038a4
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_EXPLOITABLE
LAST_CONTROL_TRANSFER: from 770e16b7 to 770e2a0e
STACK_TEXT:
000a1100 770e16b7 00000800 00000808 028e9050 ntdll!RtlpAllocateHeap+0x1e
000a1150 770e13ee 00000000 00000000 02997398 ntdll!RtlpAllocateHeapInternal+0x2b7
000a1168 7630190d 028e0000 00000000 00000800 ntdll!RtlAllocateHeap+0x3e
000a1180 7630110d 00000800 02997398 00000000 gdi32full!UspAllocCache+0x2d
000a11b0 76300f53 00000000 02997328 0401385b gdi32full!InitializeMetricBlock+0x4a
000a14d8 76300e89 00000000 00000040 00000024 gdi32full!LoadGlyphMetricsWithGetCharABCWidthsI+0x70
000a14f8 763001c4 00000024 00000001 000a1708 gdi32full!LoadGlyphMetrics+0x73
000a152c 762fcea3 0290d52c 00000006 0290d5c8 gdi32full!GetGlyphAdvanceWidths+0xd4
000a1558 762f9911 000a16e8 0290d52c 00000006 gdi32full!CUspShapingFont::GetGlyphDefaultAdvanceWidths+0x23
000a1644 762f9348 000a16f0 00000000 00000000 gdi32full!ShapingGetGlyphPositions+0x1e1
000a1788 762f6cb9 0401385b 0290d294 0290d52c gdi32full!ShlPlaceOT+0x218
000a1820 762f6596 00000000 000a18d0 0290d170 gdi32full!RenderItemNoFallback+0x409
000a1860 762f6448 00000000 000a18d0 00000000 gdi32full!RenderItemWithFallback+0x126
000a1888 762f61de 00000000 000a18d0 0290d270 gdi32full!RenderItem+0x28
000a18e0 762f3f84 0401385b 01800009 000010a2 gdi32full!ScriptStringAnalyzeGlyphs+0x1be
000a1d44 762f1596 0401385b 04b57f78 00000006 gdi32full!ScriptStringAnalyse+0x734
000a1efc 762f0db0 762f0d80 762f0d80 00000030 gdi32full!LpkCharsetDraw+0x626
000a1f28 76f36844 0401385b 00000000 00000000 gdi32full!LpkDrawTextEx+0x30
000a1f8c 76f36b38 00000000 04b57f78 00000006 user32!DT_DrawStr+0x72
000a1fec 76edd8fb 00000058 00002e50 000a2034 user32!DT_GetLineBreak+0xa2
000a20a4 76f214cd ffffffff 000a20f4 00002e50 user32!DrawTextExWorker+0x32b
000a2120 76f400be 02cf3490 00000000 00000032 user32!MB_CalcDialogSize+0x10c
000a2204 73ee39ec 000a2370 76f22093 000a2388 user32!SoftModalMessageBox+0x3ae
000a220c 76f22093 000a2388 04b57f78 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
000a2450 6b0bf698 000218b0 0437c930 043bede8 user32!MessageBoxWorker+0x29a
000a2474 6b0c033c 000218b0 0437c930 043bede8 apphelp!MbHook_MessageBoxA+0x38
000a249c 00489f7b 000218b0 0437c930 043bede8 apphelp!SrHook_MessageBoxA+0x3c
WARNING: Stack unwind information not available. Following frames may be wrong.
000a2520 0048a093 00000010 000a42d4 0048a0b4 hfs+0x89f7b
000a2648 004bf174 004bf184 00000020 ffffffff hfs+0x8a093
000a2668 00489e49 0046b7b1 04292190 0438f460 hfs+0xbf174
000a267c 0046b7c0 00000000 6aa8ad67 043b26b0 hfs+0x89e49
000a42f4 00429f36 000000c2 00000000 043b2640 hfs+0x6b7c0
000a430c 76eee0bb 00031b30 000000c2 00000000 hfs+0x29f36
000a4338 76ef8849 02730e83 00031b30 000000c2 user32!_InternalCallWinProc+0x2b
000a435c 76efb145 000000c2 00000000 043b2640 user32!InternalCallWinProc+0x20
000a442c 76efa89c 02730e83 00000000 000000c2 user32!UserCallWinProcCheckWow+0x1be
000a4498 76edab54 02f9dee0 00000000 043b2640 user32!SendMessageWorker+0x6ff
000a44b8 00442016 00031b30 000000c2 00000000 user32!SendMessageA+0x54
000a44d8 00519853 000a4568 00519920 000a455c hfs+0x42016
000a455c 0051aa64 00000000 000a4618 0051ae77 hfs+0x119853
000a460c 0051d400 000a4660 000a467c 0051d41c hfs+0x11aa64
000a4660 004eda33 066cf540 000a4674 004ef995 hfs+0x11d400
000a466c 004ef995 000a46bc 004eee5e 000a46c4 hfs+0xeda33
000a4674 004eee5e 000a46c4 004ef0c2 000a46bc hfs+0xef995
000a46bc 004ef20c 000a46f4 004ef222 000a46dc hfs+0xeee5e
000a46dc 004c7c16 0671db40 0671db40 000a472c hfs+0xef20c
000a46ec 004c9680 000a476c 004c9cdb 000a472c hfs+0xc7c16
000a472c 004ca581 00000401 000a4c38 0671db01 hfs+0xc9680
000a4764 004c4727 000a4ba8 004c47d2 000a4b90 hfs+0xca581
000a4b90 004c4873 000a4c38 0671db40 000a4be8 hfs+0xc4727
000a4ba0 004c4b61 000a4bf0 004c4beb 000a4be8 hfs+0xc4873
000a4be8 004c364e 000a4d58 004c36e5 000a4c0c hfs+0xc4b61
000a4c0c 004ca0e0 00000401 009107b8 0671db40 hfs+0xc364e
000a4c24 004c3784 004c3730 009107b8 00000000 hfs+0xca0e0
000a4c48 76eee0bb 009107b8 00000401 00000388 hfs+0xc3784
000a4c74 76ef8849 004c3730 009107b8 00000401 user32!_InternalCallWinProc+0x2b
000a4c98 76efb145 00000401 00000388 00000001 user32!InternalCallWinProc+0x20
000a4d68 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a4dd4 76ee38c0 000a4df8 00489a13 000a4e00 user32!DispatchMessageWorker+0x4ac
000a4ddc 00489a13 000a4e00 0437c990 01000001 user32!DispatchMessageA+0x10
000a4df8 00489a3c 009107b8 00000401 00000388 hfs+0x89a13
000a4e20 0051150d 042e8b70 000a4fc0 00511ebc hfs+0x89a3c
000a4e2c 00511ebc 000a5018 000a4fcc 00512089 hfs+0x11150d
000a4fc0 00512255 000a5018 000a4fd8 00512281 hfs+0x111ebc
000a5018 00516989 00000000 00000001 ffffffff hfs+0x112255
000a5234 0051c787 000a5274 043b3510 000a52c4 hfs+0x116989
000a52b8 0051cf7a 000a530c 000a5328 0051d41c hfs+0x11c787
000a530c 004eda33 066cdd80 000a5320 004ef995 hfs+0x11cf7a
000a5318 004ef995 000a5368 004eee5e 000a5370 hfs+0xeda33
000a5320 004eee5e 000a5370 004ef0c2 000a5368 hfs+0xef995
000a5368 004ef20c 000a53a0 004ef222 000a5388 hfs+0xeee5e
000a5388 004c7c16 0671f070 0671f070 000a53d8 hfs+0xef20c
000a5398 004c9680 000a5418 004c9cdb 000a53d8 hfs+0xc7c16
000a53d8 004ca581 00000401 000a58e4 0671f001 hfs+0xc9680
000a5410 004c4727 000a5854 004c47d2 000a583c hfs+0xca581
000a583c 004c4873 000a58e4 0671f070 000a5894 hfs+0xc4727
000a584c 004c4b61 000a589c 004c4beb 000a5894 hfs+0xc4873
000a5894 004c364e 000a5a04 004c36e5 000a58b8 hfs+0xc4b61
000a58b8 004ca0e0 00000401 00c31614 0671f070 hfs+0xc364e
000a58d0 004c3784 004c3730 00c31614 00000000 hfs+0xca0e0
000a58f4 76eee0bb 00c31614 00000401 00000388 hfs+0xc3784
000a5920 76ef8849 004c3730 00c31614 00000401 user32!_InternalCallWinProc+0x2b
000a5944 76efb145 00000401 00000388 00000001 user32!InternalCallWinProc+0x20
000a5a14 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a5a80 76ee38c0 000a5aa4 00489a13 000a5aac user32!DispatchMessageWorker+0x4ac
000a5a88 00489a13 000a5aac 0437c990 01000001 user32!DispatchMessageA+0x10
000a5aa4 00489a3c 00c31614 00000401 00000388 hfs+0x89a13
000a5acc 0051150d 042e6e60 000a5c6c 00511ebc hfs+0x89a3c
000a5ad8 00511ebc 000a5cc4 000a5c78 00512089 hfs+0x11150d
000a5c6c 00512255 000a5cc4 000a5c84 00512281 hfs+0x111ebc
000a5cc4 00516989 00000000 00000001 ffffffff hfs+0x112255
000a5ee0 0051c787 000a5f20 043b3510 000a5f70 hfs+0x116989
000a5f64 0051cf7a 0 |
|---|
| المصدر | ⚠️ https://www.malvuln.com/advisory/9f80c3b1e7f5f6f7d0c8aea25fe83551_C.txt |
|---|
| المستخدم | malvuln (UID 14984) |
|---|
| ارسال | 08/04/2021 02:54 AM (5 سنوات منذ) |
|---|
| الاعتدال | 08/04/2021 07:50 AM (5 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 172595 [Trojan.Win32.Sharer.h HFS HTTP File Server تلف الذاكرة] |
|---|
| النقاط | 20 |
|---|