Submission #6124: EMAIL-WORM.WIN32.AGENT.GI / Remote Stack Buffer Overflow - (UDP Datagram)

Information

Title: EMAIL-WORM.WIN32.AGENT.GI / Remote Stack Buffer Overflow - (UDP Datagram)
Description:
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/74e65773735f977185f6a09f1472ea46.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Email-Worm.Win32.Agent.gi
Vulnerability: Remote Stack Buffer Overflow - (UDP Datagram)
Description: Creates a service "Microsoft ASPI Manager" and listens on TCP ports 80, 81 and UDP 53. The service process is a dropped executable named aspimgr.exe that runs with SYSTEM integrity. Third-party attackers can send 332 bytes to UDP port 53 to overwrite the instruction pointer (EIP) and possibly gain SYSTEM privileges. The Exploit PoC uses the typical 41414141 pattern and the 52525252 "R" character for the EIP overwrite.
Type: PE32
MD5: 74e65773735f977185f6a09f1472ea46
Vuln ID: MVID-2021-0036
Dropped files: aspimgr.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/18/2021

Memory Dump:
(1a78.e44): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=52525252 edx=773e9d70 esi=00000000 edi=00000000
eip=52525252 esp=03291450 ebp=03291470 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
52525252 ?? ???
0:007> !exchain
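The bug class the advisory describes (a datagram length taken from the network and used unchecked as the copy length into a fixed-size stack buffer) modelled in C, as an added example that is not the worm's code or anything from the advisory; the 256-byte buffer, the function names and the return-first-byte "parsing" are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class, not the worm's code: the advisory only
 * says a 332-byte datagram to UDP/53 overwrites EIP, so the 256-byte request
 * buffer and the copy logic here are assumptions. */
#define REQ_BUF 256

/* Unsafe pattern (the "before"): the datagram length comes from the network
 * and is used unchecked as the copy length into a fixed-size stack buffer.
 * A datagram longer than REQ_BUF runs over the saved EBP and the return
 * address, which is how the dump ends up with eip=52525252. Kept only for
 * comparison; calling it with len > REQ_BUF is undefined behaviour. */
int handle_datagram_unsafe(const uint8_t *pkt, size_t len)
{
    uint8_t req[REQ_BUF];
    memcpy(req, pkt, len);           /* no bound on len */
    return req[0];                   /* stand-in for real request parsing */
}

/* Hardened form: validate the length against the buffer before any copy and
 * drop (and log) oversized datagrams rather than truncating them silently. */
int handle_datagram(const uint8_t *pkt, size_t len)
{
    uint8_t req[REQ_BUF];
    if (pkt == NULL || len == 0)
        return -1;                   /* nothing to parse */
    if (len > sizeof req) {
        fprintf(stderr, "dropped %zu-byte datagram (limit %zu)\n", len, sizeof req);
        return -1;
    }
    memcpy(req, pkt, len);
    return req[0];
}

/* The same rule exposed on its own, so a receive loop or packet filter can
 * apply it before the handler sees the data. */
int datagram_is_oversized(size_t len) { return len > REQ_BUF; }

int main(void)
{
    uint8_t small[64], big[332];     /* constructed inputs; 332 is the advisory's length */
    memset(small, 'A', sizeof small);
    memset(big, 'A', sizeof big);
    printf("64-byte datagram  -> %d\n", handle_datagram(small, sizeof small));
    printf("332-byte datagram -> %d\n", handle_datagram(big, sizeof big));
    return 0;
}
```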
Source: https://www.malvuln.com/advisory/74e65773735f977185f6a09f1472ea46.txt
User: malvuln (UID 14984)
Submitted: 18/01/2021 09:08 PM (5 years ago)
Moderation: 19/01/2021 07:09 AM (10 hours later)
Status: Approved
VulDB Entry: 168079 [Email-Worm.Win32.Agent.gi Microsoft ASPI Manager aspimgr.exe memory corruption]
Points: 20
