Enviar #13709: Backdoor.Win32.Whirlpool.a / Remote Buffer Overflow - UDP Datagraminformación

TítuloBackdoor.Win32.Whirlpool.a / Remote Buffer Overflow - UDP Datagram
DescripciónDiscovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/90171763d1cc62102b08482bac54ea8b.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Whirlpool.a Vulnerability: Remote Buffer Overflow - UDP Datagram Description: The malware listens on UDP Datagram ports 8848 and 8864. Sending a 192 byte payload to port 8864 triggers a classic stack buffer overflow overwriting ECX, EIP registers. This can allow third party attackers to further compromise already infected systems. Type: PE32 MD5: 90171763d1cc62102b08482bac54ea8b Vuln ID: MVID-2021-0232 ASLR: False DEP: False Safe SEH: True Disclosure: 05/30/2021 Memory Dump: (7a4.1b98): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000 eip=41414141 esp=000a13f8 ebp=000a1418 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.Whirlpool.a.90171763d1cc62102b08482bac54ea8b.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Whirlpool.a.90171763d1cc62102b08482bac54ea8b.exe FAULTING_IP: Backdoor_Win32_Whirlpool_a_90171763d1cc62102b08482bac54ea8b+28ff 004028ff f3a5 rep movs dword ptr es:[edi],dword ptr [esi] EXCEPTION_RECORD: 0019f788 -- (.exr 0x19f788) ExceptionAddress: 004028ff (Backdoor_Win32_Whirlpool_a_90171763d1cc62102b08482bac54ea8b+0x000028ff) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: Backdoor.Win32.Whirlpool.a.90171763d1cc62102b08482bac54ea8b.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: Backdoor_Win32_Whirlpool_a_90171763d1cc62102b08482bac54ea8b+28ff 004028ff f3a5 rep movs dword ptr es:[edi],dword ptr [esi] FAILED_INSTRUCTION_ADDRESS: +28ff 41414141 ?? ??? MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 IP_ON_HEAP: 41414141 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 CONTEXT: 0019f7d8 -- (.cxr 0x19f7d8) eax=000003cc ebx=041d29b8 ecx=00000013 edx=0019fc80 esi=041d2d68 edi=001a0000 eip=004028ff esp=0019fc38 ebp=0019fc48 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 Backdoor_Win32_Whirlpool_a_90171763d1cc62102b08482bac54ea8b+0x28ff: 004028ff f3a5 rep movs dword ptr es:[edi],dword ptr [esi] Resetting default scope FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 0048f6cd to 004028ff STACK_TEXT: 0019fc38 004028ff backdoor_win32_whirlpool_a+0x28ff 0019fc50 0048f6cd backdoor_win32_whirlpool_a+0x8f6cd 0019fcf8 41414141 unknown!printable+0x0 0019fcfc 41414141 unknown!printable+0x0 0019fd00 41414141 unknown!printable+0x0 0019fd04 41414141 unknown!printable+0x0 0019fd08 41414141 unknown!printable+0x0 0019fd0c 41414141 unknown!printable+0x0 0019fd10 41414141 unknown!printable+0x0 0019fd14 41414141 unknown!printable+0x0 0019fd18 41414141 unknown!printable+0x0 0019fd1c 41414141 unknown!printable+0x0 0019fd20 41414141 unknown!printable+0x0 0019fd24 41414141 unknown!printable+0x0 0019fd28 41414141 unknown!printable+0x0 0019fd2c 41414141 unknown!printable+0x0 0019fd30 41414141 unknown!printable+0x0 0019fd34 41414141 unknown!printable+0x0 0019fd38 41414141 unknown!printable+0x0 0019fd3c 41414141 unknown!printable+0x0 0019fd40 41414141 unknown!printable+0x0 0019fd44 41414141 unknown!printable+0x0 0019fd48 41414141 unknown!printable+0x0 0019fd4c 41414141 unknown!printable+0x0 0019fd50 41414141 unknown!printable+0x0 0019fd54 41414141 unknown!printable+0x0 0019fd58 41414141 unknown!printable+0x0 0019fd5c 41414141 unknown!printable+0x0 0019fd60 41414141 unknown!printable+0x0 0019fd64 41414141 unknown!printable+0x0 0019fd68 41414141 unknown!printable+0x0 0019fd6c 41414141 unknown!printable+0x0 0019fd70 41414141 unknown!printable+0x0 0019fd74 41414141 unknown!printable+0x0 0019fd78 41414141 unknown!printable+0x0 0019fd7c 41414141 unknown!printable+0x0 0019fd80 41414141 unknown!printable+0x0 0019fd84 41414141 unknown!printable+0x0 0019fd88 41414141 unknown!printable+0x0 0019fd8c 41414141 unknown!printable+0x0 0019fd90 41414141 unknown!printable+0x0 0019fd94 41414141 unknown!printable+0x0 0019fd98 41414141 unknown!printable+0x0 0019fd9c 41414141 unknown!printable+0x0 0019fda0 41414141 unknown!printable+0x0 0019fda4 41414141 unknown!printable+0x0 0019fda8 41414141 unknown!printable+0x0 0019fdac 41414141 unknown!printable+0x0 0019fdb0 41414141 unknown!printable+0x0 0019fdb4 41414141 unknown!printable+0x0 0019fdb8 41414141 unknown!printable+0x0 0019fdbc 41414141 unknown!printable+0x0 0019fdc0 41414141 unknown!printable+0x0 0019fdc4 41414141 unknown!printable+0x0 0019fdc8 41414141 unknown!printable+0x0 0019fdcc 41414141 unknown!printable+0x0 0019fdd0 41414141 unknown!printable+0x0 0019fdd4 41414141 unknown!printable+0x0 0019fdd8 41414141 unknown!printable+0x0 0019fddc 41414141 unknown!printable+0x0 0019fde0 41414141 unknown!printable+0x0 0019fde4 41414141 unknown!printable+0x0 0019fde8 41414141 unknown!printable+0x0 0019fdec 41414141 unknown!printable+0x0 0019fdf0 41414141 unknown!printable+0x0 0019fdf4 41414141 unknown!printable+0x0 0019fdf8 41414141 unknown!printable+0x0 0019fdfc 41414141 unknown!printable+0x0 0019fe00 41414141 unknown!printable+0x0 0019fe04 41414141 unknown!printable+0x0 0019fe08 41414141 unknown!printable+0x0 0019fe0c 41414141 unknown!printable+0x0 0019fe10 41414141 unknown!printable+0x0 0019fe14 41414141 unknown!printable+0x0 0019fe18 41414141 unknown!printable+0x0 0019fe1c 41414141 unknown!printable+0x0 0019fe20 41414141 unknown!printable+0x0 0019fe24 41414141 unknown!printable+0x0 0019fe28 41414141 unknown!printable+0x0 0019fe2c 41414141 unknown!printable+0x0 0019fe30 41414141 unknown!printable+0x0 0019fe34 41414141 unknown!printable+0x0 0019fe38 41414141 unknown!printable+0x0 0019fe3c 41414141 unknown!printable+0x0 0019fe40 41414141 unknown!printable+0x0 0019fe44 41414141 unknown!printable+0x0 0019fe48 41414141 unknown!printable+0x0 0019fe4c 41414141 unknown!printable+0x0 0019fe50 41414141 unknown!printable+0x0 0019fe54 41414141 unknown!printable+0x0 0019fe58 41414141 unknown!printable+0x0 0019fe5c 41414141 unknown!printable+0x0 0019fe60 41414141 unknown!printable+0x0 0019fe64 41414141 unknown!printable+0x0 0019fe68 41414141 unknown!printable+0x0 0019fe6c 41414141 unknown!printable+0x0 0019fe70 41414141 unknown!printable+0x0 0019fe74 41414141 unknown!printable+0x0 0019fe78 41414141 unknown!printable+0x0 0019fe7c 41414141 unknown!printable+0x0 0019fe80 41414141 unknown!printable+0x0 0019fe84 41414141 unknown!printable+0x0 0019fe88 41414141 unknown!printable+0x0 0019fe8c 41414141 unknown!printable+0x0 0019fe90 41414141 unknown!printable+0x0 0019fe94 41414141 unknown!printable+0x0 0019fe98 41414141 unknown!printable+0x0 0019fe9c 41414141 unknown!printable+0x0 0019fea0 41414141 unknown!printable+0x0 0019fea4 41414141 unknown!printable+0x0 0019fea8 41414141 unknown!printable+0x0 0019feac 41414141 unknown!printable+0x0 0019feb0 41414141 unknown!printable+0x0 0019feb4 41414141 unknown!printable+0x0 0019feb8 41414141 unknown!printable+0x0 0019febc 41414141 unknown!printable+0x0 0019fec0 41414141 unknown!printable+0x0 0019fec4 41414141 unknown!printable+0x0 0019fec8 41414141 unknown!printable+0x0 0019fecc 41414141 unknown!printable+0x0 0019fed0 41414141 unknown!printable+0x0 0019fed4 41414141 unknown!printable+0x0 0019fed8 41414141 unknown!printable+0x0 0019fedc 41414141 unknown!printable+0x0 0019fee0 41414141 unknown!printable+0x0 0019fee4 41414141 unknown!printable+0x0 0019fee8 41414141 unknown!printable+0x0 0019feec 41414141 unknown!printable+0x0 0019fef0 41414141 unknown!printable+0x0 0019fef4 41414141 unknown!printable+0x0 0019fef8 41414141 unknown!printable+0x0 0019fefc 41414141 unknown!printable+0x0 0019ff00 41414141 unknown!printable+0x0 0019ff04 41414141 unknown!printable+0x0 0019ff08 41414141 unknown!printable+0x0 0019ff0c 41414141 unknown!printable+0x0 0019ff10 41414141 unknown!printable+0x0 0019ff14 41414141 unknown!printable+0x0 0019ff18 41414141 unknown!printable+0x0 0019ff1c 41414141 unknown!printable+0x0 0019ff20 41414141 unknown!printable+0x0 0019ff24 41414141 unknown!printable+0x0 0019ff28 41414141 unknown!printable+0x0 0019ff2c 41414141 unknown!printable+0x0 0019ff30 41414141 unknown!printable+0x0 0019ff34 4
Fuente⚠️ https://www.malvuln.com/advisory/90171763d1cc62102b08482bac54ea8b.txt
Usuario
 malvuln (UID 14984)
Sumisión2021-05-31 02:04 (hace 5 años)
Moderación2021-05-31 16:56 (15 hours later)
EstadoAceptado
Entrada de VulDB176105 [Backdoor.Win32.Whirlpool.a Service Port 8848 desbordamiento de búfer]
Puntos20

AnteriorVisión De ConjuntoPróximo

Do you know our Splunk app?

Download it now for free!