| Title | TROJAN.WIN32.GOFOT.HTX / Local File Buffer Overflow |
|---|
| Description | Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Trojan.Win32.Gofot.htx
Vulnerability: Local File Buffer Overflow
Description: HackerJLY PE Parser tool V1.0.1.8 does not properly validate the files it loads, so a malformed PE file triggers a local memory-safety fault. In the crash the low 16 bits of ECX (CX) hold 0x4141 from the 41414141 pattern (ecx=45d84141), and the faulting instruction is cmp dword ptr [ecx],4550h, the comparison against the "PE\0\0" NT signature: the parser dereferences a pointer derived from file data without first checking that it lies inside the loaded file. WinDbg's !analyze classifies the fault as INVALID_POINTER_READ (attempt to read from address 45d84141).
Type: PE32
MD5: ae062bfe4abd59ac1b9be693fbc45f60
Vuln ID: MVID-2021-0110
Dropped files:
ASLR: True
DEP: True
Safe SEH: True
Disclosure: 02/25/2021
Memory Dump:
0:000> dd cx
00004141 ???????? ???????? ???????? ????????
(1f60.100): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=45d84141 edx=0057e577 esi=00000003 edi=00000003
eip=7710ed3c esp=0057d9c8 ebp=0057db58 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
7710ed3c c21400 ret 14h
0:000> .ecxr
eax=04970001 ebx=00000000 ecx=45d84141 edx=0057e577 esi=0057e3a0 edi=0057e570
eip=00dca142 esp=0057e34c ebp=0057e34c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
*** WARNING: Unable to verify checksum for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
*** ERROR: Module load completed but symbols could not be loaded for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142:
00dca142 813950450000 cmp dword ptr [ecx],4550h ds:002b:45d84141=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for SkinH.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SkinH.dll -
FAULTING_IP:
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
00dca142 813950450000 cmp dword ptr [ecx],4550h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00dca142 (Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x0000a142)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 45d84141
Attempt to read from address 45d84141
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
OVERLAPPED_MODULE: Address regions for 'd3d10warp' and 'resourcepolicyclient.dll' overlap
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 45d84141
READ_ADDRESS: 45d84141
FOLLOWUP_IP:
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
00dca142 813950450000 cmp dword ptr [ecx],4550h
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000100
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 00dcab0f to 00dca142
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0057e34c 00dcab0f 0057e570 097c119a 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142
0057e37c 00dd0af8 046acc58 0057e577 097c1746 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xab0f
0057e5a0 00dd1d78 046acc58 097c1756 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10af8
0057e928 00df676d 00f2fe28 0057f7f0 0057e968 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x11d78
0057e938 00df697c 0057f7f0 000003e9 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3676d
0057e968 00ecb1a4 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3697c
0057e98c 00df3e09 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10b1a4
0057e9dc 00df96fe 00000000 0080072c 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x33e09
0057e9f0 00df4771 000003e9 0080072c 097c184e Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396fe
0057eaa8 00defe3e 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x34771
0057eac8 00df32bb 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe3e
0057eb3c 00df334a 0057f7f0 00d802be 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb
0057eb5c 76eee0bb 00d802be 00000111 000003e9 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a
0057eb88 76ef8849 00df3314 00d802be 00000111 user32!_InternalCallWinProc+0x2b
0057ebac 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20
0057ec7c 76ef833a 00df3314 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0057ecc0 76edf38b 00000111 000003e9 0080072c user32!CallWindowProcAorW+0xd4
0057ecd8 1002285c ffff04db 00d802be 00000111 user32!CallWindowProcA+0x1b
0057ed34 76ef8849 1001f2d0 00d802be 00000111 SkinH+0x2285c
0057ed58 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20
0057ee28 76ee8503 1001f2d0 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0057ee90 76ee8aa0 03027740 00000000 00000111 user32!DispatchClientMessage+0x1b3
0057eed8 77110bcd 0057eef4 00000020 0057f184 user32!__fnDWORD+0x50
0057ef10 73ee2a4c 76efa9fd 00d802be 00000111 ntdll!KiUserCallbackDispatcher+0x4d
0057ef14 76efa9fd 00d802be 00000111 000003e9 win32u!NtUserMessageCall+0xc
0057ef80 76edb95b 03027740 00000000 0080072c user32!SendMessageWorker+0x860
0057efa8 73836934 00d802be 00000111 000003e9 user32!SendMessageW+0x5b
0057efc8 738368f9 007286c0 00000202 00000000 comctl32!Button_NotifyParent+0x39
0057efe0 7384c14b 7384b890 0080072c 00000000 comctl32!Button_ReleaseCapture+0x9b
0057f074 76eee0bb 0080072c 00000202 00000000 comctl32!Button_WndProc+0x8bb
0057f0a0 76ef8849 7384b890 0080072c 00000202 user32!_InternalCallWinProc+0x2b
0057f0c4 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f194 76ef833a 7384b890 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f1d8 76edfbab 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4
0057f1f0 73a676f5 7384b890 0080072c 00000202 user32!CallWindowProcW+0x1b
0057f214 00defcc9 7384b890 0080072c 00000202 apphelp!DWM8AND16BitHook_CallWindowProcW+0x35
0057f234 00defe55 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fcc9
0057f250 00df32bb 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe55
0057f2c4 00df334a 0057f924 0080072c 00000202 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb
0057f2e4 76eee0bb 0080072c 00000202 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a
0057f310 76ef8849 00df3314 0080072c 00000202 user32!_InternalCallWinProc+0x2b
0057f334 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f404 76ef833a 00df3314 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f44c 76edf38b 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4
0057f464 10007514 ffff039b 0080072c 00000202 user32!CallWindowProcA+0x1b
0057f4d8 76ef8849 10011fd0 0080072c 00000202 SkinH+0x7514
0057f4fc 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f5cc 76ee90dc 10011fd0 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f638 76edb2ee 006f0588 00000000 00000100 user32!DispatchMessageWorker+0x4ac
0057f66c 00e0a996 00d802be 006f0588 097c0426 user32!IsDialogMessageW+0x17e
0057f6c0 00df5c7c 0057f7f0 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x4a996
0057f6d4 00df0cb5 006f0588 0057f6f4 00dee82c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x35c7c
0057f6e0 00dee82c 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x30cb5
0057f6f4 00df96b9 006f0588 00d802be 0057f718 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2e82c
0057f704 00df289a 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396b9
0057f718 00df7765 00d802be 006f0588 006f0558 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3289a
0057f730 00df78bf 006f0588 0057f748 00df77b0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x37765
0057f73c 00df77b0 006f0588 0057f780 00df790c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x378bf
0057f748 00df790c 006f0588 00000000 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x377b0
0057f780 00deeed5 00000004 097c052a 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3790c
0057f7cc 00dcf1f9 097c053e 00f61b48 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2eed5
0057fb44 00e20c1d 00fc7b10 00000000 00353000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xf1f9
0057fb58 00dd59c4 00dc0000 00000000 006e1eb8 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x60c1d
0057fbe8 76198654 00353000 76198630 1507c2ff Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x159c4
0057fbfc 77104a77 00353000 1fe72005 00000000 kernel32!BaseThreadInitThunk+0x24
0057fc44 77104a47 ffffffff 77129ece 00000000 ntdll!__RtlUserThrea |
|---|
| Source | https://www.malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt |
|---|
| User | malvuln (UID 14984) |
|---|
| Submission | 2021-02-25 23:33 (5 years ago) |
|---|
| Moderation | 2021-02-26 08:14 (9 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 170429 [Trojan.Win32.Gofot.htx SkinH.dll buffer overflow] |
|---|
| Points | 20 |
|---|
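The faulting instruction in the dump, cmp dword ptr [ecx],4550h, is the check for the "PE\0\0" NT signature, and the low word of ECX holds 0x4141 from the fuzzing pattern, so the pointer being compared was taken from the file without a bounds check. The following is an added example, not the advisory's code nor anything from the HackerJLY tool, showing the check a PE header parser needs before that compare. The advisory does not say which header field produced the pointer; the example assumes the usual case, e_lfanew from the DOS header, and the function names pe_locate_nt_header, build_image and check_constructed, the 256-byte test image and the sample e_lfanew values are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants as defined in winnt.h, spelled out so this file builds anywhere. */
#define IMAGE_DOS_SIGNATURE  0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE   0x00004550u  /* "PE\0\0": the value in cmp dword ptr [ecx],4550h */
#define DOS_HEADER_SIZE      0x40u        /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET      0x3Cu        /* offsetof(IMAGE_DOS_HEADER, e_lfanew) */
#define NT_HEADER_MIN_SIZE   (4u + 20u)   /* Signature + IMAGE_FILE_HEADER */

enum pe_status {
    PE_OK = 0,
    PE_ERR_SHORT,       /* buffer smaller than a DOS header */
    PE_ERR_NO_MZ,       /* first two bytes are not "MZ" */
    PE_ERR_LFANEW_OOB,  /* e_lfanew does not leave room for the NT headers */
    PE_ERR_NO_PE        /* bytes at e_lfanew are not "PE\0\0" */
};

/* Little-endian readers; callers guarantee the bytes are inside the buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Locate the NT headers of a file image held entirely in memory. Every read
 * is checked against len before it happens; the crash on the page is what
 * happens when the pointer handed to the "PE\0\0" compare comes straight
 * from file data. On success *nt_off receives the offset of the NT signature.
 */
enum pe_status pe_locate_nt_header(const uint8_t *buf, size_t len, uint32_t *nt_off)
{
    if (buf == NULL || len < DOS_HEADER_SIZE)
        return PE_ERR_SHORT;
    if (rd16(buf) != IMAGE_DOS_SIGNATURE)
        return PE_ERR_NO_MZ;

    uint32_t lfanew = rd32(buf + E_LFANEW_OFFSET);
    /* Compare by subtraction: lfanew + NT_HEADER_MIN_SIZE could wrap around. */
    if (lfanew > len || len - lfanew < NT_HEADER_MIN_SIZE)
        return PE_ERR_LFANEW_OOB;
    if (rd32(buf + lfanew) != IMAGE_NT_SIGNATURE)
        return PE_ERR_NO_PE;

    if (nt_off != NULL)
        *nt_off = lfanew;
    return PE_OK;
}

/*
 * Constructed test image (not a real binary): a 256-byte buffer with "MZ",
 * the requested e_lfanew, and optionally a "PE\0\0" stub at that offset.
 * With e_lfanew = 0x4141 the stub cannot be placed, mirroring the advisory's
 * 0x4141 in CX pointing far outside a small file.
 */
#define IMAGE_LEN 0x100u

static void build_image(uint8_t *out, uint32_t lfanew, int with_pe)
{
    memset(out, 0, IMAGE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[E_LFANEW_OFFSET + 0] = (uint8_t)(lfanew);
    out[E_LFANEW_OFFSET + 1] = (uint8_t)(lfanew >> 8);
    out[E_LFANEW_OFFSET + 2] = (uint8_t)(lfanew >> 16);
    out[E_LFANEW_OFFSET + 3] = (uint8_t)(lfanew >> 24);
    if (with_pe && lfanew <= IMAGE_LEN - NT_HEADER_MIN_SIZE) {
        out[lfanew] = 'P'; out[lfanew + 1] = 'E';  /* the two trailing bytes stay 0 */
    }
}

/* Build one image and run the check; returns the status so a harness can assert on it. */
enum pe_status check_constructed(uint32_t lfanew, int with_pe)
{
    uint8_t img[IMAGE_LEN];
    uint32_t off = 0;
    build_image(img, lfanew, with_pe);
    return pe_locate_nt_header(img, IMAGE_LEN, &off);
}

int main(void)
{
    printf("well-formed   : %d\n", check_constructed(0x80, 1));   /* PE_OK */
    printf("lfanew=0x4141 : %d\n", check_constructed(0x4141, 1)); /* PE_ERR_LFANEW_OOB */
    printf("no PE sig     : %d\n", check_constructed(0x80, 0));   /* PE_ERR_NO_PE */
    printf("lfanew=0xF0   : %d\n", check_constructed(0xF0, 1));   /* PE_ERR_LFANEW_OOB: only 16 bytes left */
    return 0;
}
```

The subtraction form of the bounds test matters: with a 32-bit e_lfanew, writing lfanew + NT_HEADER_MIN_SIZE <= len lets a value near 0xFFFFFFFF wrap to a small number and pass. The same pattern (check that offset and size fit inside len before touching buf + offset) applies to every later file-derived offset a PE parser follows, such as section table entries and data directory RVAs.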