| Titre | TROJAN.WIN32.CAFELOM.BU / Heap Corruption |
|---|
| Description | Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/146ce177ab03b8f62a9fc6e7bbf40dc1.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Trojan.Win32.Cafelom.bu
Vulnerability: Heap Corruption
Description: This malware drops two executables DNF-II.exe and xx.exe, then looks for and loads a text-file named "GamePath.txt" under c:\ drive. Placing a corrupt text-file with long string of junk characters results in Heap Corruption of DNF-II.exe.
Type: PE32
MD5: 146ce177ab03b8f62a9fc6e7bbf40dc1
Vuln ID: MVID-2021-0080
Dropped files: DNF-II.exe, xx.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 02/08/2021
Memory Dump:
(1afc.187c): Access violation - code c0000005 (first/second chance not available)
eax=02b53f98 ebx=02b5cc28 ecx=00000000 edx=00000000 esi=02b53f90 edi=02a80000
eip=773a029d esp=0019a268 ebp=0019a3c0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll!RtlpFreeHeap+0x81d:
773a029d 8b09 mov ecx,dword ptr [ecx] ds:002b:00000000=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for DNF-II.exe
*** ERROR: Module load completed but symbols could not be loaded for DNF-II.exe
FAULTING_IP:
ntdll!RtlpFreeHeap+81d
773a029d 8b09 mov ecx,dword ptr [ecx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 773a029d (ntdll!RtlpFreeHeap+0x0000081d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000001
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
PROCESS_NAME: DNF-II.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
V0_15+218f
0709218f ebef jmp V0_15+0x2180 (07092180)
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 0000187c
BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_NULL_POINTER_READ
PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption
DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption
LAST_CONTROL_TRANSFER: from 7739fa0d to 773a029d
STACK_TEXT:
0019a3c0 7739fa0d 02b5cc28 02b5cc30 0019a448 ntdll!RtlpFreeHeap+0x81d
0019a410 73f6f0eb 02a80000 00000000 02b5cc30 ntdll!RtlFreeHeap+0x7cd
0019a42c 0709218f 02b5cc30 02b29102 0019a5b4 combase!CoTaskMemFree+0x3b [onecore\com\combase\class\memapi.cxx @ 467]
WARNING: Stack unwind information not available. Following frames may be wrong.
0019a43c 72dfd674 02b5cc30 02b59198 02b29270 V0_15+0x218f
0019a5b4 72dfd198 0000000d 00001270 00001270 urlmon!CTransaction::DispatchReport+0x4b4 [onecoreuap\inetcore\urlmon\trans\common\ctransaction.cpp @ 1974]
0019a5dc 72dded33 72ddec70 02b29288 02b29138 urlmon!CTransaction::DispatchPacket+0x42 [onecoreuap\inetcore\urlmon\trans\common\ctransaction.cpp @ 2079]
0019a5fc 72dfd0a8 00000000 02b29138 02b29288 urlmon!LegacyTransaction::OnINetCallback+0xc3 [onecoreuap\inetcore\urlmon\trans\legacy\legacytransaction.cpp @ 1137]
0019a654 72ddf136 00000000 0019a688 72ddf020 urlmon!CTransaction::EnsureINetCallback+0x39 [onecoreuap\inetcore\urlmon\trans\common\ctransaction.cpp @ 2213]
0019a670 6dd7d8a7 02b29138 00000000 00000000 urlmon!LegacyTransaction::ReportResult+0x116 [onecoreuap\inetcore\urlmon\trans\legacy\legacytransaction.cpp @ 331]
0019a964 6dd7cbe6 06f902b0 06f902b4 06f902a4 mshtml!CResProtocol::DoParseAndBind+0x5f7
0019a978 6dd7cba8 0019a9c0 6dd7cb20 6df5c750 mshtml!CResProtocol::ParseAndBind+0x26
0019a9a0 72df8bd6 06f9022c 02b30588 02b29138 mshtml!CResProtocol::Start+0x88
0019a9e0 72ddeba7 02b29308 02b63278 02b29138 urlmon!COInetProt::StartEx+0x246 [onecoreuap\inetcore\urlmon\trans\common\coinetprot.cpp @ 472]
0019aa50 72dea0ac 02b29150 02b63278 02b4cb90 urlmon!LegacyTransaction::StartEx+0x357 [onecoreuap\inetcore\urlmon\trans\legacy\legacytransaction.cpp @ 1467]
0019aad8 72de7e3a 02b63278 02b04868 6dbdc98c urlmon!CBinding::StartBinding+0x45c [onecoreuap\inetcore\urlmon\trans\common\cbinding.cpp @ 2689]
0019ab30 72de7f2c 02b04868 00000000 6dbdc98c urlmon!CUrlMon::StartBinding+0xeb [onecoreuap\inetcore\urlmon\trans\common\curlmon.cpp @ 1020]
0019ab5c 6dd80b0a 02b04968 02b04868 00000000 urlmon!CUrlMon::BindToStorage+0x6c [onecoreuap\inetcore\urlmon\trans\common\curlmon.cpp @ 892]
0019ab94 6ddeca7f 02b308f8 00000000 02b04968 mshtml!CTridentFilterHost::BindToMoniker+0xc2
0019ae40 6dda422e 0019afd8 00000000 00000003 mshtml!CDwnBindData::Bind+0xa5f
0019ae7c 6ddeaf2b 00000000 00000003 0019af04 mshtml!NewDwnBindData+0x1ee
0019aed4 6de8e8d0 0019afd8 06fde000 00001fe7 mshtml!CDwnLoad::_InitDwnLoad+0x131
0019aef4 6de8e7b3 0019afd8 06fde000 014d0000 mshtml!CBitsLoad::_InitWithFlags+0x47
0019af18 6dd9f940 0019afd8 06fde000 00000001 mshtml!CScriptLoad::Init+0x63
0019af48 6dd9f7bd 06f94cc0 00000001 00000000 mshtml!CDwnInfo::SetLoad+0x150
0019af74 6e09057a 00000001 0019afd8 00000000 mshtml!CDwnCtx::SetLoad+0x4d
0019b050 6df6e974 00000005 02b63500 06fd80d0 mshtml!CDoc::NewDwnCtx2+0x34d
0019b090 6e08b576 00000005 02b304d8 06fd80d0 mshtml!CDoc::NewDwnCtx+0x62
0019b100 6e089133 0000000d 00000001 0019b160 mshtml!CScriptData::DownLoadScript+0x296
0019b134 6e088f90 0019b160 0019b154 06fd80d0 mshtml!CScriptData::ScriptData_OnEnterTree+0x18a
0019b148 6ddbfc33 0019b160 06fc0f00 00000000 mshtml!CScriptElement::Notify+0x40
0019b194 6ddbfb25 06fd80d0 00000001 06fc0f00 mshtml!CHtmRootParseCtx::SendEnterTreeNotification+0xd3
0019b1e8 6dd9c39d 0019b1f8 6dd9c38d 00000001 mshtml!CHtmRootParseCtx::FlushNotifications+0x95
0019b1f0 6dd9c38d 00000001 8000ffff 06f94540 mshtml!CHtmRootParseCtxRouter::Commit+0xd
0019b210 6dd9f394 069d1464 06f94540 00000000 mshtml!CHtmParse::Commit+0x9d
0019b22c 6dd9eb52 00000001 06fda000 6e0781e0 mshtml!CHtmPost::Broadcast+0x124
0019b35c 6e07814d 069d1464 06f80400 06f94540 mshtml!CHtmPost::Exec+0x152
0019b37c 6e078045 069d1464 06f94540 06f80400 mshtml!CHtmPost::Run+0x3d
0019b394 76e8d047 0019b3e0 6e077f23 06f94540 mshtml!PostManExecute+0x60
0019b39c 6e077f23 06f94540 06f94540 6dc496f8 kernel32!GetTickCountStub+0x7
0019b3b0 6e0779f9 6e0779c0 0019b3f0 06f80400 mshtml!PostManResume+0x7b
0019b3e0 6e08535e 06fa8180 06f94540 0019b408 mshtml!CHtmPost::OnDwnChanCallback+0x39
0019b3f8 6ddedacb 06fa8180 00000000 0000000c mshtml!CDwnChan::OnMethodCall+0x3e
0019b470 6de0b014 e28aac16 6de0af30 012907d4 mshtml!GlobalWndOnMethodCall+0x22b
0019b4bc 764ee0bb 012907d4 00008002 00000000 mshtml!GlobalWndProc+0xe4
0019b4e8 764f8849 6de0af30 012907d4 00008002 user32!_InternalCallWinProc+0x2b
0019b50c 764fb145 00008002 00000000 00000000 user32!InternalCallWinProc+0x20
0019b5dc 764e90dc 6de0af30 00000000 00008002 user32!UserCallWinProcCheckWow+0x1be
0019b648 764e8c20 8d5b837a 0019b698 76505ff6 user32!DispatchMessageWorker+0x4ac
0019b654 76505ff6 0019b66c 0034074a 00000000 user32!DispatchMessageW+0x10
0019b698 7650655a 00000008 00000000 00000000 user32!DialogBox2+0x170
0019b6c8 7654043b 0034074a 76521760 0019b918 user32!InternalDialogBox+0xef
0019b794 768339ec 0019b900 76522093 0019b918 user32!SoftModalMessageBox+0x72b
0019b79c 76522093 0019b918 02b1a268 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
0019b988 7653fb1b 0034074a 02b1a268 02b3ac48 user32!MessageBoxWorker+0x29a
0019b9bc 7653f8ca 0034074a 0451a724 0451a788 user32!MessageBoxTimeoutA+0x7b
0019b9dc 00469d7b 0034074a 0451a724 0451a788 user32!MessageBoxA+0x1a
0019ba60 00469e92 00000010 0019fcd0 00469eb3 DNF_II+0x69d7b
0019bb88 00469c77 00000000 00477715 00477724 DNF_II+0x69e92
0019fcec 00424e32 00000700 00000000 02b07bb0 DNF_II+0x69c77
0019fd04 764ee0bb 000c08e2 00000700 00000000 DNF_II+0x24e32
0019fd30 764f8849 02930fc8 000c08e2 00000700 user32!_InternalCallWinProc+0x2b
0019fd54 764fb145 00000700 00000000 02b07bb0 user32!InternalCallWinProc+0x20
0019fe24 764e90dc 02930fc8 00000000 00000700 user32!UserCallWinProcCheckWow+0x1be
0019fe90 764e38c0 0019ff04 0046995c 0019feb8 user32!DispatchMessageWorker+0x4ac
0019fe98 0046995c 0019feb8 0019ff00 00000000 user32!DispatchMessageA+0x10
0019ff04 00401667 00000000 0048e034 02a83728 DNF_II+0x6995c
0019ff48 00488013 00400000 00000000 02a83728 DNF_II+0x1667
0019ff80 76e38654 0039b000 76e38630 7de2932f DNF_II+0x88013
0019ff94 773c4a77 0039b000 a30c1184 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 773c4a47 ffffffff 773e9ebc 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 00604747 0039b000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: !heap ; ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: V0_15+218f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: V0_15
IMAGE_NAME: V0.15.dat
DEBUG_FLR_IMAGE_TIMESTAMP: 401c6484
FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_c0000005_V0.15.dat!Unknown
BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_NULL_POINTER_READ_V0_15+218f
Exploit/PoC:
python -c "print('A'*1000000)" > c:\GamePath.txt
Disclaimer: The information contained within this advisory is supplied "as-is" with |
|---|
| La source | ⚠️ https://www.malvuln.com/advisory/146ce177ab03b8f62a9fc6e7bbf40dc1.txt |
|---|
| Utilisateur | malvuln (UID 14984) |
|---|
| Soumission | 10/02/2021 06:23 (il y a 5 ans) |
|---|
| Modérer | 10/02/2021 12:40 (6 hours later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 169659 [Trojan.Win32.Cafelom.bu DNF-II.exe buffer overflow] |
|---|
| Points | 20 |
|---|