Submit #5851: BACKDOOR.WIN32.KETCH.I / SEH Remote Stack Buffer Overflowinfo

TitleBACKDOOR.WIN32.KETCH.I / SEH Remote Stack Buffer Overflow
DescriptionDiscovery / credits: malvuln - Malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ee314e1b913a09ec86c63d7186d8f0b8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Ketch.i Vulnerability: SEH Remote Stack Buffer Overflow Description: Ketch makes HTTP request to port 80 for a file named script.dat, upon processing the server response of 1,612 bytes or more we can trigger SEH buffer overflow. Our exploit pattern if using "AAAAAAAAA" will get XOR'd with the value 30 and convert it to 71717171 instead of 41414141, so use "q" for exploit pattern 41414141. Reason is first it gets converted so uppercase becomes lowercase and is XOR'd with value 30. The character "A" becomes "q" 71 so it is difficult to control chars. Therefore, if we want to see the typical 41414141 exploit pattern use lowercase "q" character. Then when 71 (q) gets XOR with 30 it will become 41 (A). Type: PE32 MD5: ee314e1b913a09ec86c63d7186d8f0b8 Vuln ID: MVID-2021-0024 Dropped files: ASLR: False DEP: False Safe SEH: True Disclosure: 01/13/2021 Memory Dump: This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (95c.11f0): Stack overflow - code c00000fd (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=000a3848 edi=000a3d0c eip=773ce916 esp=000a3790 ebp=000a3830 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 ntdll!ZwQueryInformationProcess+0x26: 773ce916 c21400 ret 14h 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe FAULTING_IP: Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+50f9 004050f9 8802 mov byte ptr [edx],al EXCEPTION_RECORD: 0019f30c -- (.exr 0x19f30c) ExceptionAddress: 004050f9 (Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+0x000050f9) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe ERROR_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created. EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created. EXCEPTION_PARAMETER1: 00000001 EXCEPTION_PARAMETER2: 000a2fe8 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAILED_INSTRUCTION_ADDRESS: +50f9 41414141 ?? ??? CONTEXT: 0019f35c -- (.cxr 0x19f35c) eax=00000041 ebx=02851dbc ecx=02854285 edx=001a0000 esi=0000064f edi=02853ca0 eip=004050f9 esp=0019f7bc ebp=0019f954 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+0x50f9: 004050f9 8802 mov byte ptr [edx],al ds:002b:001a0000=41 Resetting default scope READ_ADDRESS: 41414141 FOLLOWUP_IP: Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+50f9 004050f9 8802 mov byte ptr [edx],al WRITE_ADDRESS: 001a0000 LAST_CONTROL_TRANSFER: from 02852ff0 to 004050f9 FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_FILL_PATTERN_41414141 IP_ON_HEAP: 02852ff0 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 FRAME_ONE_INVALID: 1 STACK_TEXT: 0019f7bc 004050f9 backdoor_win32_ketch_i+0x50f9 0019f95c 02852ff0 unknown!unknown+0x0 0019f964 773a2abf ntdll!RtlpAllocateHeap+0xcf 0019fb30 41414141 unknown!printable+0x0 0019fb44 41414141 unknown!printable+0x0 0019fb48 41414141 unknown!printable+0x0 0019fb4c 41414141 unknown!printable+0x0 0019fb50 41414141 unknown!printable+0x0 0019fb54 41414141 unknown!printable+0x0 0019fb58 41414141 unknown!printable+0x0 0019fb5c 41414141 unknown!printable+0x0 0019fb60 41414141 unknown!printable+0x0 0019fb64 41414141 unknown!printable+0x0 0019fb68 41414141 unknown!printable+0x0 0019fb6c 41414141 unknown!printable+0x0 0019fb70 41414141 unknown!printable+0x0 0019fb74 41414141 unknown!printable+0x0 0019fb78 41414141 unknown!printable+0x0 0019fb7c 41414141 unknown!printable+0x0 0019fb80 41414141 unknown!printable+0x0 0019fb84 41414141 unknown!printable+0x0 0019fb88 41414141 unknown!printable+0x0 0019fb8c 41414141 unknown!printable+0x0 0019fb90 41414141 unknown!printable+0x0 0019fb94 41414141 unknown!printable+0x0 0019fb98 41414141 unknown!printable+0x0 0019fb9c 41414141 unknown!printable+0x0 0019fba0 41414141 unknown!printable+0x0 0019fba4 41414141 unknown!printable+0x0 0019fba8 41414141 unknown!printable+0x0 0019fbac 41414141 unknown!printable+0x0 0019fbb0 41414141 unknown!printable+0x0 0019fbb4 41414141 unknown!printable+0x0 0019fbb8 41414141 unknown!printable+0x0 0019fbbc 41414141 unknown!printable+0x0 0019fbc0 41414141 unknown!printable+0x0 0019fbc4 41414141 unknown!printable+0x0 0019fbc8 41414141 unknown!printable+0x0 0019fbcc 41414141 unknown!printable+0x0 0019fbd0 41414141 unknown!printable+0x0 0019fbd4 41414141 unknown!printable+0x0 0019fbd8 41414141 unknown!printable+0x0 0019fbdc 41414141 unknown!printable+0x0 0019fbe0 41414141 unknown!printable+0x0 0019fbe4 41414141 unknown!printable+0x0 0019fbe8 41414141 unknown!printable+0x0 0019fbec 41414141 unknown!printable+0x0 0019fbf0 41414141 unknown!printable+0x0 0019fbf4 41414141 unknown!printable+0x0 0019fbf8 41414141 unknown!printable+0x0 0019fbfc 41414141 unknown!printable+0x0 0019fc00 41414141 unknown!printable+0x0 0019fc04 41414141 unknown!printable+0x0 0019fc08 41414141 unknown!printable+0x0 0019fc0c 41414141 unknown!printable+0x0 0019fc10 41414141 unknown!printable+0x0 0019fc14 41414141 unknown!printable+0x0 0019fc18 41414141 unknown!printable+0x0 0019fc1c 41414141 unknown!printable+0x0 0019fc20 41414141 unknown!printable+0x0 0019fc24 41414141 unknown!printable+0x0 0019fc28 41414141 unknown!printable+0x0 0019fc2c 41414141 unknown!printable+0x0 0019fc30 41414141 unknown!printable+0x0 0019fc34 41414141 unknown!printable+0x0 0019fc38 41414141 unknown!printable+0x0 0019fc3c 41414141 unknown!printable+0x0 0019fc40 41414141 unknown!printable+0x0 0019fc44 41414141 unknown!printable+0x0 0019fc48 41414141 unknown!printable+0x0 0019fc4c 41414141 unknown!printable+0x0 0019fc50 41414141 unknown!printable+0x0 0019fc54 41414141 unknown!printable+0x0 0019fc58 41414141 unknown!printable+0x0 0019fc5c 41414141 unknown!printable+0x0 0019fc60 41414141 unknown!printable+0x0 0019fc64 41414141 unknown!printable+0x0 0019fc68 41414141 unknown!printable+0x0 0019fc6c 41414141 unknown!printable+0x0 0019fc70 41414141 unknown!printable+0x0 0019fc74 41414141 unknown!printable+0x0 0019fc78 41414141 unknown!printable+0x0 0019fc7c 41414141 unknown!printable+0x0 0019fc80 41414141 unknown!printable+0x0 0019fc84 41414141 unknown!printable+0x0 0019fc88 41414141 unknown!printable+0x0 0019fc8c 41414141 unknown!printable+0x0 0019fc90 41414141 unknown!printable+0x0 0019fc94 41414141 unknown!printable+0x0 0019fc98 41414141 unknown!printable+0x0 0019fc9c 41414141 unknown!printable+0x0 0019fca0 41414141 unknown!printable+0x0 0019fca4 41414141 unknown!printable+0x0 0019fca8 41414141 unknown!printable+0x0 0019fcac 41414141 unknown!printable+0x0 0019fcb0 41414141 unknown!printable+0x0 0019fcb4 41414141 unknown!printable+0x0 0019fcb8 41414141 unknown!printable+0x0 0019fcbc 41414141 unknown!printable+0x0 0019fcc0 41414141 unknown!printable+0x0 0019fcc4 41414141 unknown!printable+0x0 0019fcc8 41414141 unknown!printable+0x0 0019fccc 41414141 unknown!printable+0x0 0019fcd0 41414141 unknown!printable+0x0 0019fcd4 41414141 unknown!printable+0x0 0019fcd8 41414141 unknown!printable+0x0 0019fcdc 41414141 unknown!printable+0x0 0019fce0 41414141 unknown!printable+0x0 0019fce4 41414141 unknown!printable+0x0 0019fce8 41414141 unknown!printable+0x0 0019fcec 41414141 unknown!printable+0x0 0019fcf0 41414141 unknown!printable+0x0 0019fcf4 41414141 unknown!printable+0x0 0019fcf8 41414141 unknown!printable+0x0 0019fcfc 41414141 unknown!printable+0x0 0019fd00 41414141 unknown!printable+0x0 0019fd04 41414141 unknown!printable+0x0 0019fd08 41414141 unknown!printable+0x0 0019fd0c 41414141 unknown!printable+0x0 0019fd10 41414141 unknown!printable+0x0 0019fd14 41414141 unknown!printable+0x0 0019fd18 41414141 unknown!printable+0x0 0019fd1c 41414141 unknown!printable+0x0 0019fd20 41414141 unknown!printable+0x0 0019fd24 41414141 unknown!printable+0x0 0019fd28 41414141 unknown!printable+0x0 0019fd2c 41414141 unknown!printable+0x0 0019fd30 41414141 unknown!printable+0x0 0019fd34 41414141 unknown!printable+0x0 0019fd38 41414141 unknown!printable+0x0 0019fd3c 41414141 unknown!printable+0x0 0019fd40 41414141 unknown!printable+0x0 0019fd44 41414141 unknown!printable+0x0 0019fd48 41414141 unknown!printable+0x0 0019fd4c 41414141 unknown!printable+0x0 0019fd
Source⚠️ https://www.malvuln.com/advisory/ee314e1b913a09ec86c63d7186d8f0b8.txt
Usermalvuln (ID 14984)
Submission14/01/2021 05:01 (3 years ago)
Moderation14/01/2021 07:36 (3 hours later)
Accepted
Accettato
VulDB EntryVDB-167808

PrecedenteVisione D'insiemeIl prossimo

Do you know our Splunk app?

Download it now for free!