제출 #5852: BACKDOOR.WIN32.KETCH.A / Remote SEH Stack Buffer Overflow정보

제목	BACKDOOR.WIN32.KETCH.A / Remote SEH Stack Buffer Overflow
설명	Discovery / credits: malvuln - Malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/1149c42fd8cf3ca7d00ef55a6337befe.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Ketch.a Vulnerability: Remote SEH Stack Buffer Overflow Description: Ketch makes HTTP request to port 80 for a file named script.dat, upon processing the server response of 1,612 bytes or more we can trigger SEH buffer overflow. Our exploit pattern if using "AAAAAAAAA" will get XOR'd with the value 30 and convert it to 71717171 instead of 41414141, so use "q" for exploit pattern 41414141. Reason is first it gets converted so uppercase becomes lowercase and is XOR'd with value 30. The character "A" becomes "q" 71 so it is difficult to control chars. Therefore, if we want to see the typical 41414141 exploit pattern use lowercase "q" character. Then when 71 (q) gets XOR with 30 it will become 41 (A). Type: PE32 MD5: 1149c42fd8cf3ca7d00ef55a6337befe Vuln ID: MVID-2021-0025 Dropped files: ASLR: False DEP: False Safe SEH: True Disclosure: 01/13/2021 Memory Dump: This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (248.1890): Stack overflow - code c00000fd (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=000a3850 edi=000a3d14 eip=773ce916 esp=000a3798 ebp=000a3838 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!ZwQueryInformationProcess+0x26: 773ce916 c21400 ret 14h 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ***************************************************************************** * WARNING: Unable to verify checksum for Backdoor.Win32.Ketch.a.1149c42fd8cf3ca7d00ef55a6337befe.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Ketch.a.1149c42fd8cf3ca7d00ef55a6337befe.exe FAULTING_IP: Backdoor_Win32_Ketch_a_1149c42fd8cf3ca7d00ef55a6337befe+4689 00404689 8802 mov byte ptr [edx],al EXCEPTION_RECORD: 0019f310 -- (.exr 0x19f310) ExceptionAddress: 00404689 (Backdoor_Win32_Ketch_a_1149c42fd8cf3ca7d00ef55a6337befe+0x00004689) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: Backdoor.Win32.Ketch.a.1149c42fd8cf3ca7d00ef55a6337befe.exe ERROR_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created. EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created. EXCEPTION_PARAMETER1: 00000001 EXCEPTION_PARAMETER2: 000a2fe8 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAILED_INSTRUCTION_ADDRESS: +4689 41414141 ?? ??? CONTEXT: 0019f360 -- (.cxr 0x19f360) eax=00000041 ebx=028b1dac ecx=028b4281 edx=001a0000 esi=0000064f edi=028b3ca0 eip=00404689 esp=0019f7c0 ebp=0019f958 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 Backdoor_Win32_Ketch_a_1149c42fd8cf3ca7d00ef55a6337befe+0x4689: 00404689 8802 mov byte ptr [edx],al ds:002b:001a0000=41 Resetting default scope READ_ADDRESS: 41414141 FOLLOWUP_IP: Backdoor_Win32_Ketch_a_1149c42fd8cf3ca7d00ef55a6337befe+4689 00404689 8802 mov byte ptr [edx],al WRITE_ADDRESS: 001a0000 LAST_CONTROL_TRANSFER: from 028b2ff0 to 00404689 FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_FILL_PATTERN_41414141 IP_ON_HEAP: 028b2ff0 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 FRAME_ONE_INVALID: 1 STACK_TEXT: 0019f7c0 00404689 backdoor_win32_ketch_a+0x4689 0019f960 028b2ff0 unknown!unknown+0x0 0019f96c 773a2abf ntdll!RtlpAllocateHeap+0xcf 0019fb38 41414141 unknown!printable+0x0 0019fb4c 41414141 unknown!printable+0x0 0019fb50 41414141 unknown!printable+0x0 0019fb54 41414141 unknown!printable+0x0 0019fb58 41414141 unknown!printable+0x0 0019fb5c 41414141 unknown!printable+0x0 0019fb60 41414141 unknown!printable+0x0 0019fb64 41414141 unknown!printable+0x0 0019fb68 41414141 unknown!printable+0x0 0019fb6c 41414141 unknown!printable+0x0 0019fb70 41414141 unknown!printable+0x0 0019fb74 41414141 unknown!printable+0x0 0019fb78 41414141 unknown!printable+0x0 0019fb7c 41414141 unknown!printable+0x0 0019fb80 41414141 unknown!printable+0x0 0019fb84 41414141 unknown!printable+0x0 0019fb88 41414141 unknown!printable+0x0 0019fb8c 41414141 unknown!printable+0x0 0019fb90 41414141 unknown!printable+0x0 0019fb94 41414141 unknown!printable+0x0 0019fb98 41414141 unknown!printable+0x0 0019fb9c 41414141 unknown!printable+0x0 0019fba0 41414141 unknown!printable+0x0 0019fba4 41414141 unknown!printable+0x0 0019fba8 41414141 unknown!printable+0x0 0019fbac 41414141 unknown!printable+0x0 0019fbb0 41414141 unknown!printable+0x0 0019fbb4 41414141 unknown!printable+0x0 0019fbb8 41414141 unknown!printable+0x0 0019fbbc 41414141 unknown!printable+0x0 0019fbc0 41414141 unknown!printable+0x0 0019fbc4 41414141 unknown!printable+0x0 0019fbc8 41414141 unknown!printable+0x0 0019fbcc 41414141 unknown!printable+0x0 0019fbd0 41414141 unknown!printable+0x0 0019fbd4 41414141 unknown!printable+0x0 0019fbd8 41414141 unknown!printable+0x0 0019fbdc 41414141 unknown!printable+0x0 0019fbe0 41414141 unknown!printable+0x0 0019fbe4 41414141 unknown!printable+0x0 0019fbe8 41414141 unknown!printable+0x0 0019fbec 41414141 unknown!printable+0x0 0019fbf0 41414141 unknown!printable+0x0 0019fbf4 41414141 unknown!printable+0x0 0019fbf8 41414141 unknown!printable+0x0 0019fbfc 41414141 unknown!printable+0x0 0019fc00 41414141 unknown!printable+0x0 0019fc04 41414141 unknown!printable+0x0 0019fc08 41414141 unknown!printable+0x0 0019fc0c 41414141 unknown!printable+0x0 0019fc10 41414141 unknown!printable+0x0 0019fc14 41414141 unknown!printable+0x0 0019fc18 41414141 unknown!printable+0x0 0019fc1c 41414141 unknown!printable+0x0 0019fc20 41414141 unknown!printable+0x0 0019fc24 41414141 unknown!printable+0x0 0019fc28 41414141 unknown!printable+0x0 0019fc2c 41414141 unknown!printable+0x0 0019fc30 41414141 unknown!printable+0x0 0019fc34 41414141 unknown!printable+0x0 0019fc38 41414141 unknown!printable+0x0 0019fc3c 41414141 unknown!printable+0x0 0019fc40 41414141 unknown!printable+0x0 0019fc44 41414141 unknown!printable+0x0 0019fc48 41414141 unknown!printable+0x0 0019fc4c 41414141 unknown!printable+0x0 0019fc50 41414141 unknown!printable+0x0 0019fc54 41414141 unknown!printable+0x0 0019fc58 41414141 unknown!printable+0x0 0019fc5c 41414141 unknown!printable+0x0 0019fc60 41414141 unknown!printable+0x0 0019fc64 41414141 unknown!printable+0x0 0019fc68 41414141 unknown!printable+0x0 0019fc6c 41414141 unknown!printable+0x0 0019fc70 41414141 unknown!printable+0x0 0019fc74 41414141 unknown!printable+0x0 0019fc78 41414141 unknown!printable+0x0 0019fc7c 41414141 unknown!printable+0x0 0019fc80 41414141 unknown!printable+0x0 0019fc84 41414141 unknown!printable+0x0 0019fc88 41414141 unknown!printable+0x0 0019fc8c 41414141 unknown!printable+0x0 0019fc90 41414141 unknown!printable+0x0 0019fc94 41414141 unknown!printable+0x0 0019fc98 41414141 unknown!printable+0x0 0019fc9c 41414141 unknown!printable+0x0 0019fca0 41414141 unknown!printable+0x0 0019fca4 41414141 unknown!printable+0x0 0019fca8 41414141 unknown!printable+0x0 0019fcac 41414141 unknown!printable+0x0 0019fcb0 41414141 unknown!printable+0x0 0019fcb4 41414141 unknown!printable+0x0 0019fcb8 41414141 unknown!printable+0x0 0019fcbc 41414141 unknown!printable+0x0 0019fcc0 41414141 unknown!printable+0x0 0019fcc4 41414141 unknown!printable+0x0 0019fcc8 41414141 unknown!printable+0x0 0019fccc 41414141 unknown!printable+0x0 0019fcd0 41414141 unknown!printable+0x0 0019fcd4 41414141 unknown!printable+0x0 0019fcd8 41414141 unknown!printable+0x0 0019fcdc 41414141 unknown!printable+0x0 0019fce0 41414141 unknown!printable+0x0 0019fce4 41414141 unknown!printable+0x0 0019fce8 41414141 unknown!printable+0x0 0019fcec 41414141 unknown!printable+0x0 0019fcf0 41414141 unknown!printable+0x0 0019fcf4 41414141 unknown!printable+0x0 0019fcf8 41414141 unknown!printable+0x0 0019fcfc 41414141 unknown!printable+0x0 0019fd00 41414141 unknown!printable+0x0 0019fd04 41414141 unknown!printable+0x0 0019fd08 41414141 unknown!printable+0x0 0019fd0c 41414141 unknown!printable+0x0 0019fd10 41414141 unknown!printable+0x0 0019fd14 41414141 unknown!printable+0x0 0019fd18 41414141 unknown!printable+0x0 0019fd1c 41414141 unknown!printable+0x0 0019fd20 41414141 unknown!printable+0x0 0019fd24 41414141 unknown!printable+0x0 0019fd28 41414141 unknown!printable+0x0 0019fd2c 41414141 unknown!printable+0x0 0019fd30 41414141 unknown!printable+0x0 0019fd34 41414141 unknown!printable+0x0 0019fd38 41414141 unknown!printable+0x0 0019fd3c 41414141 unknown!printable+0x0 0019fd40 41414141 unknown!printable+0x0 0019fd44 41414141 unknown!printable+0x0 0019fd48 41414141 unknown!printable+0x0 0019fd4c 41414141 unknown!printable+0x0 0019fd50 41414141 unknown!printable+0x0 0019fd54 41414141 unknown!printable+0x0 0019fd58
원천	⚠️ https://www.malvuln.com/advisory/1149c42fd8cf3ca7d00ef55a6337befe.txt
사용자	malvuln (UID 14984)
제출	2021. 01. 14. AM 05:23 (5 연령 ago)
모더레이션	2021. 01. 14. AM 07:37 (2 hours later)
상태	수락
VulDB 항목	167809 [Backdoor.Win32.Ketch.a Server Response 메모리 손상]
포인트들	20

◂ 이전 개요 다음 ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!