# EMAIL-WORM.WIN32.AGENT.GI / Remote Stack Buffer Overflow - (UDP Datagram)

## Description

- Discovery / credits: Malvuln - malvuln.com (c) 2021
- Original source: https://malvuln.com/advisory/74e65773735f977185f6a09f1472ea46.txt
- Contact: [email protected]
- Media: twitter.com/malvuln
- Threat: Email-Worm.Win32.Agent.gi
- Vulnerability: Remote Stack Buffer Overflow - (UDP Datagram)
- Description: Creates a service "Microsoft ASPI Manager" and listens on TCP ports 80, 81 and UDP 53. The service process is a dropped executable named aspimgr.exe that runs with SYSTEM integrity. Third-party attackers can send 332 bytes to UDP port 53 to overwrite the instruction pointer (EIP) and possibly gain SYSTEM privileges. The Exploit PoC uses the typical 41414141 pattern and 52525252 "R" character for EIP overwrite.
- Type: PE32
- MD5: 74e65773735f977185f6a09f1472ea46
- Vuln ID: MVID-2021-0036
- Dropped files: aspimgr.exe
- ASLR: False
- DEP: False
- Safe SEH: True
- Disclosure: 01/18/2021
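The following C block is an added illustration of the bug class the advisory reports, not code from the advisory or from the worm: a datagram handler that copies the payload into a fixed-size stack buffer without checking its length, shown beside a hardened handler that rejects oversized datagrams before copying anything. The frame layout, the 64-byte buffer, the assumed legitimate return address and the helper names are assumptions made for this model; the page gives no offsets from the real binary, only the 332-byte datagram length and the register values in the crash dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class in the advisory: a datagram handler
 * that copies the payload into a fixed-size stack buffer without checking
 * its length.  The struct, sizes, offsets and the "legitimate" return value
 * are assumptions made for this illustration; nothing here is the worm's
 * code, and the real binary's offsets are not known from the advisory. */

#define NAME_MAX      64            /* assumed size of the fixed local buffer */
#define ADVISORY_LEN  332           /* datagram length the advisory reports   */
#define GOOD_RET      0x00401000u   /* assumed legitimate return address      */

/* A 32-bit frame laid out the way a linear overrun walks through it:
 * local buffer, then saved EBP, then the saved return address (EIP).
 * The slack region keeps the model memory-safe even when the unsafe
 * handler copies far more than NAME_MAX bytes. */
struct frame {
    char     name[NAME_MAX];
    uint32_t saved_ebp;
    uint32_t saved_eip;
    char     slack[1024];
};

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->saved_ebp = 0x03291470u;   /* ebp value from the advisory's register dump */
    f->saved_eip = GOOD_RET;
}

/* Unsafe handler: trusts len and copies the whole datagram into the
 * local buffer.  Any payload longer than NAME_MAX + 8 bytes reaches the
 * saved return address.  The clamp only protects the model; real code
 * of this shape has no such check at all. */
static size_t handle_unsafe(struct frame *f, const uint8_t *dgram, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((char *)f + offsetof(struct frame, name), dgram, len);
    return len;
}

/* Hardened handler: drop any datagram that does not fit (including room
 * for the terminator) before touching the buffer, and NUL-terminate. */
static int handle_safe(struct frame *f, const uint8_t *dgram, size_t len) {
    if (len >= NAME_MAX) return -1;   /* oversized: reject, frame untouched */
    memcpy(f->name, dgram, len);
    f->name[len] = '\0';
    return 0;
}

/* Saved EIP left in the model frame after the unsafe handler receives a
 * 332-byte datagram of 'A' filler (the advisory's 41414141 pattern). */
static uint32_t eip_after_unsafe(void) {
    struct frame f;
    uint8_t d[ADVISORY_LEN];
    frame_init(&f);
    memset(d, 'A', sizeof d);        /* constructed oversized datagram */
    handle_unsafe(&f, d, sizeof d);
    return f.saved_eip;              /* 0x41414141: return address clobbered */
}

/* Same datagram through the hardened handler: GOOD_RET must survive. */
static uint32_t eip_after_safe(void) {
    struct frame f;
    uint8_t d[ADVISORY_LEN];
    frame_init(&f);
    memset(d, 'A', sizeof d);
    handle_safe(&f, d, sizeof d);
    return f.saved_eip;              /* still GOOD_RET */
}

/* Sanity check that the hardened handler still serves well-formed input. */
static int safe_accepts(const char *s) {
    struct frame f;
    frame_init(&f);
    if (handle_safe(&f, (const uint8_t *)s, strlen(s)) != 0) return 0;
    return strcmp(f.name, s) == 0;
}

int main(void) {
    printf("unsafe handler: saved eip = %08x\n", eip_after_unsafe());
    printf("safe handler:   saved eip = %08x\n", eip_after_safe());
    printf("safe handler accepts \"host\": %d\n", safe_accepts("host"));
    return 0;
}
```

The length check in `handle_safe` is the whole fix: it runs before any byte is copied, so an oversized datagram never reaches the frame. In a real service the same check belongs immediately after `recvfrom`, using the returned length rather than any length field inside the datagram.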
Memory Dump:

```text
(1a78.e44): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=52525252 edx=773e9d70 esi=00000000 edi=00000000
eip=52525252 esp=03291450 ebp=03291470 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
52525252 ?? ???
0:007> !exchain
03291464: ntdll!ExecuteHandler2+44 (773e9d70)
03291a14: ntdll!ExecuteHandler2+44 (773e9d70)
03291fc4: ntdll!ExecuteHandler2+44 (773e9d70)
03292574: ntdll!ExecuteHandler2+44 (773e9d70)
03292b24: ntdll!ExecuteHandler2+44 (773e9d70)
032930d4: ntdll!ExecuteHandler2+44 (773e9d70)
03293684: ntdll!ExecuteHandler2+44 (773e9d70)
03293c34: ntdll!ExecuteHandler2+44 (773e9d70)
032941e4: ntdll!ExecuteHandler2+44 (773e9d70)
03294794: ntdll!ExecuteHandler2+44 (773e9d70)
03294d44: ntdll!ExecuteHandler2+44 (773e9d70)
032952f4: ntdll!ExecuteHandler2+44 (773e9d70)
032958a4: ntdll!ExecuteHandler2+44 (773e9d70)
03295e54: ntdll!ExecuteHandler2+44 (773e9d70)
03296404: ntdll!ExecuteHandler2+44 (773e9d70)
032969b4: ntdll!ExecuteHandler2+44 (773e9d70)
03296f64: ntdll!ExecuteHandler2+44 (773e9d70)
03297514: ntdll!ExecuteHandler2+44 (773e9d70)
03297ac4: ntdll!ExecuteHandler2+44 (773e9d70)
03298074: ntdll!ExecuteHandler2+44 (773e9d70)
03298624: ntdll!ExecuteHandler2+44 (773e9d70)
03298bd4: ntdll!ExecuteHandler2+44 (773e9d70)
03299184: ntdll!ExecuteHandler2+44 (773e9d70)
03299734: ntdll!ExecuteHandler2+44 (773e9d70)
03299ce4: ntdll!ExecuteHandler2+44 (773e9d70)
0329a294: ntdll!ExecuteHandler2+44 (773e9d70)
0329a844: ntdll!ExecuteHandler2+44 (773e9d70)
0329adf4: ntdll!ExecuteHandler2+44 (773e9d70)
0329b3a4: ntdll!ExecuteHandler2+44 (773e9d70)
0329b954: ntdll!ExecuteHandler2+44 (773e9d70)
0329bf04: ntdll!ExecuteHandler2+44 (773e9d70)
0329c4b4: ntdll!ExecuteHandler2+44 (773e9d70)
0329ca64: ntdll!ExecuteHandler2+44 (773e9d70)
0329d014: ntdll!ExecuteHandler2+44 (773e9d70)
0329d5c4: ntdll!ExecuteHandler2+44 (773e9d70)
0329db74: ntdll!ExecuteHandler2+44 (773e9d70)
0329e124: ntdll!ExecuteHandler2+44 (773e9d70)
0329e6d4: ntdll!ExecuteHandler2+44 (773e9d70)
0329ec84: ntdll!ExecuteHandler2+44 (773e9d70)
0329f234: ntdll!ExecuteHandler2+44 (773e9d70)
0329f7e4: ntdll!ExecuteHandler2+44 (773e9d70)
0329fd94: ntdll!ExecuteHandler2+44 (773e9d70)
032a0344: ntdll!ExecuteHandler2+44 (773e9d70)
032a08f4: ntdll!ExecuteHandler2+44 (773e9d70)
032a0ea4: ntdll!ExecuteHandler2+44 (773e9d70)
032a1454: ntdll!ExecuteHandler2+44 (773e9d70)
032a1a04: ntdll!ExecuteHandler2+44 (773e9d70)
032a1fb4: ntdll!ExecuteHandler2+44 (773e9d70)
032a2564: ntdll!ExecuteHandler2+44 (773e9d70)
032a2b14: ntdll!ExecuteHandler2+44 (773e9d70)
032a30c4: ntdll!ExecuteHandler2+44 (773e9d70)
032a3674: ntdll!ExecuteHandler2+44 (773e9d70)
032a3c24: ntdll!ExecuteHandler2+44 (773e9d70)
032a41d4: ntdll!ExecuteHandler2+44 (773e9d70)
032a4784: ntdll!ExecuteHandler2+44 (773e9d70)
032a4d34: ntdll!ExecuteHandler2+44 (773e9d70)
032a52e4: ntdll!ExecuteHandler2+44 (773e9d70)
032a5894: ntdll!ExecuteHandler2+44 (773e9d70)
032a5e44: ntdll!ExecuteHandler2+44 (773e9d70)
032a63f4: ntdll!ExecuteHandler2+44 (773e9d70)
032a69a4: ntdll!ExecuteHandler2+44 (773e9d70)
032a6f54: ntdll!ExecuteHandler2+44 (773e9d70)
032a7504: ntdll!ExecuteHandler2+44 (773e9d70)
032a7ab4: ntdll!ExecuteHandler2+44 (773e9d70)
032a8064: ntdll!ExecuteHandler2+44 (773e9d70)
032a8614: ntdll!ExecuteHandler2+44 (773e9d70)
032a8bc4: ntdll!ExecuteHandler2+44 (773e9d70)
032a9174: ntdll!ExecuteHandler2+44 (773e9d70)
032a9724: ntdll!ExecuteHandler2+44 (773e9d70)
032a9cd4: ntdll!ExecuteHandler2+44 (773e9d70)
032aa284: ntdll!ExecuteHandler2+44 (773e9d70)
032aa834: ntdll!ExecuteHandler2+44 (773e9d70)
032aade4: ntdll!ExecuteHandler2+44 (773e9d70)
032ab394: ntdll!ExecuteHandler2+44 (773e9d70)
032ab944: ntdll!ExecuteHandler2+44 (773e9d70)
032abef4: ntdll!ExecuteHandler2+44 (773e9d70)
032ac4a4: ntdll!ExecuteHandler2+44 (773e9d70)
032aca54: ntdll!ExecuteHandler2+44 (773e9d70)
032ad004: ntdll!ExecuteHandler2+44 (773e9d70)
032ad5b4: ntdll!ExecuteHandler2+44 (773e9d70)
032adb64: ntdll!ExecuteHandler2+44 (773e9d70)
032ae114: ntdll!ExecuteHandler2+44 (773e9d70)
032ae6c4: ntdll!ExecuteHandler2+44 (773e9d70)
032aec74: ntdll!ExecuteHandler2+44 (773e9d70)
032af224: ntdll!ExecuteHandler2+44 (773e9d70)
032af7d4: ntdll!ExecuteHandler2+44 (773e9d70)
032afd84: ntdll!ExecuteHandler2+44 (773e9d70)
032b0334: ntdll!ExecuteHandler2+44 (773e9d70)
032b08e4: ntdll!ExecuteHandler2+44 (773e9d70)
032b0e94: ntdll!ExecuteHandler2+44 (773e9d70)
032b1444: ntdll!ExecuteHandler2+44 (773e9d70)
032b19f4: ntdll!ExecuteHandler2+44 (773e9d70)
032b1fa4: ntdll!ExecuteHandler2+44 (773e9d70)
032b2554: ntdll!ExecuteHandler2+44 (773e9d70)
032b2b04: ntdll!ExecuteHandler2+44 (773e9d70)
032b30b4: ntdll!ExecuteHandler2+44 (773e9d70)
032b3664: ntdll!ExecuteHandler2+44 (773e9d70)
032b3c14: ntdll!ExecuteHandler2+44 (773e9d70)
032b41c4: ntdll!ExecuteHandler2+44 (773e9d70)
032b4774: ntdll!ExecuteHandler2+44 (773e9d70)
032b4d24: ntdll!ExecuteHandler2+44 (773e9d70)
032b52d4: ntdll!ExecuteHandler2+44 (773e9d70)
032b5884: ntdll!ExecuteHandler2+44 (773e9d70)
032b5e34: ntdll!ExecuteHandler2+44 (773e9d70)
032b63e4: ntdll!ExecuteHandler2+44 (773e9d70)
032b6994: ntdll!ExecuteHandler2+44 (773e9d70)
032b6f44: ntdll!ExecuteHandler2+44 (773e9d70)
032b74f4: ntdll!ExecuteHandler2+44 (773e9d70)
032b7aa4: ntdll!ExecuteHandler2+44 (773e9d70)
032b8054: ntdll!ExecuteHandler2+44 (773e9d70)
032b8604: ntdll!ExecuteHandler2+44 (773e9d70)
032b8bb4: ntdll!ExecuteHandler2+44 (773e9d70)
032b9164: ntdll!ExecuteHandler2+44 (773e9d70)
032b9714: ntdll!ExecuteHandler2+44 (773e9d70)
032b9cc4: ntdll!ExecuteHandler2+44 (773e9d70)
032ba274: ntdll!ExecuteHandler2+44 (773e9d70)
032ba824: ntdll!ExecuteHandler2+44 (773e9d70)
032badd4: ntdll!ExecuteHandler2+44 (773e9d70)
032bb384: ntdll!ExecuteHandler2+44 (773e9d70)
032bb934: ntdll!ExecuteHandler2+44 (773e9d70)
032bbee4: ntdll!ExecuteHandler2+44 (773e9d70)
032bc494: ntdll!ExecuteHandler2+44 (773e9d70)
032bca44: ntdll!ExecuteHandler2+44 (773e9d70)
032bcff4: ntdll!ExecuteHandler2+44 (773e9d70)
032bd5a4: ntdll!ExecuteHandler2+44 (773e9d70)
032bdb54: ntdll!ExecuteHandler2+44 (773e9d70)
032be104: ntdll!ExecuteHandler2+44 (773e9d70)
032be6b4: ntdll!ExecuteHandler2+44 (773e9d70)
032bec64: ntdll!ExecuteHandler2+44 (773e9d70)
032bf214: ntdll!ExecuteHandler2+44 (773e9d70)
032bf7c4: ntdll!ExecuteHandler2+44 (773e9d70)
032bfd74: ntdll!ExecuteHandler2+44 (773e9d70)
032c0324: ntdll!ExecuteHandler2+44 (773e9d70)
032c08d4: ntdll!ExecuteHandler2+44 (773e9d70)
032c0e84: ntdll!ExecuteHandler2+44 (773e9d70)
032c1434: ntdll!ExecuteHandler2+44 (773e9d70)
032c19e4: ntdll!ExecuteHandler2+44 (773e9d70)
032c1f94: ntdll!ExecuteHandler2+44 (773e9d70)
032c2544: ntdll!ExecuteHandler2+44 (773e9d70)
032c2af4: ntdll!ExecuteHandler2+44 (773e9d70)
032c30a4: ntdll!ExecuteHandler2+44 (773e9d70)
032c3654: ntdll!ExecuteHandler2+44 (773e9d70)
032c3c04: ntdll!ExecuteHandler2+44 (773e9d70)
032c41b4: ntdll!ExecuteHandler2+44 (773e9d70)
032c4764: ntdll!ExecuteHandler2+44 (773e9d70)
032c4d14: ntdll!ExecuteHandler2+44 (773e9d70)
032c52c4: ntdll!ExecuteHandler2+44 (773e9d70)
032c5874: ntdll!ExecuteHandler2+44 (773e9d70)
032c5e24: ntdll!ExecuteHandler2+44 (773e9d70)
032c63d4: ntdll!ExecuteHandler2+44 (773e9d70)
032c6984: ntdll!ExecuteHandler2+44 (773e9d70)
032c6f34: ntdll!ExecuteHandler2+44 (773e9d70)
032c74e4: ntdll!ExecuteHandler2+44 (773e9d70)
032c7a94: ntdll!ExecuteHandler2+44 (773e9d70)
032c8044: ntdll!ExecuteHandler2+44 (773e9d70)
032c85f4: ntdll!ExecuteHandler2+44 (773e9d70)
032c8ba4: ntdll!ExecuteHandler2+44 (773e9d70)
032c9154: ntdll!ExecuteHandler2+44 (773e9d70)
032c9704: ntdll!ExecuteHandler2+44 (773e9d70)
032c9cb4: ntdll!ExecuteHandler2+44 (773e9d70)
032ca264: ntdll!ExecuteHandler2+44 (773e9d70)
032ca814: ntdll!ExecuteHandler2+44 (773e9d70)
032cadc4: ntdll!ExecuteHandler2+44 (773e9d70)
032cb374: ntdll!ExecuteHandler2+44 (773e9d70)
032cb924: ntdll!ExecuteHandler2+44 (773e9d70)
032cbed4: ntdll!ExecuteHandler2+44 (773e9d70)
032cc484: ntdll!ExecuteHandler2+44 (773e9d70)
032cca34: ntdll!ExecuteHandler2+44 (773e9d70)
032ccfe4: ntdll!ExecuteHandler2+44 (773e9d70)
032cd594: ntdll!ExecuteHandler2+44 (773e9d70)
032cdb44: ntdll!ExecuteHandler2+44 (773e9d70)
032ce0f4: ntdll!ExecuteHandler2+44 (773e9d70)
032ce6a4: ntdll!ExecuteHandler2+44 (773e9d70)
032cec54: ntdll!ExecuteHandler2+44 (773e9d70)
032cf204: ntdll!ExecuteHandler2+44 (773e9d70)
032cf7b4: ntdll!ExecuteHandler2+44 (773e9d70)
032cfd64: ntdll!ExecuteHandler2+44 (773e9d70)
032d0314: ntdll!ExecuteHandler2+44 (773e9d70)
032d08c4: ntdll!ExecuteHandler2+44 (773e9d70)
032d0e74: ntdll!ExecuteHandler2+44 (773e9d70)
032d1424: ntdll!ExecuteHandler2+44 (773e9d70)
032d19d4: ntdll!ExecuteHandler2+44 (773e9d70)
032d1f84: ntdll!ExecuteHandler2+44 (773e9d70)
032d2534: ntdll!ExecuteHandler2+44 (773e9d70)
032d2ae4: ntdll!ExecuteHandler2+44 (773e9d70)
032d3094: ntdll!ExecuteHand
```
| Field | Value |
|---|---|
| Source | https://www.malvuln.com/advisory/74e65773735f977185f6a09f1472ea46.txt |
| User | malvuln (UID 14984) |
| Submission | 18/01/2021 21h08 (5 years ago) |
| Moderation | 19/01/2021 07h09 (10 hours later) |
| Status | Accepted |
| VulDB Entry | 168079 [Email-Worm.Win32.Agent.gi Microsoft ASPI Manager aspimgr.exe Buffer Overflow] |
| Points | 20 |