| Title | BACKDOOR.WIN32.APHEXDOOR.LITESOCK / Remote Stack Buffer Overflow |
|---|
| Description | Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/a8bb1744bedf43849ed808b7dfa32da4.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Aphexdoor.LiteSock
Vulnerability: Remote Stack Buffer Overflow
Description: Aphexdoor.LiteSock drops an extensionless executable named "moo" in the Windows directory and listens on TCP ports 113 and 1415. Sending a specially crafted packet to port 1415 triggers a classic stack buffer overflow that overwrites the SEH record.
Type: PE32
MD5: a8bb1744bedf43849ed808b7dfa32da4
Vuln ID: MVID-2021-0082
Dropped files: moo
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 02/09/2021
Memory Dump:
(dc.c18): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=77129d70 esi=02d51848 edi=02d51d0c
eip=7710e916 esp=02d51790 ebp=02d51830 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!ZwQueryInformationProcess+0x26:
7710e916 c21400 ret 14h
0:004> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for moo
*** ERROR: Module load completed but symbols could not be loaded for moo
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
+1141
48272057 ?? ???
EXCEPTION_RECORD: 02e4fadc -- (.exr 0x2e4fadc)
ExceptionAddress: 48272057
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 48272057
Attempt to read from address 48272057
PROCESS_NAME: moo
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 02d50fe8
WRITE_ADDRESS: 02d50fe8
FOLLOWUP_IP:
moo+1141
00401141 8d85f0feffff lea eax,[ebp-110h]
FAILED_INSTRUCTION_ADDRESS:
+1141
41414141 ?? ???
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: 02e4fb2c -- (.cxr 0x2e4fb2c)
eax=00000001 ebx=000001c0 ecx=819b7373 edx=00000001 esi=004011a8 edi=004011a8
eip=48272057 esp=02e4ff8c ebp=413a4e34 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
48272057 ?? ???
Resetting default scope
FAULTING_THREAD: ffffffff
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 39312720 to 48272057
IP_ON_HEAP: 39312720
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 39312720
FRAME_ONE_INVALID: 1
STACK_TEXT:
02e4ff8c 48272057 unknown!printable+0x0
02e4ff90 39312720 unknown!printable+0x0
02e4ff94 36312e32 unknown!printable+0x0
02e4ff98 38382e38 unknown!printable+0x0
02e4ff9c 3832312e unknown!printable+0x0
02e4ffa0 585c0a0d unknown!unknown+0x0
02e4ffa4 7165522d unknown!printable+0x0
02e4ffa8 74736575 unknown!printable+0x0
02e4ffac 3a44492d unknown!printable+0x0
02e4ffb0 41414120 unknown!printable+0x0
02e4ffb4 41414141 unknown!printable+0x0
02e4ffb8 41414141 unknown!printable+0x0
02e4ffbc 41414141 unknown!printable+0x0
02e4ffc0 41414141 unknown!printable+0x0
02e4ffc4 41414141 unknown!printable+0x0
02e4ffc8 41414141 unknown!printable+0x0
02e4ffcc 41414141 unknown!printable+0x0
02e4ffd0 41414141 unknown!printable+0x0
02e4ffd4 41414141 unknown!printable+0x0
02e4ffd8 41414141 unknown!printable+0x0
02e4ffdc 41414141 unknown!printable+0x0
02e4ffe0 41414141 unknown!printable+0x0
02e4ffe4 41414141 unknown!printable+0x0
02e4ffe8 41414141 unknown!printable+0x0
02e4ffec 41414141 unknown!printable+0x0
02e4fff0 41414141 unknown!printable+0x0
02e4fff4 41414141 unknown!printable+0x0
02e4fff8 00401141 moo+0x1141
STACK_COMMAND: .cxr 0000000002E4FB2C ; kb ; dds 2e4ff8c ; kb
SYMBOL_STACK_INDEX: 1b
SYMBOL_NAME: moo+1141
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: moo
IMAGE_NAME: moo
DEBUG_FLR_IMAGE_TIMESTAMP: 3da2c58a
FAILURE_BUCKET_ID: STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_moo!Unknown
BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_moo+1141
---------
0:004> !exchain |
|---|
| Source | https://www.malvuln.com/advisory/a8bb1744bedf43849ed808b7dfa32da4.txt |
|---|
| User | malvuln (UID 14984) |
|---|
| Submission | 10.02.2021 06:24 (5 years ago) |
|---|
| Moderation | 10.02.2021 12:42 (6 hours later) |
|---|
| Status | accepted |
|---|
| VulDB entry | 169661 [Backdoor.Win32.Aphexdoor.LiteSock Service Port 113 moo memory corruption] |
|---|
| Points | 20 |
|---|
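The crash report above is the evidence for the overflow: a fault address made of the 0x41 fill byte, the same byte repeated down STACK_TEXT, and a "FILL_PATTERN_41414141" bucket. The following triage script, an added example and not part of the advisory or VulDB record, parses a WinDbg `!analyze -v` report for exactly those fields so that a responder can classify a crash as a controlled stack overwrite; the embedded report is a constructed excerpt that mirrors a few lines of the dump on this page.

```python
# Added example: triage a WinDbg '!analyze -v' report for signs of attacker-controlled
# data on the stack (fill-byte EIP, fill-byte return addresses). SAMPLE_REPORT is a
# constructed excerpt modelled on the Aphexdoor.LiteSock dump, not the full dump.
import re

SAMPLE_REPORT = """\
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
FAILED_INSTRUCTION_ADDRESS:
+1141
41414141 ?? ???
STACK_TEXT:
02e4ff8c 48272057 unknown!printable+0x0
02e4ff90 39312720 unknown!printable+0x0
02e4ffb4 41414141 unknown!printable+0x0
02e4ffb8 41414141 unknown!printable+0x0
02e4fff8 00401141 moo+0x1141
STACK_COMMAND: .cxr 0000000002E4FB2C ; kb ; dds 2e4ff8c ; kb
"""

def is_fill_pattern(word):
    """True when a 32-bit hex word is one repeated printable byte (e.g. 41414141)."""
    b = bytes.fromhex(word)
    return len(b) == 4 and len(set(b)) == 1 and 0x20 <= b[0] < 0x7f

def parse_stack_text(report):
    """Return the return-address column of the STACK_TEXT block, in order."""
    lines = report.splitlines()
    if "STACK_TEXT:" not in lines:
        return []
    words = []
    for line in lines[lines.index("STACK_TEXT:") + 1:]:
        m = re.match(r"^[0-9a-f]{8} ([0-9a-f]{8}) ", line)
        if not m:
            break  # first non-frame line (e.g. STACK_COMMAND:) ends the block
        words.append(m.group(1))
    return words

def triage(report):
    """Summarise the fields that show whether the crash is a controlled overwrite."""
    code = re.search(r"EXCEPTION_CODE: \(NTSTATUS\) (0x[0-9a-f]+)", report)
    bad_ip = re.search(r"FAILED_INSTRUCTION_ADDRESS:\n.*\n([0-9a-f]{8}) ", report)
    ip = bad_ip.group(1) if bad_ip else None
    ip_fill = ip is not None and is_fill_pattern(ip)
    words = parse_stack_text(report)
    n_fill = sum(is_fill_pattern(w) for w in words)  # frames holding the fill byte
    return {"exception_code": code.group(1) if code else None, "bad_ip": ip,
            "ip_is_fill": ip_fill, "stack_words": len(words), "fill_words": n_fill,
            "likely_controlled": ip_fill and n_fill > 0}
```

Run `triage(SAMPLE_REPORT)` to get a dictionary; `likely_controlled` is true only when both the faulting address and at least one saved return address consist of the same repeated printable byte, which is the signature the advisory's bucket id names.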