Отправить #8380: BACKDOOR.WIN32.KETCH.H / Remote Stack Buffer Overflow (SEH)Информация

Название	BACKDOOR.WIN32.KETCH.H / Remote Stack Buffer Overflow (SEH)
Описание	Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/63c55ad21e0771c7f9ca71ec3bfcea0f.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.Ketch.h Vulnerability: Remote Stack Buffer Overflow (SEH) Description: Ketch makes HTTP request to port 80 for a file named script.dat, after process the server response of 1,612 bytes or more it triggers an SEH buffer overflow. Our exploit pattern "AAAAAAAAA" will get XOR'd with the value 30 and convert it to 71717171 instead of 41414141, so use "q" for exploit pattern 41414141. This happens because it first gets converted to lowercase and is then XOR'd with value 30. The character "A" becomes "q" 71 so it is difficult to control chars. Therefore, if we want to see the typical 41414141 exploit pattern use lowercase "q" character. Then when 71 (q) gets XOR with 30 it will become \x41 (A). Type: PE32 MD5: 63c55ad21e0771c7f9ca71ec3bfcea0f Vuln ID: MVID-2021-0101 Dropped files: ASLR: False DEP: False Safe SEH: True Disclosure: 02/19/2021 Memory Dump: 0:000> !exchain 0019f1c0: ntdll!_except_handler4+0 (77116a50) CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (771557ad) 0019f808: Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+36370 (00436370) 0019fe20: 41414141 Invalid exception stack at 41414141 0:000> .ecxr eax=00000041 ebx=02961e4c ecx=02964285 edx=001a0000 esi=0000064f edi=02963ca0 eip=004050f9 esp=0019f7bc ebp=0019f954 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+0x50f9: 004050f9 8802 mov byte ptr [edx],al ds:002b:001a0000=41 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+50f9 004050f9 8802 mov byte ptr [edx],al EXCEPTION_RECORD: 0019f30c -- (.exr 0x19f30c) ExceptionAddress: 004050f9 (Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+0x000050f9) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000008 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: Backdoor.Win32.Ketch.h.63c55ad21e0771c7f9ca71ec3bfcea0f.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 00000015 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 CONTEXT: 0019f35c -- (.cxr 0x19f35c) eax=00000041 ebx=02961e4c ecx=02964285 edx=001a0000 esi=0000064f edi=02963ca0 eip=004050f9 esp=0019f7bc ebp=0019f954 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+0x50f9: 004050f9 8802 mov byte ptr [edx],al ds:002b:001a0000=41 Resetting default scope WRITE_ADDRESS: 001a0000 FOLLOWUP_IP: Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+50f9 004050f9 8802 mov byte ptr [edx],al FAULTING_THREAD: 00000c80 BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE IP_ON_HEAP: 02962ff0 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. FRAME_ONE_INVALID: 1 LAST_CONTROL_TRANSFER: from 02962ff0 to 004050f9 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0019f954 02962ff0 0019fb28 770e2abf 770e334d Backdoor_Win32_Ketch_h_63c55ad21e0771c7f9ca71ec3bfcea0f+0x50f9 0019f95c 770e2abf 770e334d 0000064c 0000064f 0x2962ff0 0019fb28 41414141 41414141 41414141 41414141 ntdll!RtlpAllocateHeap+0xcf 0019fb3c 41414141 41414141 41414141 41414141 0x41414141 0019fb40 41414141 41414141 41414141 41414141 0x41414141 0019fb44 41414141 41414141 41414141 41414141 0x41414141 0019fb48 41414141 41414141 41414141 41414141 0x41414141 0019fb4c 41414141 41414141 41414141 41414141 0x41414141 0019fb50 41414141 41414141 41414141 41414141 0x41414141 0019fb54 41414141 41414141 41414141 41414141 0x41414141 0019fb58 41414141 41414141 41414141 41414141 0x41414141 0019fb5c 41414141 41414141 41414141 41414141 0x41414141 0019fb60 41414141 41414141 41414141 41414141 0x41414141 0019fb64 41414141 41414141 41414141 41414141 0x41414141 0019fb68 41414141 41414141 41414141 41414141 0x41414141 0019fb6c 41414141 41414141 41414141 41414141 0x41414141 0019fb70 41414141 41414141 41414141 41414141 0x41414141 0019fb74 41414141 41414141 41414141 41414141 0x41414141 0019fb78 41414141 41414141 41414141 41414141 0x41414141 0019fb7c 41414141 41414141 41414141 41414141 0x41414141 0019fb80 41414141 41414141 41414141 41414141 0x41414141 0019fb84 41414141 41414141 41414141 41414141 0x41414141 0019fb88 41414141 41414141 41414141 41414141 0x41414141 0019fb8c 41414141 41414141 41414141 41414141 0x41414141 0019fb90 41414141 41414141 41414141 41414141 0x41414141 0019fb94 41414141 41414141 41414141 41414141 0x41414141 0019fb98 41414141 41414141 41414141 41414141 0x41414141 0019fb9c 41414141 41414141 41414141 41414141 0x41414141 0019fba0 41414141 41414141 41414141 41414141 0x41414141 0019fba4 41414141 41414141 41414141 41414141 0x41414141 0019fba8 41414141 41414141 41414141 41414141 0x41414141 0019fbac 41414141 41414141 41414141 41414141 0x41414141 0019fbb0 41414141 41414141 41414141 41414141 0x41414141 0019fbb4 41414141 41414141 41414141 41414141 0x41414141 0019fbb8 41414141 41414141 41414141 41414141 0x41414141 0019fbbc 41414141 41414141 41414141 41414141 0x41414141 0019fbc0 41414141 41414141 41414141 41414141 0x41414141 0019fbc4 41414141 41414141 41414141 41414141 0x41414141 0019fbc8 41414141 41414141 41414141 41414141 0x41414141 0019fbcc 41414141 41414141 41414141 41414141 0x41414141 0019fbd0 41414141 41414141 41414141 41414141 0x41414141 0019fbd4 41414141 41414141 41414141 41414141 0x41414141 0019fbd8 41414141 41414141 41414141 41414141 0x41414141 0019fbdc 41414141 41414141 41414141 41414141 0x41414141 0019fbe0 41414141 41414141 41414141 41414141 0x41414141 0019fbe4 41414141 41414141 41414141 41414141 0x41414141 0019fbe8 41414141 41414141 41414141 41414141 0x41414141 0019fbec 41414141 41414141 41414141 41414141 0x41414141 0019fbf0 41414141 41414141 41414141 41414141 0x41414141 0019fbf4 41414141 41414141 41414141 41414141 0x41414141 0019fbf8 41414141 41414141 41414141 41414141 0x41414141 0019fbfc 41414141 41414141 41414141 41414141 0x41414141 0019fc00 41414141 41414141 41414141 41414141 0x41414141 0019fc04 41414141 41414141 41414141 41414141 0x41414141 0019fc08 41414141 41414141 41414141 41414141 0x41414141 0019fc0c 41414141 41414141 41414141 41414141 0x41414141 0019fc10 41414141 41414141 41414141 41414141 0x41414141 0019fc14 41414141 41414141 41414141 41414141 0x41414141 0019fc18 41414141 41414141 41414141 41414141 0x41414141 0019fc1c 41414141 41414141 41414141 41414141 0x41414141 0019fc20 41414141 41414141 41414141 41414141 0x41414141 0019fc24 41414141 41414141 41414141 41414141 0x41414141 0019fc28 41414141 41414141 41414141 41414141 0x41414141 0019fc2c 41414141 41414141 41414141 41414141 0x41414141 0019fc30 41414141 41414141 41414141 41414141 0x41414141 0019fc34 41414141 41414141 41414141 41414141 0x41414141 0019fc38 41414141 41414141 41414141 41414141 0x41414141 0019fc3c 41414141 41414141 41414141 41414141 0x41414141 0019fc40 41414141 41414141 41414141 41414141 0x41414141 0019fc44 41414141 41414141 41414141 41414141 0x41414141 0019fc48 41414141 41414141 41414141 41414141 0x41414141 0019fc4c 41414141 41414141 41414141 41414141 0x41414141 0019fc50 41414141 41414141 41414141 41414141 0x41414141 0019fc54 41414141 41414141 41414141 41414141 0x41414141 0019fc58 41414141 41414141 41414141 41414141 0x41414141 0019fc5c 41414141 41414141 41414141 41414141 0x41414141 0019fc60 41414141 41414141 41414141 41414141 0x41414141 0019fc64 41414141 41414141 41414141 41414141 0x41414141 0019fc68 41414141 41414141 41414141 41414141 0x41414141 0019fc6c 41414141 41414141 41414141 41414141 0x41414141 0019fc70 41414141 41414141 41414141 41414141 0x41414141 0019fc74 41414141 41414141 41414141 41414141 0x41414141 0019fc78 41414141 41414141 41414141 41414141 0x41414141 0019fc7c 41414141 41414141 41414141 41414141 0x41414141 0019fc80 41414141 41414141 41414141 41414141 0x41414141 0019fc84 41414141 41414141 41414141 41414141 0x41414141 0019fc88 41414141 41414141 41414141 41414141 0x41414141 0019fc8c 41414141 41414141 41414141 41414141 0x41414141 0019fc90 41414141 41414141 41414141 41414141 0x41414141 0019fc94 41414141 41414141 41414141 41414141 0x41414141 0019fc98 41414141 41414141 41414141 41414141 0x41414141 0019fc9c 41414141 41414141 41414141 41414141 0x41414141 0019fca0 41414141 41414141 41414141 41414141 0x41414141 0019fca4 41414141 41414141 41414141 41414141 0x41414141 0019fca8 41414141 41414141 41414141 41414141 0x4
Источник	⚠️ https://www.malvuln.com/advisory/63c55ad21e0771c7f9ca71ec3bfcea0f.txt
Пользователь	malvuln (UID 14984)
Представление	25.02.2021 23:28 (5 лет назад)
Модерация	26.02.2021 08:07 (9 hours later)
Статус	принято
Запись VulDB	170420 [Backdoor.Win32.Ketch.h Web Server повреждение памяти]
Баллы	20

◂ Предыдущий Обзор Далее ▸

Want to know what is going to be exploited?

We predict KEV entries!