Submit #13722: Backdoor.Win32.Delf.acz / Remote Stack Buffer Overflow - SEH

Title: Backdoor.Win32.Delf.acz / Remote Stack Buffer Overflow - SEH
Description:
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/065d89c63fa1057de98c727d4b044b98.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Delf.acz
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware listens on TCP ports 6060, 6161, 6262, 6363, 6464, 6565, 6767, 6868, 6969, 7070, 7171, 7373. Attackers who can reach the infected system can send a specially crafted packet to TCP port 6262 and trigger a stack buffer overflow, overwriting the ECX register and the structured exception handler (SEH).
Type: PE32
MD5: 065d89c63fa1057de98c727d4b044b98
Vuln ID: MVID-2021-0236
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 06/01/2021

Memory Dump:
(11e0.f0): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=77229d70 esi=000a1870 edi=000a1d34
eip=7720e916 esp=000a17b8 ebp=000a1858 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!ZwQueryInformationProcess+0x26:
7720e916 c21400 ret 14h
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
FAULTING_IP:
Backdoor_Win32_Delf_acz_065d89c63fa1057de98c727d4b044b98+93c5
004093c5 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
EXCEPTION_RECORD: 0019efa4 -- (.exr 0x19efa4)
ExceptionAddress: 004093c5 (Backdoor_Win32_Delf_acz_065d89c63fa1057de98c727d4b044b98+0x000093c5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000
PROCESS_NAME: Backdoor.Win32.Delf.acz.065d89c63fa1057de98c727d4b044b98.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 000a0fe8
WRITE_ADDRESS: 000a0fe8
FOLLOWUP_IP:
Backdoor_Win32_Delf_acz_065d89c63fa1057de98c727d4b044b98+93c5
004093c5 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
FAILED_INSTRUCTION_ADDRESS:
+93c5
41414141 ?? ???
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: 0019eff4 -- (.cxr 0x19eff4)
eax=0019f400 ebx=00002a05 ecx=000007a3 edx=0019f486 esi=0418f194 edi=0019fffe
eip=004093c5 esp=0019f454 ebp=0019f470 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Backdoor_Win32_Delf_acz_065d89c63fa1057de98c727d4b044b98+0x93c5:
004093c5 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
FAULTING_THREAD: ffffffff
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_WRONG_SYMBOLS_EXPLOITABLE_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 0046c5bf to 004093c5
IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded.
IP_IN_FREE_BLOCK: 41414141
STACK_TEXT:
0019f454 004093c5 backdoor_win32_delf_acz+0x93c5
0019f478 0046c5bf backdoor_win32_delf_acz+0x6c5bf
[remaining stack frames are the 41414141 fill pattern: unknown!printable+0x0, repeated]
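As an added example, not part of the Malvuln advisory or the VulDB record: a Python triage helper that parses Windows "netstat -ano" output and flags processes bound to several of the listener ports the advisory attributes to Backdoor.Win32.Delf.acz. The netstat lines and PIDs are constructed, and the min_overlap threshold is an assumed value chosen so that a single shared port such as 7070 is not flagged on its own.

```python
# Added triage helper (not from the advisory or VulDB): find PIDs whose TCP
# listeners overlap the port set the advisory attributes to Delf.acz.
from collections import defaultdict

# Listener ports named in the advisory.
DELF_ACZ_PORTS = frozenset({6060, 6161, 6262, 6363, 6464, 6565,
                            6767, 6868, 6969, 7070, 7171, 7373})

# Constructed sample of `netstat -ano` output; PIDs are invented.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:6060           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:6161           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:6262           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:6363           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:7373           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:6262      192.168.1.55:51234     ESTABLISHED     4120
  TCP    0.0.0.0:7070           0.0.0.0:0              LISTENING       2288
  UDP    0.0.0.0:6262           *:*                                    1460
"""

def parse_listeners(netstat_text):
    """Return {pid: set(ports)} for TCP sockets in LISTENING state."""
    listeners = defaultdict(set)
    for line in netstat_text.splitlines():
        parts = line.split()
        # Header, UDP rows (4 columns) and non-listening sockets are skipped.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # Local address is host:port; rsplit also handles [::]:port literals.
        port = int(parts[1].rsplit(":", 1)[1])
        listeners[int(parts[4])].add(port)
    return dict(listeners)

def flag_delf_acz(netstat_text, min_overlap=3):
    """Return {pid: sorted matching ports} for PIDs bound to at least
    min_overlap of the advisory's ports (assumed threshold)."""
    hits = {}
    for pid, ports in parse_listeners(netstat_text).items():
        overlap = ports & DELF_ACZ_PORTS
        if len(overlap) >= min_overlap:
            hits[pid] = sorted(overlap)
    return hits

if __name__ == "__main__":
    for pid, ports in flag_delf_acz(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on Delf.acz ports {ports}")
```

On a live host, feed the function the captured output of "netstat -ano" and inspect any flagged PID's image path before acting on it.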
Source: https://www.malvuln.com/advisory/065d89c63fa1057de98c727d4b044b98.txt
User: malvuln (UID 14984)
Submission: 06/02/2021 05:00 (5 years ago)
Moderation: 06/02/2021 05:24 (24 minutes later)
Status: Accepted
VulDB entry: 176119 [Backdoor.Win32.Delf.acz Service Port 6060 stack-based overflow]
Points: 20
