Submission #7590: BACKDOOR.WIN32.APHEXDOOR.LITESOCK / Remote Stack Buffer Overflow
Information

Title: BACKDOOR.WIN32.APHEXDOOR.LITESOCK / Remote Stack Buffer Overflow
Description:

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/a8bb1744bedf43849ed808b7dfa32da4.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Aphexdoor.LiteSock
Vulnerability: Remote Stack Buffer Overflow

Description: Aphexdoor.LiteSock drops an extensionless executable named "moo" in the Windows directory and listens on TCP ports 113 and 1415. Sending a specially crafted packet to port 1415 triggers a classic stack buffer overflow that overwrites the SEH chain.

Reading the dump below: !analyze buckets the crash as BAD_INSTRUCTION_PTR with the 0x41414141 fill pattern, EIP = 0x48272057 is in no loaded module, and the DWORDs on the stack at the fault are printable bytes of the request (EIP itself decodes to the ASCII "W 'H"), followed by the 0x41 fill. The primitive actually captured is therefore an overwritten return address being executed directly, which is why the crash is exploitable even though the module is linked with SafeSEH (a handler pointer overwritten with 0x41414141 would be rejected by the dispatcher); with ASLR and DEP both off for this binary, neither mitigation gets in the way. The long !exchain listing at the end, with frames every 0x5b0 bytes all registered by ntdll!ExecuteHandler2, is consistent with the exception dispatcher re-entering itself repeatedly after the corrupted frame until the thread runs out of stack (the final write fault at 02d50fe8 sits just below the lowest of those frames); it is a consequence of the same overflow, not a second bug.

Type: PE32
MD5: a8bb1744bedf43849ed808b7dfa32da4
Vuln ID: MVID-2021-0082
Dropped files: moo

ASLR: False
DEP: False
Safe SEH: True

Disclosure: 02/09/2021

Memory Dump:

(dc.c18): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=77129d70 esi=02d51848 edi=02d51d0c
eip=7710e916 esp=02d51790 ebp=02d51830 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
ntdll!ZwQueryInformationProcess+0x26:
7710e916 c21400          ret     14h

0:004> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for moo
*** ERROR: Module load completed but symbols could not be loaded for moo
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
+1141
48272057 ??              ???

EXCEPTION_RECORD:  02e4fadc -- (.exr 0x2e4fadc)
ExceptionAddress: 48272057
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 48272057
Attempt to read from address 48272057

PROCESS_NAME:  moo

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  02d50fe8

WRITE_ADDRESS:  02d50fe8

FOLLOWUP_IP:
moo+1141
00401141 8d85f0feffff    lea     eax,[ebp-110h]

FAILED_INSTRUCTION_ADDRESS:
+1141
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  02e4fb2c -- (.cxr 0x2e4fb2c)
eax=00000001 ebx=000001c0 ecx=819b7373 edx=00000001 esi=004011a8 edi=004011a8
eip=48272057 esp=02e4ff8c ebp=413a4e34 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
48272057 ??              ???
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 39312720 to 48272057

IP_ON_HEAP:  39312720
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 39312720

FRAME_ONE_INVALID: 1

STACK_TEXT:
02e4ff8c 48272057 unknown!printable+0x0
02e4ff90 39312720 unknown!printable+0x0
02e4ff94 36312e32 unknown!printable+0x0
02e4ff98 38382e38 unknown!printable+0x0
02e4ff9c 3832312e unknown!printable+0x0
02e4ffa0 585c0a0d unknown!unknown+0x0
02e4ffa4 7165522d unknown!printable+0x0
02e4ffa8 74736575 unknown!printable+0x0
02e4ffac 3a44492d unknown!printable+0x0
02e4ffb0 41414120 unknown!printable+0x0
02e4ffb4 41414141 unknown!printable+0x0
02e4ffb8 41414141 unknown!printable+0x0
02e4ffbc 41414141 unknown!printable+0x0
02e4ffc0 41414141 unknown!printable+0x0
02e4ffc4 41414141 unknown!printable+0x0
02e4ffc8 41414141 unknown!printable+0x0
02e4ffcc 41414141 unknown!printable+0x0
02e4ffd0 41414141 unknown!printable+0x0
02e4ffd4 41414141 unknown!printable+0x0
02e4ffd8 41414141 unknown!printable+0x0
02e4ffdc 41414141 unknown!printable+0x0
02e4ffe0 41414141 unknown!printable+0x0
02e4ffe4 41414141 unknown!printable+0x0
02e4ffe8 41414141 unknown!printable+0x0
02e4ffec 41414141 unknown!printable+0x0
02e4fff0 41414141 unknown!printable+0x0
02e4fff4 41414141 unknown!printable+0x0
02e4fff8 00401141 moo+0x1141

STACK_COMMAND:  .cxr 0000000002E4FB2C ; kb ; dds 2e4ff8c ; kb

SYMBOL_STACK_INDEX:  1b

SYMBOL_NAME:  moo+1141

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: moo

IMAGE_NAME:  moo

DEBUG_FLR_IMAGE_TIMESTAMP:  3da2c58a

FAILURE_BUCKET_ID:  STACK_OVERFLOW_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_moo!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_moo+1141

---------

0:004> !exchain
02d5175c: ntdll!ExecuteHandler2+44 (77129d70)
02d51d0c: ntdll!ExecuteHandler2+44 (77129d70)
02d522bc: ntdll!ExecuteHandler2+44 (77129d70)
02d5286c: ntdll!ExecuteHandler2+44 (77129d70)
02d52e1c: ntdll!ExecuteHandler2+44 (77129d70)
02d533cc: ntdll!ExecuteHandler2+44 (77129d70)
02d5397c: ntdll!ExecuteHandler2+44 (77129d70)
02d53f2c: ntdll!ExecuteHandler2+44 (77129d70)
02d544dc: ntdll!ExecuteHandler2+44 (77129d70)
02d54a8c: ntdll!ExecuteHandler2+44 (77129d70)
02d5503c: ntdll!ExecuteHandler2+44 (77129d70)
02d555ec: ntdll!ExecuteHandler2+44 (77129d70)
02d55b9c: ntdll!ExecuteHandler2+44 (77129d70)
02d5614c: ntdll!ExecuteHandler2+44 (77129d70)
02d566fc: ntdll!ExecuteHandler2+44 (77129d70)
02d56cac: ntdll!ExecuteHandler2+44 (77129d70)
02d5725c: ntdll!ExecuteHandler2+44 (77129d70)
02d5780c: ntdll!ExecuteHandler2+44 (77129d70)
02d57dbc: ntdll!ExecuteHandler2+44 (77129d70)
02d5836c: ntdll!ExecuteHandler2+44 (77129d70)
02d5891c: ntdll!ExecuteHandler2+44 (77129d70)
02d58ecc: ntdll!ExecuteHandler2+44 (77129d70)
02d5947c: ntdll!ExecuteHandler2+44 (77129d70)
02d59a2c: ntdll!ExecuteHandler2+44 (77129d70)
02d59fdc: ntdll!ExecuteHandler2+44 (77129d70)
02d5a58c: ntdll!ExecuteHandler2+44 (77129d70)
02d5ab3c: ntdll!ExecuteHandler2+44 (77129d70)
02d5b0ec: ntdll!ExecuteHandler2+44 (77129d70)
02d5b69c: ntdll!ExecuteHandler2+44 (77129d70)
02d5bc4c: ntdll!ExecuteHandler2+44 (77129d70)
02d5c1fc: ntdll!ExecuteHandler2+44 (77129d70)
02d5c7ac: ntdll!ExecuteHandler2+44 (77129d70)
02d5cd5c: ntdll!ExecuteHandler2+44 (77129d70)
02d5d30c: ntdll!ExecuteHandler2+44 (77129d70)
02d5d8bc: ntdll!ExecuteHandler2+44 (77129d70)
02d5de6c: ntdll!ExecuteHandler2+44 (77129d70)
02d5e41c: ntdll!ExecuteHandler2+44 (77129d70)
02d5e9cc: ntdll!ExecuteHandler2+44 (77129d70)
02d5ef7c: ntdll!ExecuteHandler2+44 (77129d70)
02d5f52c: ntdll!ExecuteHandler2+44 (77129d70)
02d5fadc: ntdll!ExecuteHandler2+44 (77129d70)
02d6008c: ntdll!ExecuteHandler2+44 (77129d70)
02d6063c: ntdll!ExecuteHandler2+44 (77129d70)
02d60bec: ntdll!ExecuteHandler2+44 (77129d70)
02d6119c: ntdll!ExecuteHandler2+44 (77129d70)
02d6174c: ntdll!ExecuteHandler2+44 (77129d70)
02d61cfc: ntdll!ExecuteHandler2+44 (77129d70)
02d622ac: ntdll!ExecuteHandler2+44 (77129d70)
02d6285c: ntdll!ExecuteHandler2+44 (77129d70)
02d62e0c: ntdll!ExecuteHandler2+44 (77129d70)
02d633bc: ntdll!ExecuteHandler2+44 (77129d70)
02d6396c: ntdll!ExecuteHandler2+44 (77129d70)
02d63f1c: ntdll!ExecuteHandler2+44 (77129d70)
02d644cc: ntdll!ExecuteHandler2+44 (77129d70)
02d64a7c: ntdll!ExecuteHandler2+44 (77129d70)
02d6502c: ntdll!ExecuteHandler2+44 (77129d70)
02d655dc: ntdll!ExecuteHandler2+44 (77129d70)
02d65b8c: ntdll!ExecuteHandler2+44 (77129d70)
02d6613c: ntdll!ExecuteHandler2+44 (77129d70)
02d666ec: ntdll!ExecuteHandler2+44 (77129d70)
02d66c9c: ntdll!ExecuteHandler2+44 (77129d70)
02d6724c: ntdll!ExecuteHandler2+44 (77129d70)
02d677fc: ntdll!ExecuteHandler2+44 (77129d70)
02d67dac: ntdll!ExecuteHandler2+44 (77129d70)
02d6835c: ntdll!ExecuteHandler2+44 (77129d70)
02d6890c: ntdll!ExecuteHandler2+44 (77129d70)
02d68ebc: ntdll!ExecuteHandler2+44 (77129d70)
02d6946c: ntdll!ExecuteHandler2+44 (77129d70)
02d69a1c: ntdll!ExecuteHandler2+44 (77129d70)
02d69fcc: ntdll!ExecuteHandler2+44 (77129d70)
02d6a57c: ntdll!ExecuteHandler2+44 (77129d70)
02d6ab2c: ntdll!ExecuteHandler2+44 (77129d70)
02d6b0dc: ntdll!ExecuteHandler2+44 (77129d70)
02d6b68c: ntdll!ExecuteHandler2+44 (77129d70)
02d6bc3c: ntdll!ExecuteHandler2+44 (77129d70)
02d6c1ec: ntdll!ExecuteHandler2+44 (77129d70)
02d6c79c: ntdll!ExecuteHandler2+44 (77129d70)
02d6cd4c: ntdll!ExecuteHandler2+44 (77129d70)
02d6d2fc: ntdll!ExecuteHandler2+44 (77129d70)
02d6d8ac: ntdll!ExecuteHandler2+44 (77129d70)
02d6de5c: ntdll!ExecuteHandler2+44 (77129d70)
02d6e40c: ntdll!ExecuteHandler2+44 (77129d70)
02d6e9bc: ntdll!ExecuteHandler2+44 (77129d70)
02d6ef6c: ntdll!ExecuteHandler2+44 (77129d70)
02d6f51c: ntdll!ExecuteHandler2+44 (77129d70)
02d6facc: ntdll!ExecuteHandler2+44 (77129d70)
02d7007c: ntdll!ExecuteHandler2+44 (77129d70)
02d7062c: ntdll!ExecuteHandler2+44 (77129d70)
02d70bdc: ntdll!ExecuteHandler2+44 (77129d70)
02d7118c: ntdll!ExecuteHandler2+44 (77129d70)
02d7173c: ntdll!ExecuteHandler2+44 (77129d70)
02d71cec: ntdll!ExecuteHandler2+44 (77129d70)
02d7229c: ntdll!ExecuteHandler2+44 (77129d70)
02d7284c: ntdll!ExecuteHandler2+44 (77129d70)
02d72dfc: ntdll!ExecuteHandler2+44 (77129d70)
02d733ac: ntdll!ExecuteHandler2+44 (77129d70)
02d7395c: ntdll!ExecuteHandler2+44 (77129d70)
02d73f0c: ntdll!ExecuteHandler2+44 (77129d70)
02d744bc: ntdll!ExecuteHandler2+44 (77129d70)
02d74a6c: ntdll!ExecuteHandler2+44 (77129d70)
02d7501c: ntdll!ExecuteHandler2+44 (77129d70)
02d755cc: ntdll!ExecuteHan
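Added triage example, written for this page and not part of the Malvuln advisory or the VulDB entry: a Python script that turns the indicators above into checks a responder can run. It parses Windows `netstat -ano` output for listeners on TCP 113 and 1415, looks for the extensionless "moo" in the Windows directory and compares its MD5 with the advisory's hash, and reassembles the STACK_TEXT DWORDs into the bytes they form in memory, which shows that what sits at the fault is request text followed by the 0x41 fill. The netstat sample is constructed, and all function names are my own.

```python
import hashlib
import os
import struct

# Indicators taken from the advisory above.
IOC_MD5 = "a8bb1744bedf43849ed808b7dfa32da4"
IOC_PORTS = {113, 1415}
IOC_DROPPED_NAME = "moo"

# DWORDs copied from the STACK_TEXT section of the advisory, EIP first.
STACK_TEXT_DWORDS = [
    0x48272057, 0x39312720, 0x36312e32, 0x38382e38, 0x3832312e, 0x585c0a0d,
    0x7165522d, 0x74736575, 0x3a44492d, 0x41414120, 0x41414141,
]

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = (
    "  Proto  Local Address          Foreign Address        State           PID\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900\n"
    "  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       4120\n"
    "  TCP    0.0.0.0:1415           0.0.0.0:0              LISTENING       4120\n"
    "  TCP    192.168.88.5:49700     192.168.88.1:443       ESTABLISHED     2212\n"
)


def parse_netstat_listeners(netstat_text):
    """Return {local_port: pid} for every TCP socket in LISTENING state.
    Both the IPv4 form (0.0.0.0:1415) and the IPv6 form ([::]:1415) end in
    ':<port>', so the port is taken from after the last colon."""
    listeners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        listeners[port] = int(parts[4])
    return listeners


def suspicious_listeners(netstat_text):
    """Subset of listeners on the ports the backdoor binds (113 and 1415)."""
    found = parse_netstat_listeners(netstat_text)
    return {port: pid for port, pid in found.items() if port in IOC_PORTS}


def file_md5(path):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_dropped_file(windows_dir):
    """Look for the extensionless 'moo' in the given Windows directory.
    Returns (exists, md5_matches_advisory). A present file whose hash differs
    still deserves a look: name and location are the indicator, the hash
    pins one specific sample."""
    path = os.path.join(windows_dir, IOC_DROPPED_NAME)
    if not os.path.isfile(path):
        return (False, False)
    return (True, file_md5(path) == IOC_MD5)


def decode_stack_words(dwords):
    """Reassemble little-endian DWORDs as WinDbg prints them in STACK_TEXT
    into the byte string they form in memory, to see what the overflow wrote."""
    return b"".join(struct.pack("<I", word) for word in dwords)


if __name__ == "__main__":
    print("listeners on backdoor ports:", suspicious_listeners(SAMPLE_NETSTAT))
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    print("dropped file (exists, hash matches):", check_dropped_file(windir))
    print("bytes on the stack at the fault:", decode_stack_words(STACK_TEXT_DWORDS))
```

On a live host, replace SAMPLE_NETSTAT with the output of `netstat -ano` and the script reports the PID behind the two ports; the decoded stack bytes read as the tail of the request text, with EIP itself made of four of its printable characters, so the instruction pointer came straight out of the attacker-controlled buffer.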
Source: https://www.malvuln.com/advisory/a8bb1744bedf43849ed808b7dfa32da4.txt
User: malvuln (UID 14984)
Submitted: 10/02/2021 06:24 (5 years ago)
Moderated: 10/02/2021 12:42 (6 hours later)
Status: accepted
VulDB entry: 169661 [Backdoor.Win32.Aphexdoor.LiteSock Service Port 113 moo buffer overflow]
Points: 20
