Title | EMAIL-WORM.WIN32.AGENT.GI / Remote Stack Buffer Overflow - (UDP Datagram) |
---|
Description | Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/74e65773735f977185f6a09f1472ea46.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Email-Worm.Win32.Agent.gi
Vulnerability: Remote Stack Buffer Overflow - (UDP Datagram)
Description: Creates a service "Microsoft ASPI Manager" and listens on TCP ports 80 and 81 and on UDP port 53. The service process is a dropped executable named aspimgr.exe that runs with SYSTEM integrity. Third-party attackers can send 332 bytes to UDP port 53 to overwrite the instruction pointer (EIP) and possibly gain SYSTEM privileges.
The exploit PoC uses the typical 41414141 ("A") fill pattern and 52525252 ("R") for the EIP overwrite.
Type: PE32
MD5: 74e65773735f977185f6a09f1472ea46
Vuln ID: MVID-2021-0036
Dropped files: aspimgr.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/18/2021
Memory Dump:
(1a78.e44): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=52525252 edx=773e9d70 esi=00000000 edi=00000000
eip=52525252 esp=03291450 ebp=03291470 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
52525252 ?? ???
0:007> !exchain |
---|
Source | https://www.malvuln.com/advisory/74e65773735f977185f6a09f1472ea46.txt |
---|
User | malvuln (ID 14984) |
---|
Submission | 2021-01-18 21:08 |
---|
Moderation | 2021-01-19 07:09 (10 hours later) |
---|
Status | Accepted |
---|
VulDB Entry | 168079 |
---|