{"id":37586,"date":"2023-02-14T19:10:06","date_gmt":"2023-02-14T16:10:06","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170981\/xworm21-dos.txt"},"modified":"2023-02-15T09:35:29","modified_gmt":"2023-02-15T06:05:29","slug":"xworm-trojan-2-1-null-pointer-dereference","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/xworm-trojan-2-1-null-pointer-dereference\/","title":{"rendered":"XWorm Trojan 2.1 NULL Pointer Dereference"},"content":{"rendered":"<p># Exploit Author: TOUHAMI KASBAOUI<br \/>\n# Vendor Homepage: https:\/\/blog.cyble.com\/2022\/08\/19\/evilcoder-project-selling-multiple-dangerous-tools-online\/<br \/>\n# Software Link: N\/A<br \/>\n# Version: 2.1<br \/>\n# Tested on: Windows 10<br \/>\n# CVE : N\/A<\/p>\n<p>==================================================================<br \/>\nTHE BUG : NULL pointer dereference -&gt; DOS crash<br \/>\n==================================================================<br \/>\nThe sophisticated XWorm Trojan is actively used by EvilCoder, who bundle features such as ransomware and a keylogger into it to make it more dangerous for victims. 
The Trojan delivered to victims suffers from a NULL pointer dereference vulnerability, which could lead to a denial of service against the threat actor's server builder once its command-and-control IP address and port are obtained.<br \/>\n==================================================================<br \/>\nWINDBG ANALYSIS AFTER SENDING 1000 &#8216;A&#8217; BYTES<br \/>\n==================================================================<br \/>\n(160.b98): Access violation &#8211; code c0000005 (first chance)<br \/>\nFirst chance exceptions are reported before any exception handling.<br \/>\nThis exception may be expected and handled.<br \/>\neax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c<br \/>\neip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0 nv up ei pl zr na pe nc<br \/>\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br \/>\nbuilder!XWorm.Client.isDisconnected+0xa9:<br \/>\n078f5a59 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????<br \/>\n*******************************************************************************<br \/>\n* *<br \/>\n* Exception Analysis *<br \/>\n* *<br \/>\n*******************************************************************************<\/p>\n<p>MethodDesc: 055a86b4<br \/>\nMethod Name: XWorm.Client.isDisconnected()<br \/>\nClass: 09fe9634<br \/>\nMethodTable: 055a86d8<br \/>\nmdToken: 06000730<br \/>\nModule: 01464044<br \/>\nIsJitted: yes<br \/>\nCodeAddr: 078f59b0<br \/>\nTransparency: Critical<br \/>\nMethodDesc: 055a86b4<br \/>\nMethod Name: XWorm.Client.isDisconnected()<br \/>\nClass: 09fe9634<br \/>\nMethodTable: 055a86d8<br \/>\nmdToken: 06000730<br \/>\nModule: 01464044<br \/>\nIsJitted: yes<br \/>\nCodeAddr: 078f59b0<br \/>\nTransparency: Critical<br \/>\nFailed to request MethodData, not in JIT code range<\/p>\n<p>KEY_VALUES_STRING: 1<\/p>\n<p>Key : AV.Dereference<br \/>\nValue: NullPtr<\/p>\n<p>Key : AV.Fault<br \/>\nValue: Read<\/p>\n<p>Key : Analysis.CPU.mSec<br \/>\nValue: 
6406<\/p>\n<p>Key : Analysis.DebugAnalysisManager<br \/>\nValue: Create<\/p>\n<p>Key : Analysis.Elapsed.mSec<br \/>\nValue: 12344<\/p>\n<p>Key : Analysis.IO.Other.Mb<br \/>\nValue: 152<\/p>\n<p>Key : Analysis.IO.Read.Mb<br \/>\nValue: 3<\/p>\n<p>Key : Analysis.IO.Write.Mb<br \/>\nValue: 181<\/p>\n<p>Key : Analysis.Init.CPU.mSec<br \/>\nValue: 48905<\/p>\n<p>Key : Analysis.Init.Elapsed.mSec<br \/>\nValue: 6346579<\/p>\n<p>Key : Analysis.Memory.CommitPeak.Mb<br \/>\nValue: 200<\/p>\n<p>Key : CLR.BuiltBy<br \/>\nValue: NET48REL1LAST_C<\/p>\n<p>Key : CLR.Engine<br \/>\nValue: CLR<\/p>\n<p>Key : CLR.Version<br \/>\nValue: 4.8.4515.0<\/p>\n<p>Key : Timeline.OS.Boot.DeltaSec<br \/>\nValue: 7496<\/p>\n<p>Key : Timeline.Process.Start.DeltaSec<br \/>\nValue: 6371<\/p>\n<p>Key : WER.OS.Branch<br \/>\nValue: vb_release<\/p>\n<p>Key : WER.OS.Timestamp<br \/>\nValue: 2019-12-06T14:06:00Z<\/p>\n<p>Key : WER.OS.Version<br \/>\nValue: 10.0.19041.1<\/p>\n<p>Key : WER.Process.Version<br \/>\nValue: 2.1.0.0<\/p>\n<p>NTGLOBALFLAG: 0<\/p>\n<p>PROCESS_BAM_CURRENT_THROTTLED: 0<\/p>\n<p>PROCESS_BAM_PREVIOUS_THROTTLED: 0<\/p>\n<p>APPLICATION_VERIFIER_FLAGS: 0<\/p>\n<p>EXCEPTION_RECORD: (.exr -1)<br \/>\nExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9)<br \/>\nExceptionCode: c0000005 (Access violation)<br \/>\nExceptionFlags: 00000000<br \/>\nNumberParameters: 2<br \/>\nParameter[0]: 00000000<br \/>\nParameter[1]: 00000000<br \/>\nAttempt to read from address 00000000<\/p>\n<p>FAULTING_THREAD: 00000b98<\/p>\n<p>PROCESS_NAME: builder.exe<\/p>\n<p>READ_ADDRESS: 00000000<\/p>\n<p>ERROR_CODE: (NTSTATUS) 0xc0000005 &#8211; The instruction at 0x%p referenced memory at 0x%p. 
The memory could not be %s.<\/p>\n<p>EXCEPTION_CODE_STR: c0000005<\/p>\n<p>EXCEPTION_PARAMETER1: 00000000<\/p>\n<p>EXCEPTION_PARAMETER2: 00000000<\/p>\n<p>IP_ON_HEAP: 078f5a59<br \/>\nThe fault address in not in any loaded module, please check your build&#8217;s rebase<br \/>\nlog at &lt;releasedir&gt;\\bin\\build_logs\\timebuild\\ntrebase.log for module which may<br \/>\ncontain the address if it were loaded.<\/p>\n<p>STACK_TEXT:<br \/>\n0113e568 73140556 00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9<br \/>\n0113e574 7314373a 0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34<br \/>\n0113e5c8 7321f0d1 c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b<br \/>\n0113e608 7321f1d6 731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55<br \/>\n0113e90c 7212853c 00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838<br \/>\n0113e930 72114a9d 00000000 00000000 00000000 mscorlib_ni!<br \/>\n0113e94c 6e14bf55 00000000 00000000 00000000 mscorlib_ni!<br \/>\n0113e968 6e14be68 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113e990 72118604 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113e9f4 72118537 00000000 00000000 00000000 mscorlib_ni!<br \/>\n0113ea08 721184f4 00000000 00000000 00000000 mscorlib_ni!<br \/>\n0113ea24 6e14bdfa 00000000 00000000 00000000 mscorlib_ni!<br \/>\n0113ea40 6e14bb9a 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113ea80 6e13b07f 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113eacc 6e144931 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113ead8 6e1445f7 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113eaec 6e13af53 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113eaf4 6e13aee5 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113eb08 6e13a820 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113eb58 0146d08e 00000000 00000000 00000000 
System_Windows_Forms_ni!<br \/>\nWARNING: Frame IP not in any known module. Following frames may be wrong.<br \/>\n0113eb8c 7650148b 000606f4 0000c250 00000000 0x146d08e<br \/>\n0113ebb8 764f844a 05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b<br \/>\n0113ec9c 764f61ba 05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a<br \/>\n0113ed10 764f5f80 0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a<br \/>\n0113ed1c 6e19e5ed 0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10<br \/>\n0113ed58 6e14b44f 00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed<br \/>\n0113eddc 6e14b03d 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113ee30 6e14ae93 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113ee5c 014b2694 00000000 00000000 00000000 System_Windows_Forms_ni!<br \/>\n0113ee84 014b2211 00000000 00000000 00000000 0x14b2694<br \/>\n0113eeac 014b1871 00000000 00000000 00000000 0x14b2211<br \/>\n0113eef8 014b08b7 00000000 00000000 00000000 0x14b1871<br \/>\n0113ef28 73140556 00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f<br \/>\n0113ef34 7314373a 0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34<br \/>\n0113ef88 73149adb 00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b<br \/>\n0113eff0 732bff7b 0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a<br \/>\n0113f114 732c065a 0113f158 00000000 c8874096 clr!RunMain+0x1b3<br \/>\n0113f380 732c0587 00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7<br \/>\n0113f864 732c0708 c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef<br \/>\n0113f8bc 732c082e c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c<br \/>\n0113f8fc 732bc235 c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc<br \/>\n0113f938 7398fa84 84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d<br \/>\n0113f970 73a1e81e 73a24330 73980000 0113f998 mscoreei!_CorExeMain+0xd6<br \/>\n0113f980 73a24338 73a24330 
76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e<br \/>\n0113f998 76b600f9 00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8<br \/>\n0113f998 77997bbe 00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19<br \/>\n0113f9f4 77997b8e ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f<br \/>\n0113fa04 00000000 00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b<\/p>\n<p>STACK_COMMAND: ~0s ; .cxr ; kb<\/p>\n<p>SYMBOL_NAME: builder!XWorm.Client.isDisconnected+a9<\/p>\n<p>MODULE_NAME: builder<\/p>\n<p>IMAGE_NAME: builder.exe<\/p>\n<p>FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected<\/p>\n<p>OS_VERSION: 10.0.19041.1<\/p>\n<p>BUILDLAB_STR: vb_release<\/p>\n<p>OSPLATFORM_TYPE: x86<\/p>\n<p>OSNAME: Windows 10<\/p>\n<p>IMAGE_VERSION: 2.1.0.0<\/p>\n<p>FAILURE_ID_HASH: {ab0d02c5-881b-c628-2858-a241c5c41b1f}<\/p>\n<p>Followup: MachineOwner<br \/>\n&#8212;&#8212;&#8212;<\/p>\n<p>TS: Exploitable &#8211; Data from Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Author: TOUHAMI KASBAOUI # Vendor Homepage: https:\/\/blog.cyble.com\/2022\/08\/19\/evilcoder-project-selling-multiple-dangerous-tools-online\/ # Software Link: N\/A# Version: 2.1# Tested on: Windows 10 # CVE : N\/A ================================================================== THE BUG : NULL pointer dereference -&gt; DOS crash ================================================================== The sophisticated XWorm Trojan is well exploited by EvilCoder, where they collect different features such as ransomware and keylogger TAs to 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-37586","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/37586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=37586"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/37586\/revisions"}],"predecessor-version":[{"id":37609,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/37586\/revisions\/37609"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=37586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=37586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=37586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}