exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Trojan.Win32.Agent.xaamkd MVID-2021-0342 Insecure Permissions

Trojan.Win32.Agent.xaamkd MVID-2021-0342 Insecure Permissions
Posted Sep 21, 2021
Authored by malvuln | Site malvuln.com

Trojan.Win32.Agent.xaamkd malware suffers from an insecure permissions vulnerability.

tags | exploit, trojan
systems | windows
SHA-256 | d204a3c1cf0adf45e210469476678fc5b11dd8a9f81bee78d07ad955d1e522ae

Trojan.Win32.Agent.xaamkd MVID-2021-0342 Insecure Permissions

Change Mirror Download
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/095651e1704b501123b41ea2e9736820.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Agent.xaamkd
Vulnerability: Insecure Permissions
Description: The malware creates an dir with insecure permissions under c:\ drive and grants change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges.
Type: PE32
MD5: 095651e1704b501123b41ea2e9736820
Vuln ID: MVID-2021-0342
Disclosure: 09/20/2021


Exploit/PoC:
C:\>cacls SangClub
C:\SangClub BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\>dir SangClub
Volume in drive C has no label.

Directory of C:\SangClub

03/17/2015 06:08 AM 172,032 AniGIF.ocx
11/06/2009 07:56 AM 34,882 audioplay.swf
01/16/2009 09:06 AM 566,272 bsFileClientSDK.dll
06/24/2018 02:06 AM 177,525 CandleFormation.SS7
06/24/2018 02:06 AM 39,164 CandleFormUsers.SS7
11/02/2007 01:36 AM 1,337,264 Codejock.Controls.v11.2.1.ocx
04/22/2012 10:01 PM 1,931,256 Codejock.Controls.v15.2.1.0423.ocx
07/05/2012 09:28 AM 103 CommInfo.ini
09/17/2021 08:07 PM DIR dat
06/15/2003 09:05 AM 133,632 DWEASY36.OCX
06/15/2003 09:02 AM 115,712 DWSBC36.OCX
10/26/2003 12:02 AM 145,920 DWSHK36.OCX
09/14/2003 04:30 PM 77,824 DWSPY36.dll
04/22/1999 09:50 AM 14,848 dwspy5.dll
10/13/1999 01:00 AM 122,880 dwspyvb6.dll
02/22/2007 05:27 AM 344,064 FLICapture.dll
04/22/2011 11:44 AM 335,872 fmtkit60.dll
08/17/1999 08:54 PM 180,224 ijl11.dll
09/17/2021 08:07 PM DIR Image
07/21/1998 11:00 AM 13,824 INETKO.DLL
05/28/2019 10:02 AM 3,565,736 JetSound.exe
05/28/2019 09:49 AM 751,464 LiveStart.exe
03/08/2004 10:00 AM 132,880 MSINET.OCX
06/01/2011 02:58 AM 27 Regcom.bat
03/22/2009 03:47 AM 10,000 regsvr32.exe
11/16/2016 07:44 AM 515,064 SabuStart.exe
05/28/2019 09:49 AM 128,872 SangCapture.exe
06/22/2019 11:57 PM 12,318,776 SangClub.exe
03/28/2008 12:44 AM 143,360 Sangcomm.dll
05/28/2019 09:50 AM 4,081,512 SangPlayer.exe
05/29/2019 12:27 AM 3,629 ScoreList.SS7
03/17/2015 06:08 AM 77,824 Shape.ocx
02/01/2007 08:51 AM 626,688 SKComdCM.dll
02/01/2007 08:51 AM 53,248 SKComdEM.dll
02/01/2007 08:51 AM 503,808 SKComdIF.dll
02/01/2007 08:51 AM 73,728 SKComdSC.dll
12/26/2006 09:30 PM 65,536 SKCommIC.dll
04/07/2007 05:08 AM 63,120 skcommtm.exe
11/26/2006 08:42 PM 28,672 SKCommWB.exe
09/17/2021 08:07 PM DIR Skins
01/20/2006 02:00 AM 223,232 sqlite3.dll
09/17/2021 08:07 PM DIR Sys
05/28/2019 09:50 AM 4,970,344 VODPlayer.exe
03/21/2006 09:45 PM 292,696 XceedFtp.dll
01/10/2001 04:12 AM 147,456 XecureS.dll
01/05/2017 07:49 PM 237,568 XingAPI.dll
01/02/2017 06:30 AM 28,672 xingAPI4VB.dll
43 File(s) 34,787,210 bytes

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close