Authored by malvuln | Site malvuln.com

Backdoor.Win32.Surila.j malware suffers from a denial of service vulnerability.

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/b1cec4b806c71c82bbd9002bdaf21d1f_C.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Surila.j
Vulnerability: Remote Denial of Service
Description: The malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can logon using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in access violation and crash.
Type: PE32
MD5: b1cec4b806c71c82bbd9002bdaf21d1f
Vuln ID: MVID-2021-0290
Dropped files: iexp1orer.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 07/12/2021

Memory Dump:
(758.c3c): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00000000 edx=0040b5d4 esi=00000003 edi=00000003
eip=77dded3c esp=027ce28c ebp=027ce41c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
77dded3c c21400 ret 14h

0:005> .ecxr
eax=00000000 ebx=000002b4 ecx=00000000 edx=0040b5d4 esi=00404f4d edi=027cf628
eip=0040492e esp=027cebcc ebp=027cebd4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
*** WARNING: Unable to verify checksum for iexp1orer.exe
*** ERROR: Module load completed but symbols could not be loaded for iexp1orer.exe
iexp1orer+0x492e:
0040492e 8801 mov byte ptr [ecx],al ds:002b:00000000=??

0:005> !exchain
027ce40c: KERNELBASE!_except_handler4+0 (74e7fc20)
CRT scope 0, func: KERNELBASE!WaitForMultipleObjectsEx+31e15 (74ea2fe5)
027ce4d4: kernel32!_except_handler4+0 (7765d450)
CRT scope 0, func: kernel32!WerpReportFaultInternal+485 (7764f7db)
027ce598: KERNELBASE!_except_handler4+0 (74e7fc20)
CRT scope 1, filter: KERNELBASE!UnhandledExceptionFilter+2bf (74efd93f)
func: KERNELBASE!UnhandledExceptionFilter+2c5 (74efd945)
027ce62c: ntdll!ExecuteHandler2+44 (77df9d70)
027cffcc: ntdll!_except_handler4+0 (77de6a50)
CRT scope 0, filter: ntdll!__RtlUserThreadStart+3ed68 (77e137b0)
func: ntdll!__RtlUserThreadStart+3edaf (77e137f7)
027cffe4: ntdll!FinalExceptionHandlerPad14+0 (77df9eae)
Invalid exception stack at ffffffff

0:005> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
iexp1orer+492e
0040492e 8801 mov byte ptr [ecx],al

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0040492e (iexp1orer+0x0000492e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

PROCESS_NAME: iexp1orer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
iexp1orer+492e
0040492e 8801 mov byte ptr [ecx],al

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000c3c

BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_WRITE_PROBABLYEXPLOITABLE

PRIMARY_PROBLEM_CLASS: NULL_POINTER_WRITE_PROBABLYEXPLOITABLE

DEFAULT_BUCKET_ID: NULL_POINTER_WRITE_PROBABLYEXPLOITABLE

LAST_CONTROL_TRANSFER: from 00403413 to 0040492e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
027cebd4 00403413 00000000 0040b5d4 00000000 iexp1orer+0x492e
027cebe8 00405385 00000000 0040b5d4 00404f4d iexp1orer+0x3413
027cff80 77608654 000002b4 77608630 4da48a6e iexp1orer+0x5385
027cff94 77dd4a77 000002b4 4925826f 00000000 kernel32!BaseThreadInitThunk+0x24
027cffdc 77dd4a47 ffffffff 77df9eae 00000000 ntdll!__RtlUserThreadStart+0x2f
027cffec 00000000 00404f4d 000002b4 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: ~5s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: iexp1orer+492e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: iexp1orer

IMAGE_NAME: iexp1orer.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41417b55

FAILURE_BUCKET_ID: NULL_POINTER_WRITE_PROBABLYEXPLOITABLE_c0000005_iexp1orer.exe!Unknown

BUCKET_ID: APPLICATION_FAULT_NULL_POINTER_WRITE_PROBABLYEXPLOITABLE_iexp1orer+492e


Exploit/PoC:
from socket import *
import time

MALWARE_HOST="x.x.x.x"
PORT=19427

def chk_res(s):
res=""
while True:
res += s.recv(128)
print(res)
if "