Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68.txt
Contact: malvuln13@gmail.com
Media: twitter.co Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Trojan.Win32.Alien.erf
Vulnerability: Remote Denial of Service
Description: The malware deploys a SMTP server JAOSrv821.exe listening on TCP port 25. Third-party attackers who can reach an infected host can trigger a denial of service by sending a corrupted MAIL FROM: address packet.
Type: PE32
MD5: 57ab194d8c60ee97914eda22e4d71b68
Vuln ID: MVID-2021-0251
ASLR: False
DEP: True
Safe SEH: True
Disclosure: 06/16/2021
Memory Dump:
(a88.190): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=ffffffff edx=032f6f60 esi=00000003 edi=00000003
eip=7725ed3c esp=032f65e4 ebp=032f6774 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!ZwWaitForMultipleObjects+0xc:
7725ed3c c21400 ret 14h
0:005> .ecxr
eax=ffffffff ebx=ffffffff ecx=ffffffff edx=032f6f60 esi=00000001 edi=032f6f60
eip=00eb2bbc esp=032f6f20 ebp=032f70d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
*** ERROR: Module load completed but symbols could not be loaded for JAOSrv821.exe
JAOSrv821+0x2bbc:
00eb2bbc 8a06 mov al,byte ptr [esi] ds:002b:00000001=??
0:005> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
JAOSrv821+2bbc
00eb2bbc 8a06 mov al,byte ptr [esi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00eb2bbc (JAOSrv821+0x00002bbc)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000001
Attempt to read from address 00000001
PROCESS_NAME: JAOSrv821.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000001
READ_ADDRESS: 00000001
FOLLOWUP_IP:
JAOSrv821+2bbc
00eb2bbc 8a06 mov al,byte ptr [esi]
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000190
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_ffffffff
PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE_FILL_PATTERN_ffffffff
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER: from 00eb193b to 00eb2bbc
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
032f70d0 00eb193b 7500e250 00eb1384 00eb12a0 JAOSrv821+0x2bbc
0330f8f4 745b8654 00000234 745b8630 015f4608 JAOSrv821+0x193b
0330f908 77254a77 00000234 2c193258 00000000 kernel32!BaseThreadInitThunk+0x24
0330f950 77254a47 ffffffff 77279edf 00000000 ntdll!__RtlUserThreadStart+0x2f
0330f960 00000000 00eb12a0 00000234 00000000 ntdll!_RtlUserThreadStart+0x1b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: JAOSrv821+2bbc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: JAOSrv821
IMAGE_NAME: JAOSrv821.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 59fb4459
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~5s; .ecxr ; kb
FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_FILL_PATTERN_ffffffff_c0000005_JAOSrv821.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_ffffffff_JAOSrv821+2bbc
Exploit/PoC:
from socket import *
import time
MALWARE_HOST="x.x.x.x"
PORT=25
def chk_res(s):
res=""
while True:
res += s.recv(512)
if "
Trojan.Win32.Alien.erf Denial Of Service
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 116