Vulners
Lucene search
Trojan Poison Ivy 2.3.2 - Critical Null Pointer Vulnerability
🗓️ 08 Aug 2011 00:00:00Reported by Vulnerability Research LaboratoryType 
vulnerlab🔗 www.vulnerability-lab.com👁 14 Views
Document Title:
===============
Trojan Poison Ivy 2.3.2 - Critical Null Pointer Vulnerability
Release Date:
=============
2011-08-08
Vulnerability Laboratory ID (VL-ID):
====================================
113
Product & Service Introduction:
===============================
Poison Ivy is an advanced remote administration tool for Windows (the client is reported to run on WINE or other emulators on
various Linux/UNIX flavors), written in pure assembly (server), and Delphi (client). The server contains no dependencies of any
kind, and runs on 2000/XP/2003/Vista.Since version 2.3.0, the server size is dependent on the settings, which means additional
features (like key logger, etc.), will make the final server larger. Even so, the maximum size of the server is around 7KiB, unpacked.
Being independent code, the server builder can produce PEs, or shellcode(in the form of arrays for C, Delphi, Python, or
raw binary), depending on your needs. The most important features are encrypted communications (256bit Camellia), compressed communications,
full-featuredfile manager, registry manager, key logger, services manager, relay server, process manager, remote audio capture, screen
capture, web cam capture, multiple simultaneous transfers, password manager, and the ability to share servers, based on
privilege levels, and various other things that you will find useful.
Poison Ivy is also special compared to other similar tools, because the server doesn\'t need to be updated, even if new
features are added. Even though the server supports 3rd party plugins, it\'s important to know that all the features not listed in the “Plugins”
section are self-contained in the server, and no additional files are used at any time. The plugins (as well as the server and key logger file)
are stored encrypted in ADS (Alternative Data Stream) on NTFS partitions (they are stored normally on FAT32).
(Copy of the Vendor Homepage: http://www.poisonivy-rat.com/index.php?link=dev/)
Abstract Advisory Information:
==============================
Vulnerability-Lab discovered a Null Pointer dereference vulnerability on Poison Ivy 2.3.2 Trojan/Rat kit.
Vulnerability Disclosure Timeline:
==================================
2011-08-06: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Attackers can crash(AppCrash) or violate(access-violation) the software(Client & later Server) via null pointer write.
A remote attacker can crash the client software with zer0 or negative integer string when generating a server over gernal settings.
Later the corrupt generated file can be used to crash the poison ivy server on an infected system :)
WRITE_ADDRESS to any other Address.
Vulnerable Module(s):
[+] General Seetings
--- Debug Logs ---
0:000> g
(a00.b40): Access violation - code c0000005 (first chance)
eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000
eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
image00400000+0x21107d:
0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=????????
0:000> g
(a00.b40): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000
eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
image00400000+0x21107d:
0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=????????
0:000> !exchain
0018ffc4: +31 (772e041d)
FAULTING_IP:
image00400000+21107d
0061107d 8700 xchg eax,dword ptr [eax]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0061107d (image00400000+0x0021107d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000
FAULTING_THREAD: 00000b40
PROCESS_NAME: image00400000
FAULTING_MODULE: 76a90000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19
MODULE_NAME: image00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
image00400000+21107d
0061107d 8700 xchg eax,dword ptr [eax]
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_WRITE_
PRIMARY_PROBLEM_CLASS: NULL_POINTER_WRITE
DEFAULT_BUCKET_ID: NULL_POINTER_WRITE
LAST_CONTROL_TRANSFER: from 76aa3677 to 0061107d
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0018ff88 76aa3677 7efde000 0018ffd4 772a9d72 image00400000+0x21107d
0018ff94 772a9d72 7efde000 71eae27e 00000000 kernel32!BaseThreadInitThunk+0x12
0018ffd4 772a9d45 00611060 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0018ffec 00000000 00611060 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: image00400000+21107d
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\\Users\\Rem0ve\\Desktop\\PI2.3.2\\Poison Ivy 2.3.2.exe
FAILURE_BUCKET_ID: NULL_POINTER_WRITE_c0000005_C:_Users_Rem0ve_Desktop_PI2.3.2_Poison_Ivy_2.3.2.exe!Unknown
Pictures:
../1.png
../2.png
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers/cleaners. For demonstration or reproduce ...
Manually reproduce ...
1. Open program: Start Client & a generated running Server
2. Run Debugger on both executables
3. After: Switch to General Settings
4. Use an emtpy string on Save Path; Screen-Webcam capture path
5. Generate the server
6. Client crashs but generate the file
7. Start generated file on poison ivy infected server :)
(a00.b40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000
eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x21107d:
0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=????????
0:000> g
(a00.b40): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000
eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
image00400000+0x21107d:
0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=????????
0:000> !exchain
0018ffc4: +31 (772e041d)
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Aug 2011 00:00Current
7.1High risk
Vulners AI Score7.1