bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/51265.txt
Exploit-DB d46ab98863 DB: 2023-04-06 
32 changes to exploits/shellcodes/ghdb

Answerdev 1.0.3 - Account Takeover

D-Link DIR-846 - Remote Command Execution (RCE) vulnerability

Dell EMC Networking PC5500 firmware versions 4.1.0.22 and  Cisco Sx / SMB - Information Disclosure

SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow

ERPNext 12.29 - Cross-Site Scripting (XSS)

Liferay Portal 6.2.5 - Insecure Permissions

GNU screen v4.9.0 - Privilege Escalation

Apache Tomcat 10.1 - Denial Of Service

PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)

BTCPay Server v1.7.4 - HTML Injection.

Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)

Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)

ImageMagick 7.1.0-49 - DoS

bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)

Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)

Calendar Event Multi View  1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)

CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)

Control Web Panel 7 (CWP7) v0.9.8.1147 -  Remote Code Execution (RCE)

Froxlor 2.0.3 Stable - Remote Code Execution (RCE)

ImageMagick 7.1.0-49 - Arbitrary File Read

itech TrainSmart r1044 - SQL injection

Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)

PhotoShow 3.0 - Remote Code Execution

projectSend r1605 - Remote Code Exectution RCE

Responsive FileManager 9.9.5 - Remote Code Execution (RCE)

zstore 6.6.0 - Cross-Site Scripting (XSS)

Binwalk v2.3.2 - Remote Command Execution (RCE)

XWorm Trojan 2.1 - Null Pointer Derefernce DoS

Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)

Linux/x86_64 - bash Shellcode with xor encoding
2023-04-06 00:16:31 +00:00

224 lines
No EOL
8.9 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#Exploit Author: XWorm Trojan 2.1 - Null Pointer Derefernce DoS
# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
# Software Link: N/A# Version: 2.1# Tested on: Windows 10
# CVE : N/A
==================================================================
THE BUG : NULL pointer dereference -> DOS crash
==================================================================
The sophisticated XWorm Trojan is well exploited by EvilCoder, where they collect different features such as ransomware and keylogger TAs to make it more risky for victims. The Trojan assigned to victims suffers from a NULL pointer deference vulnerability, which could lead to a denial of service for the server builder of the threat actor by getting his IP address and port of command and control.
==================================================================
WINDBG ANALYSIS AFTER SENDING 1000 'A' BYTES
==================================================================
(160.b98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c
eip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
builder!XWorm.Client.isDisconnected+0xa9:
078f5a59 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
MethodDesc:   055a86b4
Method Name:  XWorm.Client.isDisconnected()
Class:        09fe9634
MethodTable:  055a86d8
mdToken:      06000730
Module:       01464044
IsJitted:     yes
CodeAddr:     078f59b0
Transparency: Critical
MethodDesc:   055a86b4
Method Name:  XWorm.Client.isDisconnected()
Class:        09fe9634
MethodTable:  055a86d8
mdToken:      06000730
Module:       01464044
IsJitted:     yes
CodeAddr:     078f59b0
Transparency: Critical
Failed to request MethodData, not in JIT code range
KEY_VALUES_STRING: 1
    Key  : AV.Dereference
    Value: NullPtr
    Key  : AV.Fault
    Value: Read
    Key  : Analysis.CPU.mSec
    Value: 6406
    Key  : Analysis.DebugAnalysisManager
    Value: Create
    Key  : Analysis.Elapsed.mSec
    Value: 12344
    Key  : Analysis.IO.Other.Mb
    Value: 152
    Key  : Analysis.IO.Read.Mb
    Value: 3
    Key  : Analysis.IO.Write.Mb
    Value: 181
    Key  : Analysis.Init.CPU.mSec
    Value: 48905
    Key  : Analysis.Init.Elapsed.mSec
    Value: 6346579
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 200
    Key  : CLR.BuiltBy
    Value: NET48REL1LAST_C
    Key  : CLR.Engine
    Value: CLR
    Key  : CLR.Version
    Value: 4.8.4515.0
    Key  : Timeline.OS.Boot.DeltaSec
    Value: 7496
    Key  : Timeline.Process.Start.DeltaSec
    Value: 6371
    Key  : WER.OS.Branch
    Value: vb_release
    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z
    Key  : WER.OS.Version
    Value: 10.0.19041.1
    Key  : WER.Process.Version
    Value: 2.1.0.0
NTGLOBALFLAG:  0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS:  0
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
FAULTING_THREAD:  00000b98
PROCESS_NAME:  builder.exe
READ_ADDRESS:  00000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
IP_ON_HEAP:  078f5a59
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
STACK_TEXT:  
0113e568 73140556     00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9
0113e574 7314373a     0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34
0113e5c8 7321f0d1     c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b
0113e608 7321f1d6     731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55
0113e90c 7212853c     00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838
0113e930 72114a9d     00000000 00000000 00000000 mscorlib_ni!
0113e94c 6e14bf55     00000000 00000000 00000000 mscorlib_ni!
0113e968 6e14be68     00000000 00000000 00000000 System_Windows_Forms_ni!
0113e990 72118604     00000000 00000000 00000000 System_Windows_Forms_ni!
0113e9f4 72118537     00000000 00000000 00000000 mscorlib_ni!
0113ea08 721184f4     00000000 00000000 00000000 mscorlib_ni!
0113ea24 6e14bdfa     00000000 00000000 00000000 mscorlib_ni!
0113ea40 6e14bb9a     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ea80 6e13b07f     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eacc 6e144931     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ead8 6e1445f7     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eaec 6e13af53     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eaf4 6e13aee5     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eb08 6e13a820     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eb58 0146d08e     00000000 00000000 00000000 System_Windows_Forms_ni!
WARNING: Frame IP not in any known module. Following frames may be wrong.
0113eb8c 7650148b     000606f4 0000c250 00000000 0x146d08e
0113ebb8 764f844a     05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b
0113ec9c 764f61ba     05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a
0113ed10 764f5f80     0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a
0113ed1c 6e19e5ed     0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10
0113ed58 6e14b44f     00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed
0113eddc 6e14b03d     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee30 6e14ae93     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee5c 014b2694     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee84 014b2211     00000000 00000000 00000000 0x14b2694
0113eeac 014b1871     00000000 00000000 00000000 0x14b2211
0113eef8 014b08b7     00000000 00000000 00000000 0x14b1871
0113ef28 73140556     00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f
0113ef34 7314373a     0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34
0113ef88 73149adb     00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b
0113eff0 732bff7b     0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a
0113f114 732c065a     0113f158 00000000 c8874096 clr!RunMain+0x1b3
0113f380 732c0587     00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7
0113f864 732c0708     c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
0113f8bc 732c082e     c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c
0113f8fc 732bc235     c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc
0113f938 7398fa84     84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d
0113f970 73a1e81e     73a24330 73980000 0113f998 mscoreei!_CorExeMain+0xd6
0113f980 73a24338     73a24330 76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e
0113f998 76b600f9     00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8
0113f998 77997bbe     00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19
0113f9f4 77997b8e     ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f
0113fa04 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND:  ~0s ; .cxr ; kb
SYMBOL_NAME:  builder!XWorm.Client.isDisconnected+a9
MODULE_NAME: builder
IMAGE_NAME:  builder.exe
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 10
IMAGE_VERSION:  2.1.0.0
FAILURE_ID_HASH:  {ab0d02c5-881b-c628-2858-a241c5c41b1f}
Followup:     MachineOwner
---------
TS: Exploitable - Data from Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a)
Reference in a new issue View git blame Copy permalink