Submit #30951: Backdoor.Win32.Zombam.b / Remote Stack Buffer Overflow

Title: Backdoor.Win32.Zombam.b / Remote Stack Buffer Overflow
Description:
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Zombam.b
Vulnerability: Remote Stack Buffer Overflow
Description: z0mbie's HTTP RAT v0.1a listens on TCP port 80 to display an HTML Web UI for basic remote administration capability. Third-party attackers who can reach an infected system can trigger a buffer overflow overwriting the EBP and EIP registers by sending a specially crafted HTTP request.
Type: PE32
MD5: 1e3665a67201209609ae493a2a590bee
Vuln ID: MVID-2022-0487
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 02/16/2022

Memory Dump:
(148c.dd4): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=9d082a1a edx=00000000 esi=00000003 edi=00000003
eip=7770ed3c esp=0538f194 ebp=0538f324 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
7770ed3c c21400          ret     14h
0:006> .ecxr
eax=00000000 ebx=040202b0 ecx=9d082a1a edx=00000000 esi=0538fb51 edi=04020330
eip=41414141 esp=0538fab4 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
41414141 ??              ???
0:006> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
*** WARNING: Unable to verify checksum for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe

FAULTING_IP:
+3485
41414141 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 41414141
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 41414141
Attempt to read from address 41414141

PROCESS_NAME:  Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  41414141

READ_ADDRESS:  41414141

FOLLOWUP_IP:
Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485
00403485 50              push    eax

FAILED_INSTRUCTION_ADDRESS:
+3485
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  00000dd4

BUGCHECK_STR:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141

IP_ON_HEAP:  41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 41414141 to 41414141

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
Source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee.txt
User: malvuln (UID 14984)
Submission: 17.02.2022 03:56 (4 years ago)
Moderation: 17.02.2022 08:24 (4 hours later)
Status: Accepted
VulDB Entry: 193285 [Backdoor.Win32.Zombam.b Service Port 80 Buffer Overflow]
Points: 20
