| Field | Value |
|---|---|
| Title | Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow |

Description:

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Trojan.Win32.Alien.erf
Vulnerability: Remote Stack Buffer Overflow
Description: The malware deploys a Web server, AM6WebMgr.exe (JAO build 809), listening on TCP port 1789. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by making an HTTP GET request for the "SynchroRes.cgi" URL with a long payload. This overwrites the ECX and EIP registers from the stack.
Type: PE32
MD5: 57ab194d8c60ee97914eda22e4d71b68
Vuln ID: MVID-2021-0252
ASLR: False
DEP: True
Safe SEH: True
Disclosure: 06/16/2021
Memory Dump:

```text
EAX : 00000000
EBX : 00000000
ECX : 41414141
EDX : 77279D70 ntdll.77279D70
EBP : 000A12E0
ESP : 000A12C0
ESI : 00000000
EDI : 00000000
EIP : 41414141
EFLAGS : 00010246
ZF : 1
OF : 0 am6webmgr.4FCF00
(1b74.1b40): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000
eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> .ecxr
eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000
eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
*** ERROR: Module load completed but symbols could not be loaded for AM6WebMgr.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for JAONPServ.dll -
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
AM6WebMgr+3061e
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
EXCEPTION_RECORD: 0019eaf0 -- (.exr 0x19eaf0)
ExceptionAddress: 0043061e (AM6WebMgr+0x0003061e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000
PROCESS_NAME: AM6WebMgr.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 41414141
WRITE_ADDRESS: 41414141
FOLLOWUP_IP:
AM6WebMgr+3061e
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
FAILED_INSTRUCTION_ADDRESS:
+3061e
41414141 ?? ???
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 41414141
CONTEXT: 0019eb40 -- (.cxr 0x19eb40)
eax=04b116c7 ebx=000005e6 ecx=00000307 edx=000005e6 esi=04b113c0 edi=001a0000
eip=0043061e esp=0019efa0 ebp=0019efcc iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
AM6WebMgr+0x3061e:
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Resetting default scope
FAULTING_THREAD: ffffffff
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 0044a12c to 0043061e
STACK_TEXT:
0019efa0 0043061e am6webmgr+0x3061e
0019efd4 0044a12c am6webmgr+0x4a12c
0019f008 004438b5 am6webmgr+0x438b5
0019f024 00440418 am6webmgr+0x40418
0019f4c8 0044aa27 am6webmgr+0x4aa27
0019f4ec 00401704 am6webmgr+0x1704
0019f510 00423195 am6webmgr+0x23195
```

| Field | Value |
|---|---|
| Source | https://www.malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt |
| User | malvuln (UID 14984) |
| Submission | 2021-06-17 03:20 AM |
| Moderation | 2021-06-17 07:47 AM (4 hours later) |
| Status | Accepted |
| VulDB Entry | 177155 [Trojan.Win32.Alien.erf Service Port 1789 Memory Corruption] |
| Points | 20 |