Submit #14956: Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow

Title: Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow
Description:
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Trojan.Win32.Alien.erf
Vulnerability: Remote Stack Buffer Overflow
Description: The malware deploys a Web server, AM6WebMgr.exe (JAO build 809), listening on TCP port 1789. Third-party attackers who can reach an infected host can trigger a classic remote stack buffer overflow by making an HTTP GET request for the "SynchroRes.cgi" URL with a long payload. This overwrites the ECX and EIP registers with bytes from the request.
Type: PE32
MD5: 57ab194d8c60ee97914eda22e4d71b68
Vuln ID: MVID-2021-0252
ASLR: False
DEP: True
Safe SEH: True
Disclosure: 06/16/2021

Memory Dump:
EAX : 00000000
EBX : 00000000
ECX : 41414141
EDX : 77279D70 ntdll.77279D70
EBP : 000A12E0
ESP : 000A12C0
ESI : 00000000
EDI : 00000000
EIP : 41414141
EFLAGS : 00010246
ZF : 1
OF : 0
am6webmgr.4FCF00

(1b74.1b40): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000
eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> .ecxr
eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000
eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for AM6WebMgr.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for JAONPServ.dll -
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
AM6WebMgr+3061e
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]

EXCEPTION_RECORD: 0019eaf0 -- (.exr 0x19eaf0)
ExceptionAddress: 0043061e (AM6WebMgr+0x0003061e)
 ExceptionCode: c0000005 (Access violation)
 ExceptionFlags: 00000000
NumberParameters: 2
 Parameter[0]: 00000001
 Parameter[1]: 001a0000
Attempt to write to address 001a0000

PROCESS_NAME: AM6WebMgr.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 41414141

WRITE_ADDRESS: 41414141

FOLLOWUP_IP:
AM6WebMgr+3061e
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]

FAILED_INSTRUCTION_ADDRESS:
+3061e
41414141 ?? ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT: 0019eb40 -- (.cxr 0x19eb40)
eax=04b116c7 ebx=000005e6 ecx=00000307 edx=000005e6 esi=04b113c0 edi=001a0000
eip=0043061e esp=0019efa0 ebp=0019efcc iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
AM6WebMgr+0x3061e:
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Resetting default scope

FAULTING_THREAD: ffffffff

BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 0044a12c to 0043061e

STACK_TEXT:
0019efa0 0043061e am6webmgr+0x3061e
0019efd4 0044a12c am6webmgr+0x4a12c
0019f008 004438b5 am6webmgr+0x438b5
0019f024 00440418 am6webmgr+0x40418
0019f4c8 0044aa27 am6webmgr+0x4aa27
0019f4ec 00401704 am6webmgr+0x1704
0019f510 00423195 am6webmgr+0x23195
0019f848 41414141 unknown!printable+0x0
0019f84c 41414141 unknown!printable+0x0
0019f850 41414141 unknown!printable+0x0
0019f854 41414141 unknown!printable+0x0
0019f858 41414141 unknown!printable+0x0
0019f85c 41414141 unknown!printable+0x0
0019f860 41414141 unknown!printable+0x0
0019f864 41414141 unknown!printable+0x0
0019f868 41414141 unknown!printable+0x0
0019f86c 41414141 unknown!printable+0x0
0019f870 41414141 unknown!printable+0x0
0019f874 41414141 unknown!printable+0x0
0019f878 41414141 unknown!printable+0x0
0019f87c 41414141 unknown!printable+0x0
0019f880 41414141 unknown!printable+0x0
0019f884 41414141 unknown!printable+0x0
0019f888 41414141 unknown!printable+0x0
0019f88c 41414141 unknown!printable+0x0
0019f890 41414141 unknown!printable+0x0
0019f894 41414141 unknown!printable+0x0
0019f898 41414141 unknown!printable+0x0
0019f89c 41414141 unknown!printable+0x0
0019f8a0 41414141 unknown!printable+0x0
0019f8a4 41414141 unknown!printable+0x0
0019f8a8 41414141 unknown!printable+0x0
0019f8ac 41414141 unknown!printable+0x0
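To show how a defender reads the two register contexts in the dump above (which registers hold the 0x41 fill bytes, and whether EIP was taken from the request), here is an added Python triage helper. It is not part of the malvuln advisory or the VulDB record; the two context strings are constructed copies of the dump's register values in WinDbg "r" layout.

```python
import re

# Constructed sample input: the two register contexts quoted in the advisory's
# memory dump, in WinDbg "r" layout. The first is the exception context after
# the overflow, the second the .cxr context at the faulting rep movs copy.
EXCEPTION_CONTEXT = (
    "eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000 "
    "eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc"
)
COPY_CONTEXT = (
    "eax=04b116c7 ebx=000005e6 ecx=00000307 edx=000005e6 esi=04b113c0 edi=001a0000 "
    "eip=0043061e esp=0019efa0 ebp=0019efcc iopl=0 nv up ei pl nz na pe cy"
)

# name=8 hex digits; "iopl=0" and the flag mnemonics do not match this shape
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})\b", re.I)


def parse_context(line):
    """Map each x86 register in a WinDbg 'r'-style line to its integer value."""
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(line)}
    if "eip" not in regs:
        raise ValueError("not a register context line: no eip")
    return regs


def controlled_registers(regs, fill=0x41414141):
    """Registers whose whole value is the fill pattern ('A' * 4): their contents
    came from the request body, not from anything the program computed."""
    return sorted(r for r, v in regs.items() if v == fill)


def triage(line, fill=0x41414141):
    """Read one context the way a defender reads the dump: eip equal to the fill
    pattern means the return address was replaced by input (the hijack case);
    otherwise the fault is still inside program code, as in the rep movs context."""
    regs = parse_context(line)
    taken = controlled_registers(regs, fill)
    if "eip" in taken:
        verdict = "control-flow hijack: eip loaded from input"
    else:
        verdict = "fault inside program code at eip=%08x" % regs["eip"]
    return {"verdict": verdict, "controlled": taken, "eip": regs["eip"]}


if __name__ == "__main__":
    for ctx in (EXCEPTION_CONTEXT, COPY_CONTEXT):
        print(triage(ctx))
```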
Source: https://www.malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt
User: malvuln (UID 14984)
Submission: 06/17/2021 03:20 (5 years ago)
Moderation: 06/17/2021 07:47 (4 hours later)
Status: Accepted
VulDB entry: 177155 [Trojan.Win32.Alien.erf Service Port 1789 buffer overflow]
Points: 20
