CVE-2007-2508
published 2007-05-08

Priority: P269 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 77.19% (99.5th percentile)

Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2 Build 1174 allow remote attackers to execute arbitrary code via crafted data to (1) TCP port 5168, which triggers an overflow in the CAgRpcClient::CreateBinding function in the AgRpcCln.dll library in SpntSvc.exe; or (2) TCP port 3628, which triggers an overflow in EarthAgent.exe. NOTE: both issues are reachable via TmRpcSrv.dll.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| trend_micro | serverprotect | <= 5.58 | |
| trend_micro | serverprotect | | |

Detection & IOCs (extracted from sources)

port: TCP/5168
port: TCP/3628
other: DCERPC UUID: 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0
other: ROP gadget: 0x605e3c2f (pop esi; pop ebx; ret) in agentclient.dll
other: ROP gadget: 0x65675aa8 (pop esi; pop ecx; ret) in StRpcSrv.dll
command: NDR.long(0x001f0014) + NDR.long(len) + filler + NDR.long(len)
command: NDR.long(0x001f0002) + NDR.long(len) + filler + NDR.long(len)
process: EarthAgent.exe
process: SpntSvc.exe
  • Detect exploit attempts by monitoring for DCERPC bind requests to UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c over ncacn_ip_tcp on TCP ports 5168 and 3628.
  • Flag inbound TCP connections to port 3628 (EarthAgent.exe) or port 5168 (SpntSvc.exe) from untrusted external hosts; both are reachable via TmRpcSrv.dll and should not be exposed externally.
  • Detect the stack-pivot prepend encoder byte sequence \x81\xc4\xff\xef\xff\xff\x44 in TCP payloads on ports 3628 and 5168 as a shellcode delivery indicator.
  • For the EarthAgent exploit (port 3628), look for DCERPC call opnum 0 with NDR opcode 0x001f0014 and oversized data buffers (~680+ bytes of filler followed by a return address).
  • For the CreateBinding exploit (port 5168), look for DCERPC call opnum 0 with NDR opcode 0x001f0002 and oversized data buffers (~360+ bytes of filler followed by a return address).
  • Alert on the return address value 0x605e3c2f appearing in network payloads targeting TCP/3628 (agentclient.dll ROP gadget used by EarthAgent exploit).
  • Alert on the return address value 0x65675aa8 appearing in network payloads targeting TCP/5168 (StRpcSrv.dll ROP gadget used by CreateBinding exploit).
  • The ROP gadget addresses (0x605e3c2f in agentclient.dll and 0x65675aa8 in StRpcSrv.dll) are specific to Trend Micro ServerProtect 5.58 Build 1060 and will not match other builds or patched versions; detection rules relying on these exact values will miss variants using different return addresses.
  • The exploit uses rand_text_english/rand_text_alpha for filler, meaning the buffer content is randomized per attempt; signature-based detection must focus on structural elements (DCERPC UUID, opcode, prepend encoder bytes) rather than filler content.
  • The vulnerability is fixed in ServerProtect 5.58 Security Patch 2 Build 1174; detections targeting vulnerable process behavior are only relevant on unpatched Build 1060 systems.
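
The structural checks recommended above (interface UUID in the DCERPC bind, plus the prepend encoder bytes) can be sketched as follows. This is an added example, not code from the sources this page summarizes; it assumes the caller supplies a reassembled client-to-server TCP payload that starts at the bind PDU, and the function names and sample packet are constructed for illustration.

```python
import struct
import uuid

# Indicators copied from the detection notes above.
SERVERPROTECT_IF = uuid.UUID("25288888-bd5b-11d1-9d53-0080c83a5c2c")
WATCHED_PORTS = {5168, 3628}
PREPEND_ENCODER = bytes.fromhex("81c4ffefffff44")
PTYPE_BIND = 11  # DCE/RPC connection-oriented bind PDU


def bind_interfaces(payload):
    """Return (uuid, major, minor) for each context element of a DCE/RPC v5 bind."""
    if len(payload) < 28 or payload[0] != 5 or payload[2] != PTYPE_BIND:
        return []
    little = payload[4] >> 4 == 1  # data representation: integer byte order
    fmt = "<HH" if little else ">HH"
    off, found = 28, []  # 16-byte header, 8 bytes of bind fields, 4-byte list header
    for _ in range(payload[24]):  # n_context_elem
        if off + 24 > len(payload):
            break
        raw = payload[off + 4:off + 20]  # abstract syntax (interface) UUID
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        found.append((iface, *struct.unpack_from(fmt, payload, off + 20)))
        off += 24 + 20 * payload[off + 2]  # skip this element's transfer syntaxes
    return found


def evaluate(dst_port, payload):
    """Return findings for one reassembled client-to-server TCP payload."""
    if dst_port not in WATCHED_PORTS:
        return []
    findings = [f"bind to {i} v{maj}.{mnr}"
                for i, maj, mnr in bind_interfaces(payload) if i == SERVERPROTECT_IF]
    if PREPEND_ENCODER in payload:
        findings.append("stack-pivot prepend encoder bytes")
    return findings


def sample_bind(iface):
    """Constructed input: minimal little-endian bind, one context, NDR transfer syntax."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
    body += ndr.bytes_le + struct.pack("<I", 2)
    return struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\0\0\0",
                       16 + len(body), 0, 1) + body
```

Calling `evaluate(5168, sample_bind(SERVERPROTECT_IF))` reports the bind; neither check depends on the randomized filler or on build-specific return addresses.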