CVE-2008-0311
published 2008-04-06


Priority: P267 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 31.02% (98.0th percentile)
Stack-based buffer overflow in the PGMWebHandler::parse_request function in the StarTeam Multicast Service component (STMulticastService) 6.4 in Borland CaliberRM 2006 allows remote attackers to execute arbitrary code via a large HTTP request.

Affected (1 range)

Vendor   Product    Version range   Fixed in
borland  caliberrm  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Port: TCP 3057 (STMulticastService default)
Command: GET request of 511 bytes + NULL + 1020 bytes sent to STMulticastService on port 3057
Other: return address 0x7c5729db (Windows 2000 SP4 English)
Other: return address 0x71ae1f9b (Windows 2003 SP0 English)
Bytes: \x81\xc4\x54\xf2\xff\xff (x86 `add esp, -3500`, the Metasploit stack-adjustment prepend)
  • Monitor for unusually large HTTP GET requests to TCP port 3057 (the STMulticastService default port). The public exploit sends a request of 511 bytes followed by a NULL byte and 1020 further bytes; a request line of that size, or one containing a NULL byte, has no legitimate reason to reach this service. The vulnerable function, PGMWebHandler::parse_request, is not visible on the wire, so request size and content are what a sensor can act on.
  • Detect the stack-adjustment prepend \x81\xc4\x54\xf2\xff\xff (x86 `add esp, -3500`) in payloads delivered to port 3057. Metasploit places this sequence in front of the encoded payload to move ESP away from the decoder before it runs, so it appears literally and is a usable signature for the module; an exploit that uses a different adjustment, or none, will not match.
  • The module's payload avoids the bytes \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c, so a long span (up to 600 bytes) in the request that contains no space, slash, colon, CR/LF or NULL is consistent with its encoded shellcode. Treat this as a corroborating condition rather than a rule on its own; the absence of bytes is a weak signature.
  • Alert on the return addresses 0x7c5729db or 0x71ae1f9b in traffic to port 3057, the hardcoded targets for Windows 2000 SP4 and Windows 2003 SP0. On x86 a 32-bit address is written little-endian, so the byte sequences to match are db 29 57 7c and 9b 1f ae 71, not the printed hex digits.
  • The Metasploit module targets only Windows 2000 SP4 English and Windows 2003 SP0 English with hardcoded return addresses; exploitation against other OS versions or service packs requires different return addresses and may fail. A rule keyed only to these two addresses will therefore miss a retargeted exploit; the port, size and NULL-byte conditions above are more robust.
  • The exploit has a payload space of only 600 bytes and uses a stack adjustment of -3500 bytes; inline payloads are noted to work best, so staged payloads may be unreliable. Expect the complete shellcode to be present in the single request rather than fetched in a second stage.
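As an added illustration (not code from the page or from the Metasploit module), the detection points above as a small Python inspector for TCP payloads to port 3057. The port, byte patterns and return addresses are the indicators listed above; the 511-byte cutoff is an assumption that legitimate request lines to this service are shorter than the exploit's first segment; the sample traffic is constructed, not captured.

```python
import struct

# Indicators as listed on the page for the CVE-2008-0311 Metasploit module.
STMULTICAST_PORT = 3057                        # STMulticastService default TCP port
PREPEND_ENCODER = b"\x81\xc4\x54\xf2\xff\xff"  # x86 `add esp, -3500` (imm32 0xfffff254)
RETURN_ADDRESSES = {                           # hard-coded per-target return addresses
    0x7c5729db: "Windows 2000 SP4 English",
    0x71ae1f9b: "Windows 2003 SP0 English",
}
EXPLOIT_PREFIX_LEN = 511  # bytes before the NUL in the exploit request (assumed cutoff)


def wire_bytes(addr):
    """x86 writes a 32-bit return address little-endian, so 0x7c5729db is
    searched for as db 29 57 7c rather than as the printed hex digits."""
    return struct.pack("<I", addr)


def inspect_request(dst_port, payload):
    """Inspect one TCP payload sent to dst_port; return a list of findings
    (empty when nothing matched). Only GET requests to port 3057 are examined."""
    findings = []
    if dst_port != STMULTICAST_PORT or not payload.startswith(b"GET "):
        return findings

    # The exploit is a single oversized request line; take everything up to the
    # first CRLF (or the whole payload if there is none).
    request_line = payload.split(b"\r\n", 1)[0]
    after_verb = request_line[len(b"GET "):]
    if len(after_verb) > EXPLOIT_PREFIX_LEN:
        findings.append("oversized request line (%d bytes after GET)" % len(after_verb))
    if b"\x00" in after_verb:
        findings.append("NUL byte inside request line")

    # Signatures that survive Metasploit encoding: the stack-adjustment prepend
    # and the hard-coded return addresses for the two supported targets.
    if PREPEND_ENCODER in payload:
        findings.append("Metasploit stack-adjustment prepend (add esp, -3500)")
    for addr, target in RETURN_ADDRESSES.items():
        if wire_bytes(addr) in payload:
            findings.append("return address 0x%08x (%s)" % (addr, target))
    return findings


def scan(samples):
    """Run inspect_request over (dst_port, payload) pairs; return the index
    and findings of every sample that produced at least one finding."""
    hits = []
    for i, (port, payload) in enumerate(samples):
        findings = inspect_request(port, payload)
        if findings:
            hits.append((i, findings))
    return hits


def constructed_samples():
    """Constructed test traffic (not captured data): a normal request, a
    request shaped like the public exploit, and the same bytes sent to another
    port, which the rule deliberately ignores."""
    benign = b"GET /index.html HTTP/1.0\r\nHost: starteam\r\n\r\n"
    exploit_like = (b"GET " + b"A" * EXPLOIT_PREFIX_LEN + b"\x00" + b"B" * 300
                    + PREPEND_ENCODER + b"C" * 100
                    + wire_bytes(0x7c5729db) + b"D" * 100)
    return [(STMULTICAST_PORT, benign),
            (STMULTICAST_PORT, exploit_like),
            (80, exploit_like)]


if __name__ == "__main__":
    for index, findings in scan(constructed_samples()):
        print("sample %d:" % index)
        for f in findings:
            print("  -", f)
```

Run stand-alone it reports only the second sample, with all four findings. A real sensor would feed reassembled TCP payloads into `inspect_request`; the size and NUL checks fire on any exploit of this overflow, while the prepend and return-address checks identify the Metasploit module specifically.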