CVE-2008-0492
published 2008-01-30


Priority: P3, 40, medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 29.52% (98.0th percentile)
Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information.

Affected

1 range
Vendor | Product | Version range | Fixed in
persits | xupload | - | -

Detection & IOCs (extracted from sources)

filename: XUpload.ocx
other: Persits.XUpload.2
registry: CLSID: Persits.XUpload.2
other: RET: 0x10019d6e (pop/pop/ret @ XUpload.ocx)
bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a
bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a
  • Detect instantiation of the Persits.XUpload.2 ActiveX control (ProgID) in browser contexts, particularly calls to the AddFile() method with an oversized string argument (>738 bytes).
  • Monitor for the presence of XUpload.ocx on disk, especially versions 3.0.0.3 and 3.0.0.4, which are the confirmed vulnerable versions targeted by public exploits.
  • The Metasploit exploit uses a 738-byte alpha-numeric heap spray buffer passed to AddFile(); detect JavaScript heap spray patterns using unescape() with %u9090%u9090 NOP sleds in browser memory.
  • The exploit targets a pop/pop/ret gadget at offset 0x10019d6e within XUpload.ocx; detect ROP/SEH chains referencing this address in memory or crash dumps.
  • The shellcode uses Alpha2 encoding; detect the characteristic Alpha2 stub header bytes %u03eb%ueb59%ue805%ufff8%uffff in network traffic or memory.
  • The bind-shell payload opens TCP port 4444; monitor for unexpected inbound connections on port 4444 following browser-based ActiveX exploitation.
  • The Metasploit module specifically targets XUpload.ocx version 3.0.0.3 on Windows XP SP3 with IE6 SP3; the RET address 0x10019d6e is version-specific and will not apply to other OS/browser/DLL combinations.
  • The NVD advisory notes that version 3.0.0.4 and earlier are vulnerable, but the public Metasploit exploit was only confirmed against 3.0.0.3; detection rules should cover both versions.
  • The exploit sets EXITFUNC=process (Metasploit) or EXITFUNC=seh (raw PoC); payload exit behavior differs between exploit variants, affecting post-exploitation forensic artifacts.
  • BadChars for the payload are limited to null bytes only (\x00), meaning the shellcode is largely unrestricted; Alpha2 encoding is used in the raw PoC to bypass any additional character filtering.
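
A static content check built from the indicators listed above, as an added example (not code from the advisory or from any exploit module). The function names, verdict labels and both sample pages are constructed for illustration, and an AddFile() argument assembled at run time is only reported as non-literal because its length is unknown to a static scan.

```python
import re

# Indicators quoted on this page; the scanner around them is an added sketch.
PROGID = "persits.xupload.2"
MAX_ADDFILE_ARG = 738
ALPHA2_STUB = "%u03eb%ueb59%ue805%ufff8%uffff"
NOP_SLED = "%u9090%u9090"

# AddFile(<double-quoted> | <single-quoted> | <anything else up to ')'>)
_ADDFILE = re.compile(r"""\.AddFile\s*\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)""", re.I)
_UNESCAPE = re.compile(r"""unescape\s*\(\s*["']([^"']*)["']""", re.I)


def scan_page(html):
    """Return the sorted indicator names found in one page of HTML/JavaScript."""
    found = set()
    lowered = html.lower()
    if PROGID in lowered:
        found.add("progid")
    if ALPHA2_STUB in lowered:
        found.add("alpha2_stub")
    if any(NOP_SLED in m.group(1).lower() for m in _UNESCAPE.finditer(html)):
        found.add("nop_sled")
    for dq, sq, other in _ADDFILE.findall(html):
        literal = dq or sq
        if len(literal) > MAX_ADDFILE_ARG:
            found.add("addfile_oversized_arg")
        elif other.strip():
            # Built at run time: length is unknown to a static scan.
            found.add("addfile_nonliteral_arg")
    return sorted(found)


def verdict(found):
    """alert: control plus an exploit marker; review: control only; else clean."""
    if "progid" not in found:
        return "clean"
    markers = {"addfile_oversized_arg", "alpha2_stub", "nop_sled"}
    return "alert" if markers & set(found) else "review"


# Constructed samples, not captured traffic.
BENIGN = r'<script>var u=new ActiveXObject("Persits.XUpload.2");u.AddFile("C:\docs\report (1).pdf");</script>'
SUSPECT = ('<script>var s=unescape("%u9090%u9090");var u=new ActiveXObject("Persits.XUpload.2");'
           'u.AddFile("' + "A" * 800 + '");u.AddFile(s);</script>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, verdict(scan_page(page)), scan_page(page))
```

A "review" verdict means the page loads the control without any exploit marker, which is the cue to check the installed XUpload.ocx version on the affected hosts.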