CVE-2008-1491
published 2008-03-25

Priority: P272 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 70.13% (99.3th percentile)
Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (aka ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
asus | remote_console | |
asus | remote_console | |

Detection & IOCs (extracted from sources)

port: TCP/623
process: DpcProxy.exe
other: SEH overwrite return address: 0x0040273b
other: BadChars: \x07\x08\x0d\x0e\x0f\x7e\x7f\xff
bytes: \x89\xe6\xdb\xdd\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41
  • The Metasploit module sends a sploit buffer of ~6032+ bytes to TCP/623; a single TCP segment or session with payload length significantly exceeding normal IPMI/RMCP traffic on port 623 is suspicious.
  • SEH-based exploitation: look for the p/p/r gadget address 0x0040273b appearing in network traffic to TCP/623 as a 4-byte little-endian sequence (\x3b\x27\x40\x00).
  • The exploit targets DpcProxy.exe (ASUS ASMB3/ARC Remote Console); presence of this process listening on TCP/623 on a Windows host indicates an attack surface for CVE-2008-1491.
  • The Metasploit module targets only version 2.0.0.19 with a universal return address; the exploit-db PoC also targets 2.0.0.16. Version 2.0.0.24 is stated as vulnerable in the NVD, but the specific return address/offset may differ.
  • Payload space is constrained to 400 bytes in the Metasploit module; staged or larger payloads will not fit without modification.
  • EXITFUNC is set to 'process' in the Metasploit module (not 'seh' as in the standalone PoC), meaning successful exploitation terminates the DpcProxy process.