CVE-2008-1661
published 2008-06-04

Priority: P271 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 68.96% (99.3th percentile)
Stack-based buffer overflow in DoubleTake.exe in HP StorageWorks Storage Mirroring (SWSM) before 4.5 SP2 allows remote attackers to execute arbitrary code via a crafted encoded authentication request.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
hp | storageworks_storage_mirroring | |

Detection & IOCs (extracted from sources)

port: 1100
filename: DoubleTake.exe
other: XOR key: 0xf0
other: RET address doubletake 4.5.0: 0x006f5fa7, Offset: 5544
other: RET address doubletake 4.4.2: 0x0074e307, Offset: 944
other: RET address doubletake 4.5.0.1819: 0x006e62dd, Offset: 5544
bytes: \x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01
  • Detect exploit attempts by monitoring TCP port 1100 for connections to DoubleTake/HP StorageWorks Storage Mirroring service carrying the known malicious authentication request header magic bytes (\x00\x02\x00\x01\x27\x30) followed by oversized payloads.
  • The exploit payload is XOR-encoded with key 0xf0; network signatures should account for this encoding when inspecting payload content on port 1100.
  • The vulnerability is triggered via a crafted encoded authentication request; monitor DoubleTake.exe for abnormal process behavior or crashes indicative of stack-based buffer overflow exploitation.
  • SEH (Structured Exception Handler) overwrite technique is used; endpoint detection should flag SEH chain corruption in DoubleTake.exe.
  • The exploit targets only Windows platforms; non-Windows deployments of DoubleTake/SWSM are not affected by this specific exploit module.
  • Payload space is limited to 500 bytes and null bytes (\x00) are bad characters; detection signatures must account for the constrained and XOR-encoded payload.
  • The EXITFUNC is set to 'process', meaning successful exploitation will terminate the DoubleTake service process; a sudden crash of DoubleTake.exe after a connection on port 1100 may indicate exploitation.
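
The first detection note above (header magic on TCP port 1100 followed by an oversized payload), sketched as a per-flow check. This is an added example, not code from the page or its sources. The class and function names are hypothetical, the traffic is constructed filler, and the size threshold is an assumption taken from the smallest offset listed above (944).

```python
from dataclasses import dataclass

PORT = 1100                          # service port listed on the page
MAGIC = b"\x00\x02\x00\x01\x27\x30"  # request header prefix quoted on the page
# Assumption: alert once a flow exceeds the smallest RET offset the page lists
# (944, DoubleTake 4.4.2). Tune against real authentication traffic.
SIZE_THRESHOLD = 944

@dataclass
class Flow:
    head: bytes = b""      # first len(MAGIC) bytes of the client stream
    total: int = 0         # client-to-server payload bytes seen so far
    alerted: bool = False

class OversizedAuthDetector:
    """Tracks client-to-server bytes per TCP flow (segments fed in order)."""

    def __init__(self, threshold=SIZE_THRESHOLD):
        self.threshold = threshold
        self.flows = {}

    def feed(self, src, sport, dst, dport, data):
        """Return an alert dict the first time a flow matches, else None."""
        if dport != PORT or not data:
            return None
        flow = self.flows.setdefault((src, sport, dst, dport), Flow())
        need = len(MAGIC) - len(flow.head)
        if need > 0:                       # header may be split across segments
            flow.head += data[:need]
        flow.total += len(data)
        if flow.alerted or flow.head != MAGIC or flow.total <= self.threshold:
            return None
        flow.alerted = True
        return {"src": src, "dst": dst, "port": dport, "bytes_seen": flow.total}

def run_sample():
    """Constructed traffic: filler bytes only, no real request bodies."""
    det = OversizedAuthDetector()
    segments = [
        ("10.0.0.5", 40001, "10.0.0.9", 1100, MAGIC + b"A" * 200),    # small request
        ("10.0.0.6", 40002, "10.0.0.9", 1100, MAGIC[:3]),             # split header
        ("10.0.0.6", 40002, "10.0.0.9", 1100, MAGIC[3:] + b"A" * 900),
        ("10.0.0.6", 40002, "10.0.0.9", 1100, b"A" * 5000),           # crosses threshold
        ("10.0.0.7", 40003, "10.0.0.9", 1100, b"B" * 6000),           # no magic
    ]
    return [a for a in (det.feed(*s) for s in segments) if a]
```

Only the client-to-server direction is fed in, and segments are assumed to arrive in order; a sensor that sees reordered or retransmitted segments needs stream reassembly in front of this check.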