CVE-2008-1661
Published 2008-06-04
Priority P271 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 68.96% (99.3th percentile)
Stack-based buffer overflow in DoubleTake.exe in HP StorageWorks Storage Mirroring (SWSM) before 4.5 SP2 allows remote attackers to execute arbitrary code via a crafted encoded authentication request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | storageworks_storage_mirroring | — | — |
Detection & IOCs (extracted from sources)
bytes
\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01
- Detect exploit attempts by monitoring TCP port 1100 for connections to DoubleTake/HP StorageWorks Storage Mirroring service carrying the known malicious authentication request header magic bytes (\x00\x02\x00\x01\x27\x30) followed by oversized payloads.
- The exploit payload is XOR-encoded with key 0xf0; network signatures should account for this encoding when inspecting payload content on port 1100.
- The vulnerability is triggered via a crafted encoded authentication request; monitor DoubleTake.exe for abnormal process behavior or crashes indicative of stack-based buffer overflow exploitation.
- SEH (Structured Exception Handler) overwrite technique is used; endpoint detection should flag SEH chain corruption in DoubleTake.exe.
- The exploit targets only Windows platforms; non-Windows deployments of DoubleTake/SWSM are not affected by this specific exploit module.
- Payload space is limited to 500 bytes and null bytes (\x00) are bad characters; detection signatures must account for the constrained and XOR-encoded payload.
- The EXITFUNC is set to 'process', meaning successful exploitation will terminate the DoubleTake service process; a sudden crash of DoubleTake.exe after a connection on port 1100 may indicate exploitation.
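The network-side checks from the notes above (port 1100, the header magic bytes, an oversized request, XOR key 0xf0) as an added Python example; it is not code from this page or from the Metasploit module. The size threshold, the `SIGTEST` content signature and the sample streams are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SWSM_PORT = 1100                             # service port named on the page
AUTH_MAGIC = bytes.fromhex("000200012730")   # header magic bytes quoted on the page
XOR_KEY = 0xF0                               # payload encoding key named on the page
# ASSUMPTION: the page says "oversized" without a number; baseline real
# authentication requests in your environment and tune this value.
OVERSIZE_THRESHOLD = 256


@dataclass
class Finding:
    src: str
    length: int
    content_hits: list


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR (symmetric), so content signatures see the decoded body."""
    return bytes(b ^ key for b in data)


def inspect_stream(src, dst_port, payload, needles=(), threshold=OVERSIZE_THRESHOLD):
    """Return a Finding for an oversized auth request on port 1100, else None."""
    if dst_port != SWSM_PORT or not payload.startswith(AUTH_MAGIC):
        return None
    if len(payload) <= threshold:
        return None
    body = payload[len(AUTH_MAGIC):]
    decoded = xor_decode(body)
    # Match each content signature against both the raw and the decoded view.
    hits = [n for n in needles if n in body or n in decoded]
    return Finding(src, len(payload), hits)


# Constructed sample streams (not captured traffic): (source, dst port, bytes).
MARKER = b"SIGTEST"                          # hypothetical content signature
SAMPLES = [
    ("10.0.0.5", 1100, AUTH_MAGIC + b"\x00" * 52),                     # short request
    ("10.0.0.9", 1100, AUTH_MAGIC + xor_decode(MARKER + b"A" * 600)),  # oversized, encoded
    ("10.0.0.7", 1100, b"\x00\x01" + b"B" * 600),                      # no magic bytes
    ("10.0.0.9", 8080, AUTH_MAGIC + b"C" * 600),                       # different port
]


def scan(samples=SAMPLES):
    """Run inspect_stream over every sample and keep only the findings."""
    results = (inspect_stream(s, p, d, needles=[MARKER]) for s, p, d in samples)
    return [r for r in results if r is not None]
```

A signature written against plaintext content only matches here because the body is also checked after XOR decoding; the raw bytes of the second sample never contain the marker.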
No detection rules found.
Exploit-DB
DoubleTake/HP StorageWorks Storage Mirroring Service - Authentication Overflow (Metasploit)
exploitdb · 2010-07-03
---
##
# $Id: doubletake.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the authentication mechanism of
NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability
was found by Titon of Bastard Labs.
},
'Author' => [ 'ri0t ' ],
'Version' => '$Revisi
Exploit-DB
HP StorageWorks - NSI Double Take Remote Overflow (Metasploit)
exploitdb · 2008-06-04
---
##
# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Windows::Misc::Doubletake 'doubletake Overflow',
'Description' => %q{
This Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded
as hp storage works Vulnerability found by Titon of Bastard Labs.
},
'Author' => [ 'ri0t ' ],
'Version' => '$Revision: 9 $',
'References' =>
[
],
'DefaultOptions' =>
{
'EXITFUNC'
Metasploit
DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow
metasploit
This module exploits a stack buffer overflow in the authentication mechanism of NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability was found by Titon of Bastard Labs.
No writeups or analysis indexed.
- http://marc.info/?l=bugtraq&m=121250518326713&w=2
- http://secunia.com/advisories/30502
- http://www.securitytracker.com/id?1020157
- http://www.vupen.com/english/advisories/2008/1723
- http://www.zerodayinitiative.com/advisories/ZDI-08-034/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42810
Published: 2008-06-04