CVE-2008-2158
Published: 2008-05-29

Multiple stack-based buffer overflows in the Command Line Interface process in the Server Agent in EMC AlphaStor 3.1 SP1 for Windows allow remote attackers to execute arbitrary code via crafted TCP packets to port 41025.

Priority: P2 (71)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 58.40% (99.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc_corporation | alphastor | — | — |
Detection & IOCs (extracted from sources)
Byte sequences:
- \x00\x00\x00\x0b (4-byte little-endian header word)
- \x00\x00\x00\x04 (second 4-byte little-endian word)
- \x00\x00\x00\x1b (fourth 4-byte little-endian word)
- \x00\x00\x04\x7c (fifth 4-byte little-endian word, payload length 0x47c=1148)
Detection guidance:
- Alert on TCP connections to port 41025 targeting the EMC AlphaStor Agent (rpcbind/CLI process); any connection delivering a payload >827 bytes following the 5-word protocol header sequence is suspicious.
- The exploit sends a structured multi-part TCP stream: first a 4-byte LE word 0x0000000b, then a short alpha string containing '@', then 0x00000004, 0x0000001b, 0x0000047c, followed by an 827+ byte NOP sled + payload. Detecting this exact sequence on port 41025 is a high-fidelity indicator.
- Monitor for execution of ascli.exe with the argument 'asopmsg' followed by an unusually long string argument, as this is the vulnerable code path triggered by the exploit.
- The exploit targets return address 0x65153fe0 inside dblib9.dll version 9.0.1.1975. Presence of this DLL version on a Windows host running AlphaStor 3.1 SP1 indicates a vulnerable target.
- The exploit uses BadChars \x00\x0a\x0d\x20 and a StackAdjustment of -3500; NOP sleds of 827 bytes minus payload length are prepended. Large NOP sleds on port 41025 traffic are a strong detection signal.
Notes:
- The return address 0x65153fe0 is specific to dblib9.dll version 9.0.1.1975 on Windows; the exploit only targets EMC AlphaStor 3.1 SP1 for Windows and will not work against other platforms or versions.
- The exploit uses EXITFUNC=process (one-shot overwrite), meaning the agent process will terminate after exploitation; repeated connection attempts or process restarts may indicate exploitation attempts.
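The detection guidance above describes a fixed framing on port 41025: a 0x0000000b word, a short string containing '@', the words 0x00000004 / 0x0000001b / 0x0000047c, and then a payload that is oversized (>827 bytes) and typically NOP-padded. The following Python is an added example of a stream inspector built from exactly those indicators; it is not code from the original advisory or from any vendor or IDS. It assumes the client-to-agent side of a TCP session has already been reassembled into one byte string, and the sample streams, the 32-byte bound on the "short string", and the 64-byte NOP-run threshold are constructed assumptions for illustration.

```python
"""Stream inspector for the CVE-2008-2158 traffic shape (added example).

Assumptions (not stated in the original advisory): the five protocol words
arrive in one reassembled client->agent TCP stream to port 41025, in the
order 0x0000000b, <short string containing '@'>, 0x00000004, 0x0000001b,
0x0000047c, followed by the payload.
"""
from dataclasses import dataclass, field
from typing import List

AGENT_PORT = 41025
FIRST_WORD = b"\x00\x00\x00\x0b"
# Words three to five of the header, as they appear contiguously in the stream.
TRAILING_WORDS = b"\x00\x00\x00\x04" + b"\x00\x00\x00\x1b" + b"\x00\x00\x04\x7c"
PAYLOAD_THRESHOLD = 827   # from the indicator: payloads > 827 bytes are suspicious
MAX_STRING_LEN = 32       # assumed upper bound for the "short alpha string"
NOP_SLED_MIN = 64         # assumed: 64+ consecutive 0x90 bytes count as a sled


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of 0x90 (x86 NOP) bytes in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def inspect_stream(dst_port: int, data: bytes) -> Verdict:
    """Classify one reassembled client->agent stream against the indicators."""
    if dst_port != AGENT_PORT or not data.startswith(FIRST_WORD):
        return Verdict(False)
    idx = data.find(TRAILING_WORDS, len(FIRST_WORD))
    if idx == -1:
        return Verdict(False)
    # The bytes between word one and word three must be a short ASCII
    # string containing '@', as the indicator describes.
    middle = data[len(FIRST_WORD):idx]
    if len(middle) > MAX_STRING_LEN or b"@" not in middle or not middle.isascii():
        return Verdict(False)
    payload = data[idx + len(TRAILING_WORDS):]
    reasons = []
    if len(payload) > PAYLOAD_THRESHOLD:
        reasons.append(f"payload of {len(payload)} bytes exceeds {PAYLOAD_THRESHOLD}")
    sled = longest_nop_run(payload)
    if sled >= NOP_SLED_MIN:
        reasons.append(f"NOP sled of {sled} bytes")
    return Verdict(bool(reasons), reasons)


# Constructed sample streams (not captured traffic).
BENIGN_STREAM = FIRST_WORD + b"op@host" + TRAILING_WORDS + b"status"
SUSPICIOUS_STREAM = (
    FIRST_WORD + b"op@host" + TRAILING_WORDS + b"\x90" * 700 + b"A" * 448
)  # 1148-byte payload, matching the 0x47c length word


if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        verdict = inspect_stream(AGENT_PORT, stream)
        print(f"{name}: suspicious={verdict.suspicious} reasons={verdict.reasons}")
```

The header match alone is not treated as an alert, because the same framing is what a legitimate client would send; only the oversized payload or a NOP run on top of that framing raises the verdict, which keeps the rule close to the "high-fidelity" indicator the page describes.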
No detection rules found.
Exploit-DB
EMC AlphaStor Agent - Remote Buffer Overflow (Metasploit) (exploitdb · 2010-05-09 · CVE-2008-2158)
---
##
# $Id: alphastor_agent.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'EMC AlphaStor Agent Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in EMC AlphaStor 3.1.
By sending a specially crafted message, an attacker may
be able to execute arbitrary code.
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2008-2158' ],
[ 'OSVDB', '45714' ],
[ 'URL', 'h
Exploit-DB
Power Phlogger 2.2.5 - 'css_str' SQL Injection (exploitdb · 2008-06-05 · CVE-2008-2562)
---
############################################################
SQL Injection vulnerability in Power Phlogger
By MustLive (http://websecurity.com.ua)
Detailed information: http://websecurity.com.ua/2158/
Description: SQL Injection vulnerability in Power Phlogger (it is PHP/MySQL logging tool via counters). To make SQL Injection attack you need to be logged into your account, which can be freely obtained via open registration form.
SQL Injection:
http://site/edCss.php?css_str=-1%20union%20select%20null,null,id,username,pw,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pphl_users%20limit%200,1&action=edit
With this query you will receive id, login and password (has
Metasploit
EMC AlphaStor Agent Buffer Overflow (metasploit)
This module exploits a stack buffer overflow in EMC AlphaStor 3.1. By sending a specially crafted message, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702
- http://secunia.com/advisories/30410
- http://securitytracker.com/id?1020115
- http://www.securityfocus.com/bid/29399
- http://www.vupen.com/english/advisories/2008/1670
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42669

Published: 2008-05-29