CVE-2008-4322
published 2008-09-29


Priority: P2 · 69 · critical
CVSS 2.0 base score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 64.83% (99.1st percentile)
Stack-based buffer overflow in RealFlex Technologies Ltd. RealWin Server 2.0, as distributed by DATAC, allows remote attackers to execute arbitrary code via a crafted FC_INFOTAG/SET_CONTROL packet.

Affected (1 range)

Vendor: realflex_technologies_ltd
Product: realwin_server
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

port: 910
other: 0x4001e2a9
bytes: |10 23 54 67 00 08 00 00|
bytes: |e3 77 0a 00 05 00 04 00 00 00|
snort:
alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:2; metadata:created_at 2010_12_23, cve CVE_2008_4322, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_19;)
  • Exploit packet targets TCP port 910 (RealWin SCADA Server default port); monitor for inbound connections from external hosts to this port.
  • The malicious FC_INFOTAG/SET_CONTROL packet begins with the 8-byte magic header 10 23 54 67 00 08 00 00 at depth 0, followed within 10 bytes by e3 77 0a 00 05 00 04 00 00 00; both patterns must be present to confirm exploit attempt.
  • After the second content match, the exploit payload spans at least 744 bytes and must not contain a 0x0a (newline) byte within that range; the rule uses isdataat:744,relative and content:!"|0a|"; within:744 to confirm an overflow-sized payload free of that bad character.
  • The exploit uses bad characters \x00\x20\x0a\x0d; shellcode in observed traffic will not contain these bytes, which can help distinguish exploit payloads from benign data.
  • The return address used in the Universal target is 0x4001e2a9; presence of this 4-byte little-endian value (a9 e2 01 40) at offset 740 within the packet body is a strong indicator of this specific exploit module.
  • The Metasploit module specifically targets RealWin SCADA Server 2.0 Build 6.0.10.37; the hardcoded return address 0x4001e2a9 and offset 740 are version-specific and may not apply to other builds.
  • Payload space is constrained to 550 bytes with a stack adjustment of -3500; detection rules or shellcode scanners should account for this relatively small payload window.
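The bullets above describe how the Snort rule chains its checks; as an added example (not part of this record or of the Emerging Threats rule set), the following Python re-implements the content/depth/within/isdataat logic of sid:2012096 so the semantics can be exercised offline. All payloads below are constructed for the test, not captured traffic, and `build_payload` is a helper assumed here for convenience.

```python
# Added example: offline re-implementation of the matching logic of ET sid:2012096.
# Byte patterns are taken from the rule; the sample payloads are constructed, not captures.

MAGIC = bytes.fromhex("10 23 54 67 00 08 00 00")              # content #1, depth:8
SET_CONTROL = bytes.fromhex("e3 77 0a 00 05 00 04 00 00 00")  # content #2, within:10
OVERFLOW_LEN = 744                                            # isdataat:744,relative
BAD_BYTE = b"\x0a"                                            # content:!"|0a|"; within:744


def matches_sid_2012096(payload: bytes) -> bool:
    """Return True when the TCP payload satisfies every content check of the rule."""
    # depth:8 with an 8-byte pattern means the magic header must start at offset 0.
    if not payload.startswith(MAGIC):
        return False
    cursor = len(MAGIC)
    # within:10 with a 10-byte pattern: the tag must end within 10 bytes of the cursor,
    # i.e. it must start exactly at the cursor.
    window = payload[cursor:cursor + 10]
    idx = window.find(SET_CONTROL)
    if idx < 0:
        return False
    cursor += idx + len(SET_CONTROL)
    # isdataat:744,relative: at least 744 bytes must follow the second match.
    if len(payload) - cursor < OVERFLOW_LEN:
        return False
    # content:!"|0a|"; within:744: the overflow buffer must not contain a newline.
    return BAD_BYTE not in payload[cursor:cursor + OVERFLOW_LEN]


def build_payload(body: bytes) -> bytes:
    """Helper (assumed, not from the rule): magic header + SET_CONTROL tag + body."""
    return MAGIC + SET_CONTROL + body


# Constructed samples: an overflow-sized body, a normal-sized request, an overflow-sized
# body containing the excluded newline byte, and a packet with the wrong magic header.
SAMPLES = {
    "overflow_sized": build_payload(b"A" * 800),
    "normal_length": build_payload(b"A" * 40),
    "has_newline": build_payload(b"A" * 300 + b"\n" + b"A" * 500),
    "wrong_header": b"\x00" * 8 + SET_CONTROL + b"A" * 800,
}


def scan(samples: dict) -> dict:
    """Run the rule logic over each named payload and return name -> alert verdict."""
    return {name: matches_sid_2012096(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:15s} {'ALERT' if hit else 'no match'}")
```

Only the overflow-sized, newline-free payload fires; the normal-length request, the newline-bearing buffer and the wrong-header packet all fall through, mirroring the rule's isdataat and negated-content constraints.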