cvebase
CVE-2008-5159
published 2008-11-18

Priority: P354 · critical · CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network-reachable, low complexity, no authentication; complete confidentiality, integrity and availability impact)
Exploit: public exploit available
EPSS: 59.67% (99.0th percentile)
Integer overflow in the remote administration protocol processing in Client Software WinCom LPD Total 3.0.2.623 and earlier allows remote attackers to cause a denial of service (crash) via a large string length argument, which triggers memory corruption.

Affected

1 range
Vendor: clientsoftware
Product: wincom_lpd_total
Version range: <= 3.0.2.623
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

  • port: 13500 (TCP; WinComLPD remote administration service)
  • address: 0x0047d7a7 (return address hardcoded in the public exploit for 3.0.2.623)
  • bytes: \x65\x00\x00\x00\x00\x00\x00\x04\x00\x00\xFF\x1F (fixed header prefix of the exploit buffer)
  • Monitor for oversized authentication packets sent to TCP port 13500 (the WinComLPD remote administration service). The exploit buffer begins with the fixed byte sequence \x65\x00\x00\x00\x00\x00\x00\x04\x00\x00\xFF\x1F, followed by a large NOP sled and shellcode. If that prefix is also a legitimate protocol header, pair the prefix match with the size check below rather than alerting on the prefix alone.
  • Alert on any TCP connection to port 13500 carrying a payload larger than ~872 bytes; that figure is the exploit buffer size used to trigger the stack overflow.
  • The vulnerability is triggered by a large string length argument in the remote administration protocol, so abnormally large length field values in packets destined for port 13500 are the underlying condition to look for, independent of the specific exploit buffer.
  • Although the CVE text describes a denial of service (crash), the public exploit carries a NOP sled, shellcode and a return address, i.e. it is written for code execution; treat a hit as a potential compromise of the host, not only a service crash.
  • The return address 0x0047d7a7 is hardcoded for WinComLPD 3.0.2.623 only; the exploit will not work as-is against other versions, although other versions may still be vulnerable. Matching this address (as the little-endian DWORD \xa7\xd7\x47\x00) catches the published exploit but not a retargeted one.
  • Bad characters \x00 and \x0a are filtered from the payload, so detection signatures must not expect these bytes in the shellcode portion of the exploit buffer.
  • Payload space is limited to 600 bytes; shellcode larger than that cannot be delivered via this exploit path.
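The indicators above can be turned into a small offline triage check. The following is an added example, not code from the page, from the vendor or from the exploit author: the port, the 12-byte header prefix, the ~872-byte buffer size, the NOP sled and the hardcoded return address 0x0047d7a7 come from the IOC notes above; the minimum NOP-run length (32 bytes), the assumed header/sled/shellcode/return-address layout, and the sample payloads are assumptions constructed for illustration.

```python
"""Offline triage helper for CVE-2008-5159 indicators (WinComLPD, TCP/13500).

Added example; not from the page, the vendor or the exploit author. Port,
header prefix, ~872-byte buffer size and return address 0x0047d7a7 come from
the page's IOC notes. NOP_SLED_MIN, the buffer layout (header, NOP sled,
shellcode, return address) and the sample payloads are assumptions.
"""
from dataclasses import dataclass, field
import struct

WINCOMLPD_ADMIN_PORT = 13500
EXPLOIT_HEADER = bytes.fromhex("65000000000000040000ff1f")  # page's 12-byte prefix
OVERSIZED_THRESHOLD = 872          # exploit buffer size noted on the page
NOP_SLED_MIN = 32                  # assumption: shortest 0x90 run worth flagging
# 0x0047d7a7 encoded as the little-endian DWORD an x86 stack overflow would carry
RETURN_ADDRESS_LE = struct.pack("<I", 0x0047D7A7)
EXPLOIT_BAD_CHARS = b"\x00\x0a"    # page: filtered out of the shellcode portion


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_payload(dst_port: int, payload: bytes) -> Verdict:
    """Score one TCP payload; only traffic to the admin service is in scope."""
    reasons = []
    if dst_port != WINCOMLPD_ADMIN_PORT:
        return Verdict(False, reasons)
    if payload.startswith(EXPLOIT_HEADER):
        reasons.append("starts with the published exploit header prefix")
    if len(payload) > OVERSIZED_THRESHOLD:
        reasons.append(f"{len(payload)} bytes, above the {OVERSIZED_THRESHOLD}-byte exploit buffer size")
    if b"\x90" * NOP_SLED_MIN in payload:
        reasons.append(f"contains a NOP sled of at least {NOP_SLED_MIN} x 0x90")
    if RETURN_ADDRESS_LE in payload:
        reasons.append("contains 0x0047d7a7 (return address for 3.0.2.623) as a little-endian DWORD")
    return Verdict(bool(reasons), reasons)


def shellcode_region_is_badchar_free(payload: bytes) -> bool:
    """Check for signature writers: the page says \\x00 and \\x0a never appear in
    the shellcode portion, so a rule that expects them there will not fire on the
    real exploit. Assumes the return address trails the buffer (assumption)."""
    if not payload.startswith(EXPLOIT_HEADER):
        return False
    body = payload[len(EXPLOIT_HEADER):]
    if body.endswith(RETURN_ADDRESS_LE):
        body = body[:-len(RETURN_ADDRESS_LE)]
    return not any(b in body for b in EXPLOIT_BAD_CHARS)


def sample_exploit_like_payload() -> bytes:
    """Constructed stand-in for the exploit buffer (no real shellcode): header,
    600-byte NOP sled, 300 filler bytes, trailing return address."""
    return EXPLOIT_HEADER + b"\x90" * 600 + b"\xcc" * 300 + RETURN_ADDRESS_LE


def sample_benign_payload() -> bytes:
    """Constructed short admin message that does not match the exploit prefix."""
    return b"\x65\x00\x00\x00" + b"ADMIN\x0a"


if __name__ == "__main__":
    for label, port, data in (
        ("exploit-like", WINCOMLPD_ADMIN_PORT, sample_exploit_like_payload()),
        ("benign", WINCOMLPD_ADMIN_PORT, sample_benign_payload()),
        ("wrong port", 80, sample_exploit_like_payload()),
    ):
        v = inspect_payload(port, data)
        print(f"{label}: suspicious={v.suspicious}")
        for r in v.reasons:
            print(f"  - {r}")
```

Each indicator contributes one reason so that an analyst can see which of the page's IOCs fired; the return-address match is the most specific but, as the page notes, only covers the exploit as published for 3.0.2.623, so the size and length-field checks remain the ones that generalise to retargeted builds.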