CVE-2008-5405
published 2008-12-10

Priority: P262
Score: 9.3 critical (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 46.98% (98.7th percentile)
Stack-based buffer overflow in the RDP protocol password decoder in Cain & Abel 4.9.23 and 4.9.24, and possibly earlier, allows remote attackers to execute arbitrary code via an RDP file containing a long string.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
oxid | cain_and_abel | |
oxid | cain_and_abel | |

Detection & IOCs (extracted from sources)

filename: cain.rdp
filename: exploit_cain.rdp
registry: 0x7E492FB7
other: 0x7c82385d
other: 0x71ab7bfb
other: 0x7c951eed
bytes:
\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46\xcd\x10\x60
  • The exploit overwrites EIP at offset 8206 with a return address, followed by payload. A pattern of 8206 bytes of repeated characters before a 4-byte return address in an .rdp file is a strong indicator of exploitation.
  • The Metasploit module uses AlphanumMixed encoding with bad chars \x00\x0a\x0d\x3c\x22\x3e\x3d; encoded shellcode in .rdp files will be alphanumeric mixed-case.
  • The win32_adduser shellcode in exploit 7329 creates a local user account (USER=user, PASS=pass). Post-exploitation indicator: unexpected local account 'user' created after Cain .rdp file processing.
  • Return addresses (ROP gadgets) are platform-specific; the three targets cover Windows XP SP0/1/2 English and SP2 Spanish only. Exploitation on other OS versions or service packs requires different return addresses.
  • The vulnerability requires user interaction: the victim must manually open the crafted .rdp file via Cain's Tools -> Remote Desktop Password Decoder menu. It is not a remote network-exploitable vector.
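
A triage check for the indicator in the first bullet, added here as an example (not code from the cited sources or from Cain & Abel): it flags .rdp lines long enough to reach the return address at offset 8206 and marks those that also contain a long single-character filler run. The function names, the 1024-character run threshold and the sample files are assumptions.

```python
import re

EIP_OFFSET = 8206   # offset of the saved return address, as stated on this page
RET_LEN = 4         # one 32-bit return address
MIN_RUN = 1024      # assumption: shortest single-character run treated as filler
FILLER = re.compile(r"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)

def decode_rdp(raw: bytes) -> str:
    """mstsc writes UTF-16LE with a BOM; hand-built files are usually 8-bit."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")  # maps every byte to exactly one character

def scan_rdp(raw: bytes) -> list:
    """Return (line number, reason, line length) for each suspicious line."""
    findings = []
    # Split on CR/LF only: str.splitlines() would also break on \x0b, \x85, ...
    for number, line in enumerate(re.split(r"\r?\n", decode_rdp(raw)), 1):
        if len(line) < EIP_OFFSET + RET_LEN:
            continue  # too short to reach the saved return address
        reason = "filler-run" if FILLER.search(line) else "overlong-line"
        findings.append((number, reason, len(line)))
    return findings

# Constructed samples (not taken from any real exploit file).
BENIGN = (b"screen mode id:i:2\r\nfull address:s:host.example\r\n"
          b"username:s:alice\r\npassword 51:b:" + b"01AB" * 300 + b"\r\n")
SUSPECT = b"screen mode id:i:2\r\n" + b"A" * EIP_OFFSET + b"BBBB" + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_rdp(blob))
```

An "overlong-line" result without a filler run still deserves a manual look, since the padding before the return address does not have to be a single repeated character.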