CVE-2009-2227
published 2009-06-26


Priority P273 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 68.58% (99.3th percentile)

Stack-based buffer overflow in B Labs Bopup Communication Server 3.2.26.5460 allows remote attackers to execute arbitrary code via a crafted request to TCP port 19810.

Affected (1 range)

Vendor | Product | Version range | Fixed in
blabsoft | bopup_communication_server | |

Detection & IOCs (extracted from sources)

port: 19810/tcp
registry: 0x0041add2
registry: 0x00401DD5
registry: 0x004014E0
port: 10000/tcp
bytes: \x81\xc4\xff\xef\xff\xff\x44
bytes: \x01\x00\x00\x00
bytes: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45

  • Detect exploit attempts by monitoring for TCP connections to port 19810 carrying a packet whose first 4 bytes are \x01\x00\x00\x00 followed by a large (~829+ byte) payload — the characteristic structure of the Bopup Communications Server buffer overflow exploit.
  • Payload bad characters for this exploit are \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40; encoded shellcode on the wire will avoid these bytes — use this to tune IDS signatures.
  • The Python PoC exploit sends a payload starting with \x01\x00\x00\x00 followed by 821 bytes of padding/shellcode, then 27 bytes padding, a 5-byte call-back instruction, and a SEH overwrite — total packet length is BOPUP_STR_OFFSET (0x19) + BOPUP_STR_LEN (0x348+8) bytes.
  • The return addresses 0x0041add2 (Metasploit) and 0x00401DD5 (C PoC) are version-specific to Bopup Communications Server 3.2.26.5460 only; exploitation against other versions requires different offsets.
  • The SEH overwrite address 0x004014E0 is described as 'universal' (p/p/r in bcssrvc) for the target version, but this may not hold across service pack levels or recompilations.