CVE-2009-2685
published 2009-11-06

Priority: P274 · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) · Public exploit: yes · EPSS: 76.71% (99.5th percentile)
Stack-based buffer overflow in the login form in the management web server in HP Power Manager allows remote attackers to execute arbitrary code via the Login variable.

Detection & IOCs (extracted from sources)

url: /goform/formLogin
port: 4444
command: POST /goform/formLogin HTTP/1.1
command: HtmlOnly=true&Login=<overflow>&Password=&loginButton=Submit+Login
command: HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin<overflow>
snort: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/goform/formLogin"; nocase; http.request_body; content:"Login="; nocase; content:!"|0A|"; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/i"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; classtype:web-application-attack; sid:2010699; rev:8;)
  • Exploit sends an HTTP POST to /goform/formLogin with an overly long Login parameter (>300 bytes, up to 2024 bytes) to trigger the stack buffer overflow.
  • The Emerging Threats Snort/Suricata rule (sid:2010699) triggers on a POST to /goform/formLogin whose Login= body parameter is followed by 300+ bytes with no newline; use this as a detection threshold.
  • The exploit payload uses alphanumeric-encoded shellcode (PexAlphaNum encoder) with bad characters \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; inspect the Login parameter for long alphanumeric strings lacking these bytes.
  • The exploit targets msvcp60.dll for its return address gadget (JMP ESP / pop-pop-ret); presence of msvcp60.dll addresses in stack traces or crash dumps is indicative of exploitation.
  • Reverse shell spawned by the exploit connects back to the attacker on port 4444; monitor for outbound connections from the HP Power Manager process to port 4444.
  • The exploit sets a large negative stack adjustment (StackAdjustment -3500) prepended as \x81\xc4\xff\xef\xff\xff\x44; this byte sequence in the Login payload is a strong exploit indicator.
  • HP originally patched this in version 4.2.10, but Tenable confirmed the fix was incomplete and the same root vulnerability persisted; version 4.3.2 is the actual fix. Detection should not assume 4.2.10 is safe.
  • The ET Snort rule (sid:2010699) is marked confidence:Low; it may produce false positives on legitimate long Login values, so tune the threshold accordingly.
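The following is an added example (not code from the page's sources or from the ET ruleset) that applies the two indicators above to raw HTTP requests: the sid:2010699 logic (POST to /goform/formLogin with Login= followed by 300+ bytes and no CR/LF) and the stack-adjustment byte prefix. The sample requests, the host name, and the 400-byte filler value are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte sequence the page cites as the exploit's stack-adjustment prefix.
STACK_ADJUST_PREFIX = b"\x81\xc4\xff\xef\xff\xff\x44"
# Threshold used by ET sid:2010699: Login= followed by 300+ non-newline bytes.
LOGIN_THRESHOLD = 300


def inspect_request(raw: bytes) -> dict:
    """Check one raw HTTP request against the page's detection indicators.

    Returns the request line, the indicators that matched, and a verdict.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    indicators = []
    if method.upper() == b"POST" and uri.lower().startswith(b"/goform/formlogin"):
        # Mirror the rule's pcre /Login=[^\r\n]{300}/i: the run is measured up to
        # the next CR/LF, not the next '&', which is one source of the rule's
        # Low confidence on legitimate bodies with long trailing parameters.
        m = re.search(rb"Login=([^\r\n]*)", body, re.IGNORECASE)
        if m and len(m.group(1)) >= LOGIN_THRESHOLD:
            indicators.append(f"long_login_param:{len(m.group(1))}")
        # The stack-adjustment prefix may arrive percent-encoded, so decode first.
        if STACK_ADJUST_PREFIX in unquote_to_bytes(body):
            indicators.append("stack_adjust_prefix")
    return {
        "request_line": head.split(b"\r\n", 1)[0].decode("latin-1"),
        "indicators": indicators,
        "verdict": "alert" if indicators else "clean",
    }


def _build_login_post(login: bytes) -> bytes:
    # Constructed sample request in the body format quoted on the page.
    body = b"HtmlOnly=true&Login=" + login + b"&Password=&loginButton=Submit+Login"
    return (b"POST /goform/formLogin HTTP/1.1\r\nHost: hpm.example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


BENIGN_REQUEST = _build_login_post(b"admin")
# Constructed oversized Login value: 400 filler bytes, which is what the rule keys on.
OVERSIZED_REQUEST = _build_login_post(b"A" * 400)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, OVERSIZED_REQUEST):
        print(inspect_request(req))
```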