CVE-2009-4988
published 2010-08-25


Priority: P2 74 · Severity: critical · CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 65.52% (99.2th percentile)
Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business One 2005 A 6.80.123 and 6.80.320 allows remote attackers to execute arbitrary code via a long GIOP request to TCP port 30000.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
sap | business_one_2005-a | (not listed) | (not listed)
sap | business_one_2005-a | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

port: 30000/tcp
filename: NT_Naming_Service.exe
registry: 0x00547b82 (labelled "registry" in the record; per the notes below this is the push esp/ret gadget address in tao2005.dll)
other: 0x773a73fb (JMP ESP, User32.dll, Server2k3 R2 STD/ENT SP2)
bytes: \x47\x49\x4f\x50\x01\x00\x01\x00 (GIOP magic header)
  • Detect exploit attempts by matching TCP traffic to port 30000 beginning with the 8-byte GIOP magic header '\x47\x49\x4f\x50\x01\x00\x01\x00' followed by an abnormally large payload (>1000 bytes), indicative of the buffer overflow trigger.
  • The PoC exploit sends the GIOP header followed by '\x2f\x5c' repeated 500 times as padding before the return address; this pattern on port 30000 is a strong indicator of exploitation.
  • Monitor for NOP sled patterns (\x90 * 44 or \x90 * 384) appended after a return address in TCP streams to port 30000, consistent with shellcode delivery in this exploit.
  • The Metasploit module uses tao2005.dll as the ROP gadget source (push esp/ret at 0x00547b82); presence of this DLL loaded in NT_Naming_Service.exe and crashes at that address indicate active exploitation.
  • The PoC hardcodes a test IP (10.0.0.241) and is confirmed only against Windows Server 2003 R2 STD/ENT SP2; the return address 0x773a73fb (User32.dll JMP ESP) is OS/SP-specific and will differ on other platforms.
  • The Metasploit module targets only 'Sap Business One 2005 B1 Universal' with a single return address (0x00547b82 from tao2005.dll); exploitation against other OS/SP combinations requires a different return address.
  • Affected versions are specifically SAP Business One 2005 A 6.80.123 and 6.80.320; other versions are not confirmed vulnerable.
  • The Metasploit payload space is limited to 400 bytes with null bytes as bad characters; payloads exceeding this or containing \x00 will fail.
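The detection heuristics listed above (GIOP magic on 30000/tcp plus an oversized request, the PoC's \x2f\x5c padding, and a NOP sled), written as a check over reassembled client-to-server TCP streams. This is an added example, not code from the source page, SAP, or the Metasploit module; the stream tuples and the sample streams are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Indicator constants taken from the detection notes above.
GIOP_MAGIC = b"\x47\x49\x4f\x50\x01\x00\x01\x00"  # "GIOP", v1.0, little-endian, Request
POC_PADDING = b"\x2f\x5c" * 500                    # padding the PoC places before the return address
NOP_SLED_RE = re.compile(rb"\x90{44,}")            # shortest sled length named in the notes
OVERSIZE_BYTES = 1000
SERVICE_PORT = 30000

def inspect_stream(dst_port: int, payload: bytes) -> List[str]:
    """Return the names of every indicator that fires on one client->server stream."""
    hits: List[str] = []
    if dst_port != SERVICE_PORT or not payload.startswith(GIOP_MAGIC):
        return hits
    body = payload[len(GIOP_MAGIC):]
    if len(payload) > OVERSIZE_BYTES:
        hits.append("oversized-giop-request")  # noisy alone: large legitimate requests exist
    if body.startswith(POC_PADDING):
        hits.append("poc-padding-2f5c")        # high confidence: matches the public PoC
    if NOP_SLED_RE.search(body):
        hits.append("nop-sled")
    return hits

def scan_streams(streams) -> Dict[Tuple[str, int], List[str]]:
    """Map (src_ip, dst_port) to the indicator hits for each stream that fired anything."""
    findings: Dict[Tuple[str, int], List[str]] = {}
    for src_ip, dst_port, payload in streams:
        hits = inspect_stream(dst_port, payload)
        if hits:
            findings[(src_ip, dst_port)] = hits
    return findings

# Constructed sample streams (not captured traffic): a short, well-formed GIOP
# request; a stream mirroring the PoC layout with inert filler in place of the
# return address and shellcode; and the same bytes sent to an unrelated port.
SAMPLE_BENIGN = GIOP_MAGIC + bytes(48)
SAMPLE_POC_LAYOUT = GIOP_MAGIC + POC_PADDING + b"A" * 4 + b"\x90" * 44 + b"A" * 400
SAMPLE_STREAMS = [
    ("192.0.2.10", 30000, SAMPLE_BENIGN),
    ("192.0.2.77", 30000, SAMPLE_POC_LAYOUT),
    ("192.0.2.77", 8080, SAMPLE_POC_LAYOUT),
]

if __name__ == "__main__":
    for key, hits in scan_streams(SAMPLE_STREAMS).items():
        print(key, hits)
```

The oversize rule fires on any GIOP request over 1000 bytes, so treat it as corroborating evidence and alert on the padding or sled matches.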