CVE-2010-1185
Published: 2010-03-29


Priority: P2 (63) · critical · CVSS 2.0 base score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC available
EPSS: 15.22% (96.3rd percentile)
Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information.

Affected (3 ranges)

Vendor  Product  Version range  Fixed in
sap     maxdb
sap     maxdb
sap     maxdb

Detection & IOCs (extracted from sources)

port: 7210/tcp
process: serv.exe
bytes: \x63\x00\x00\x00\x03\x2f\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff\x00\x00\x04\x00\x63\x00\x00\x00\x00\x02\x4b\x00\x04\x09\x00\x00\x44\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x6d\x61
bytes: T00WT00W
bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
  • Detect exploit attempts by monitoring for TCP connections to port 7210 carrying oversized handshake packets (>5000 bytes) with the malformed MaxDB handshake header magic bytes 0x63 0x00 0x00 0x00 0x03 0x2f at offset 0.
  • Hunt for the egg-hunter tag 'T00WT00W' (bytes 54 30 30 57 54 30 30 57) in TCP payloads on port 7210, which is the egg marker used by this exploit to locate shellcode.
  • Alert on the Windows egg-hunter stub (int 2e / NtAccessCheckAndAuditAlarm syscall pattern: CD 2E 3C 05) appearing in network traffic on port 7210, indicative of this exploit's egghunter shellcode.
  • Monitor serv.exe (SAP MaxDB listener) for unexpected child process creation or outbound connections following receipt of a large packet on TCP/7210, which may indicate successful exploitation and shell spawning.
  • The exploit targets an invalid length parameter in the handshake packet; IDS rules should flag packets to TCP/7210 where the declared length field in the MaxDB handshake header does not match the actual payload length.
  • The exploit PoC hardcodes a private/lab IP (172.16.29.133) as the target; this IP is not threat-actor infrastructure and should not be used as a network-level block indicator.
  • The return address (ret = \x08\xf1\xa0\x00) is specific to Windows XP SP2 EN and the tested MaxDB version 7.7.06.09; it will differ on other OS/patch levels, so byte-matching the RET value alone is not a reliable universal detection.
  • Affected versions span 7.4.3.32 and 7.6.0.37 through 7.6.06 per NVD, but the PoC was tested on 7.7.06.09; detection logic should not be version-gated, as the vulnerable component (serv.exe on TCP/7210) is consistent across versions.
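The detection notes above can be combined into a single payload inspector. The following is an added example for illustration, not code from this page's sources or from SAP: it checks a TCP/7210 payload for the oversized-handshake condition, the egg tag, the egg-hunter stub, and the declared-vs-actual length mismatch. The header magic, tag and stub bytes come from the IoC list; the sample payloads are constructed here. One assumption is labelled in the code: the page does not give the MaxDB header layout, so the example treats the little-endian uint32 at offset 0 (0x63 = 99 in the observed packet) as the declared packet length.

```python
"""Inspect SAP MaxDB handshake payloads on TCP/7210 for the CVE-2010-1185 indicators.

Added example (not from the advisory sources). Returns a list of finding tags so the
caller can map them onto IDS alerts or SIEM fields.
"""
import struct

MAXDB_PORT = 7210
OVERSIZED_THRESHOLD = 5000                     # ">5000 bytes" from the detection notes
HANDSHAKE_MAGIC = bytes.fromhex("63000000032f")  # 0x63 00 00 00 03 2f at offset 0
EGG_TAG = b"T00WT00W"                          # egg-hunter marker, 54 30 30 57 repeated
EGGHUNTER_STUB = bytes.fromhex("cd2e3c05")       # int 2e ; cmp al,5 (NtAccessCheckAndAuditAlarm loop)


def declared_length(payload: bytes):
    """ASSUMPTION (not stated on the page): the packet's declared length is the
    little-endian uint32 at offset 0. In the observed handshake that field is 0x63 (99)."""
    if len(payload) < 4:
        return None
    return struct.unpack_from("<I", payload, 0)[0]


def inspect_handshake(payload: bytes, dst_port: int = MAXDB_PORT) -> list:
    """Return the indicator tags present in one payload destined for dst_port."""
    findings = []
    if dst_port != MAXDB_PORT:
        return findings                         # scope to the MaxDB listener only

    has_magic = payload.startswith(HANDSHAKE_MAGIC)
    if has_magic and len(payload) > OVERSIZED_THRESHOLD:
        findings.append("oversized_handshake")

    length = declared_length(payload)
    if has_magic and length is not None and length != len(payload):
        findings.append("length_mismatch")      # declared header length != bytes on the wire

    if EGG_TAG in payload:
        findings.append("egg_tag")
    if EGGHUNTER_STUB in payload:
        findings.append("egghunter_stub")
    return findings


# First 50 bytes of the handshake as listed in the IoC section.
OBSERVED_PREFIX = bytes.fromhex(
    "63000000032f0000" "01000000" "ffffffff" "00000400" "63000000" "00024b00"
    "04090000" "44200000" "00000000" "00000000" "ffffffff" "6d61"
)

# Constructed benign sample: padded so the actual length equals the declared 99 bytes.
BENIGN_SAMPLE = OBSERVED_PREFIX + b"\x00" * (99 - len(OBSERVED_PREFIX))

# Constructed suspicious sample: same header, oversized filler, then the two markers.
# (Filler and NOP-like bytes are inert fixtures for the detector, nothing executable.)
SUSPICIOUS_SAMPLE = OBSERVED_PREFIX + b"A" * 5500 + EGG_TAG + EGGHUNTER_STUB + b"\x90" * 16


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"{name}: declared={declared_length(sample)} actual={len(sample)} "
              f"findings={inspect_handshake(sample)}")
```

The length check is the most portable of the four: the RET value and the tested version differ between targets, but a handshake whose declared length disagrees with the bytes actually received is anomalous regardless of payload encoding. Verify the offset-0 assumption against real MaxDB traffic before deploying the rule.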