CVE-2010-1318
Published 2010-04-20
Priority: P2 (72) · Severity: critical · CVSS 2.0 base score: 10.0 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 58.05% (99.0th percentile)

Stack-based buffer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via unspecified vectors.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | helix_mobile_server | <= 13.1.1 | — |
| realnetworks | helix_server | <= 13.1.1 | — |
| realnetworks | helix_server | — | — |
| realnetworks | helix_server | — | — |
| realnetworks | helix_server | — | — |
| realnetworks | helix_server | — | — |
| realnetworks | helix_server_mobile | — | — |
| realnetworks | helix_server_mobile | — | — |
| realnetworks | helix_server_mobile | — | — |
Detection & IOCs (extracted from sources)

Byte sequence: `\x81\xc4\xf0\xef\xff\xff`

Detection guidance:

- Flag large TCP payloads (~25000 bytes) sent to port 705 following a small initial header packet; the Metasploit module sends a crafted header followed by a large stack-spray buffer of this size.
- Alert on the ROP gadget address 0x46664b (mov esp,ebp / pop ebp / ret) within network traffic to port 705; this is the return address used by the Metasploit module targeting Helix Server v12/v13.
- Detect the stack-pivot prepend encoder bytes \x81\xc4\xf0\xef\xff\xff in payloads sent to port 705; this sequence adjusts ESP and is prepended to the shellcode by the Metasploit exploit module.

Caveats stated by the exploit module:

- The Metasploit module explicitly states that it does not work when NX/XD (hardware DEP) is enabled on the target system, limiting exploitation to systems without DEP.
- The BufAddr (heap buffer address) used by the Metasploit module varies between runs and environments, which may affect reliability; the module hardcodes 0x1053880 as a best-effort value.
- Sending a BufSize that is too large causes the buffer to be unmapped on free, breaking exploitation; the module uses 25000 bytes as a safe upper bound.
- Sending more data after the header smashes the low bytes of the socket handle, which disrupts exploitation; the module carefully limits post-header data to avoid this.
No detection rules found.
Exploit-DB: AgentX++ Master - AgentX::receive_agentx Stack Buffer Overflow (Metasploit), published 2010-05-11

---

The indexed Exploit-DB entry is an excerpt of the Metasploit module header (the page truncates it mid-description):

```ruby
##
# $Id: agentxpp_receive_agentx.rb 9279 2010-05-11 01:56:20Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	'Name'           => 'AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow',
	'Description'    => %q{
		This exploits a stack buffer overflow in the AgentX++ library, as used by
		various applications. By sending a specially crafted request, an attacker can
		execute arbitrary code, potentially with SYSTEM privileges.

		This module was tested successfully against master
```
Exploit-DB: Multiple Vendor AgentX++ - Stack Buffer Overflow (PoC), published 2010-04-17, CVSS 10.0 [CRITICAL]

---

The indexed Exploit-DB entry is an excerpt of the ZSploit.com PoC header; its docstring quotes the start of the vulnerable AgentX++ function, with `[1]` marking the fixed-size stack buffer (the page truncates the excerpt at the read loop):

```python
# Exploit Title: Multiple Vendor AgentX++ Stack Buffer Overflow Vulnerability
# Date: 2010-04-17
# Author: ZSploit.com
# Software Link: N/A
# Version: N/A
# Tested on: RealNetworks Helix Server v11
# CVE : CVE-2010-1318

#! /usr/bin/env python
###############################################################################
## File        : zs_agentx_bof.py
## Description :
##             :
## Created_On  : Apr 17 2010
##
## (c) Copyright 2010, ZSploit.com. all rights reserved.
###############################################################################
"""
int AgentX::receive_agentx(int sd, AgentXPdu& pdu)
{
    u_char buffer[AGENTX_HEADER_LEN+1];    [1]
    u_int payloadLen;
    boolean netByteOrder;
    int status;

    // read header
    unsigned int bytesRead = 0;
    while
```
Metasploit: AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow

This exploits a stack buffer overflow in the AgentX++ library, as used by various applications. By sending a specially crafted request, an attacker can execute arbitrary code, potentially with SYSTEM privileges. This module was tested successfully against master.exe as included with Real Network's Helix Server v12. When installed as a service with Helix Server, the service runs as SYSTEM, has no recovery action, but will start automatically on boot. This module does not work with NX/XD enabled but could be modified easily to do so. The address
No writeups or analysis indexed.
References:

- http://secunia.com/advisories/39279
- http://www.realnetworks.com/uploadedFiles/Support/helix-support/SecurityUpdate041410HS.pdf
- http://www.securityfocus.com/bid/39490
- http://www.vupen.com/english/advisories/2010/0889