cbcvebase.
CVE-2010-1318
published 2010-04-20

Priority: P272, critical, 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 58.05% (99.0th percentile)
Stack-based buffer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via unspecified vectors.

Affected

9 ranges

Vendor        Product              Version range  Fixed in
realnetworks  helix_mobile_server  <= 13.1.1
realnetworks  helix_server         <= 13.1.1
realnetworks  helix_server
realnetworks  helix_server
realnetworks  helix_server
realnetworks  helix_server
realnetworks  helix_server_mobile
realnetworks  helix_server_mobile
realnetworks  helix_server_mobile

Detection & IOCs (extracted from sources)

port: 705
other: 0x46664b (mov esp,ebp / pop ebp / ret in master.exe)
other: 0x7c3d55b7 (jmp esp from bundled msvcp71.dll)
bytes: \x81\xc4\xf0\xef\xff\xff
  • Flag large TCP payloads (~25000 bytes) sent to port 705 following a small initial header packet; the Metasploit module sends a crafted header then a large stack-spray buffer of this size.
  • Alert on use of the ROP gadget address 0x46664b (mov esp,ebp / pop ebp / ret) within network traffic to port 705, as this is the return address used by the Metasploit module targeting Helix Server v12/v13.
  • Detect the stack-pivot prepend encoder bytes \x81\xc4\xf0\xef\xff\xff in payloads sent to port 705; this sequence adjusts ESP and is prepended to shellcode by the Metasploit exploit module.
  • The Metasploit module explicitly states it does not work when NX/XD (hardware DEP) is enabled on the target system, limiting exploitation to systems without DEP.
  • The BufAddr (heap buffer address) used by the Metasploit module varies between runs/environments, which may affect reliability; the module hardcodes 0x1053880 as a best-effort value.
  • Sending a BufSize that is too large causes the buffer to be unmapped on free, breaking exploitation; the module uses 25000 bytes as a safe upper bound.
  • Sending more data after the header smashes the low bytes of the socket handle, which disrupts exploitation; the module carefully limits post-header data to avoid this.
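
Added example (not from the source page or from the Metasploit module): the three detection heuristics above applied to one reassembled client-to-server flow. The size thresholds, the 32-bit little-endian encoding of the gadget address, and the function and heuristic names are assumptions; the sample flow is constructed filler, not captured traffic.

```python
import struct

AGENTX_PORT = 705                            # port listed on the page
GADGET = struct.pack("<I", 0x46664B)         # assumption: 32-bit little-endian on the wire
ESP_ADJUST = b"\x81\xc4\xf0\xef\xff\xff"     # byte sequence listed on the page
SMALL_HEADER_MAX = 64        # assumption: upper bound for the "small initial header packet"
LARGE_PAYLOAD_MIN = 20000    # assumption: threshold set below the ~25000 bytes on the page


def inspect_flow(dst_port, segments):
    """Return the names of the heuristics matched by one client-to-server flow.

    segments: list of bytes objects, one per TCP payload, in arrival order.
    """
    if dst_port != AGENTX_PORT or not segments:
        return []
    hits = []
    first, rest = segments[0], b"".join(segments[1:])
    if len(first) <= SMALL_HEADER_MAX and len(rest) >= LARGE_PAYLOAD_MIN:
        hits.append("large-payload-after-small-header")
    # Search the reassembled stream so a pattern split across segments still matches.
    stream = b"".join(segments)
    if GADGET in stream:
        hits.append("gadget-address-0x46664b")
    if ESP_ADJUST in stream:
        hits.append("esp-adjust-bytes")
    return hits


def constructed_flow():
    """Constructed sample: 20-byte header, then 25000 bytes of filler with both markers."""
    body = b"A" * 1000 + ESP_ADJUST + b"A" * 2000 + GADGET
    body += b"A" * (25000 - len(body))
    # The segment boundary falls inside ESP_ADJUST to exercise reassembly.
    return [b"H" * 20, body[:1003], body[1003:]]


if __name__ == "__main__":
    print(inspect_flow(705, constructed_flow()))
    print(inspect_flow(705, [b"H" * 20, b"B" * 40]))
```

A four-byte or six-byte match can occur by chance in unrelated binary data, so the two byte-pattern hits are best treated as supporting evidence for the size heuristic rather than as standalone alerts.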