CVE-2010-4741
published 2011-02-18


Priority: P2 (69), critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 27.84% (97.9th percentile)
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.

Affected (1 range)

Vendor  Product   Version range  Fixed in
moxa    mdm_tool  <= 2.1         -

Detection & IOCs (extracted from sources)

  port:      54321/TCP
  filename:  MDMUtil.dll
  filename:  MDMTool.exe
  other:     0x1016bca7 (RET address in UTU.dll for MOXA MDM Tool 2.1)
  bytes:     sploit[0, 4] = [0x29001028].pack('V') (4-byte header magic at offset 0 of exploit buffer)
  • Monitor for inbound TCP connections on port 54321 originating from external/untrusted hosts targeting MDMTool.exe; the exploit server listens on this port and sends a crafted 18024-byte buffer to the connecting MDM client.
  • Detect oversized responses (≥18024 bytes) on TCP port 54321 purporting to be MDMGw (MDM2_Gateway) protocol messages; legitimate MDM gateway responses are not expected to be this large.
  • Look for SEH-based exploit patterns in TCP/54321 traffic: a structured exception handler record followed immediately by a short backward 'call $-550' stub at offset 1080 within the payload.
  • Flag processes spawned by MDMTool.exe with elevated privileges; the Metasploit module auto-runs a privilege migration post-exploitation script after successful exploitation.
  • The exploit payload is embedded at offset 472 within the buffer and bad characters \x00\x0a\x0d\x20 are avoided; IDS signatures for TCP/54321 should flag buffers containing shellcode-like content at that offset.
  • The return address 0x1016bca7 is specific to UTU.dll as loaded by MOXA MDM Tool 2.1; detections keyed on this exact value will not fire against other versions or a ROP-based variant of the exploit.
  • The Metasploit module acts as a rogue MDM Gateway server (SRVPORT 54321), meaning the victim MDM Tool client initiates the connection outbound; perimeter rules blocking inbound 54321 alone are insufficient, and egress filtering on MDMTool.exe connections is also required.
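The size- and address-based checks above, as an added detection example (not code from this page, Moxa, or the Metasploit module): it inspects one server-to-client message from a TCP/54321 session and reports why it looks like the crafted buffer. The sample messages are constructed here for the test; the port, buffer length, header magic and RET address come from the indicators above.

```python
import struct

# Indicator values taken from the CVE-2010-4741 detection notes above
MDM_GATEWAY_PORT = 54321
CRAFTED_BUFFER_LEN = 18024                        # crafted buffer sent to the MDM client
HEADER_MAGIC = struct.pack('<I', 0x29001028)      # 4-byte header at offset 0
UTU_RET_ADDR = struct.pack('<I', 0x1016bca7)      # RET address in UTU.dll, MDM Tool 2.1


def inspect_gateway_message(payload, server_port):
    """Return a list of detection reasons for one message sent by the
    (possibly rogue) MDM gateway to the MDM Tool client.  Empty list = clean.
    server_port is the gateway-side port: the client connects outbound to it."""
    if server_port != MDM_GATEWAY_PORT:
        return []
    reasons = []
    # Legitimate gateway responses are not expected to approach 18024 bytes
    if len(payload) >= CRAFTED_BUFFER_LEN:
        reasons.append('oversized response (%d bytes >= %d)'
                       % (len(payload), CRAFTED_BUFFER_LEN))
    # Version-specific indicator: the UTU.dll return address used against 2.1
    if UTU_RET_ADDR in payload:
        reasons.append('UTU.dll return address 0x1016bca7 present at offset %d'
                       % payload.index(UTU_RET_ADDR))
    # The header magic alone is normal protocol framing; only report it as
    # context when something else already made the message suspicious
    if reasons and payload[:4] == HEADER_MAGIC:
        reasons.append('MDM header magic 0x29001028 at offset 0')
    return reasons


def flag_session_messages(messages):
    """messages: iterable of (server_port, payload).  Returns the indices of
    messages that produced at least one detection reason."""
    return [i for i, (port, data) in enumerate(messages)
            if inspect_gateway_message(data, port)]


# Constructed samples (not captured traffic): a short framed reply and an
# oversized reply carrying the version-specific return address.
BENIGN_REPLY = HEADER_MAGIC + b'\x00' * 60
SUSPECT_REPLY = HEADER_MAGIC + b'A' * (CRAFTED_BUFFER_LEN - 8) + UTU_RET_ADDR
```

Run against real captures by feeding each gateway-to-client TCP payload together with the gateway's port; the constructed samples only exercise the two indicator checks.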