CVE-2010-4741
Published 2011-02-18
Priority P2 · 69 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS 27.84% (97.9th percentile)
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moxa | mdm_tool | <= 2.1 | — |
Detection & IOCs
- bytes: `sploit[0, 4] = [0x29001028].pack('V')` — 4-byte header magic at offset 0 of the exploit buffer
- Monitor for inbound TCP connections on port 54321 originating from external/untrusted hosts targeting MDMTool.exe; the exploit server listens on this port and sends a crafted 18024-byte buffer to the connecting MDM client.
- Detect oversized responses (≥18024 bytes) on TCP port 54321 purporting to be MDMGw (MDM2_Gateway) protocol messages; legitimate MDM gateway responses are not expected to be this large.
- Look for SEH-based exploit patterns in TCP/54321 traffic: a structured exception handler record followed immediately by a short backward 'call $-550' stub at offset 1080 within the payload.
- Flag processes spawned by MDMTool.exe with elevated privileges; the Metasploit module auto-runs a privilege migration post-exploitation script after successful exploitation.
- The exploit payload is embedded at offset 472 within the buffer and bad characters \x00\x0a\x0d\x20 are avoided; IDS signatures for TCP/54321 should flag buffers containing shellcode-like content at that offset.
- Caveat: the return address 0x1016bca7 is specific to UTU.dll as loaded by MOXA MDM Tool 2.1; detections keyed on this exact value will not fire against other versions or a ROP-based variant of the exploit.
- Caveat: the Metasploit module acts as a rogue MDM Gateway server (SRVPORT 54321), meaning the victim MDM Tool client initiates the connection outbound — perimeter rules blocking inbound 54321 alone are insufficient; egress filtering on MDMTool.exe connections is also required.
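As an added defender-side example (not code from the page's sources or from the Metasploit module), the indicators above combined into a scorer for one gateway-to-client message captured on TCP/54321; the bad-character heuristic, the verdict thresholds and both sample buffers are assumptions constructed here.

```python
import struct

# Indicators from the Detection & IOCs list above. Offsets and sizes are those
# of the Metasploit module; the UTU.dll return address is MDM Tool 2.1 only.
MDM_PORT = 54321
HEADER_MAGIC = 0x29001028           # 4-byte little-endian header at offset 0
EXPLOIT_BUFFER_LEN = 18024          # size of the crafted gateway response
PAYLOAD_OFFSET = 472                # where the shellcode region starts
SEH_OFFSET = 1080                   # SEH record, followed by a backward call stub
UTU_RETADDR = 0x1016BCA7            # version-specific; never rely on it alone
BAD_CHARS = frozenset(b"\x00\x0a\x0d\x20")


def assess_mdm_response(data: bytes) -> dict:
    """Score one gateway->client message seen on TCP/54321."""
    oversized = len(data) >= EXPLOIT_BUFFER_LEN
    has_magic = len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == HEADER_MAGIC
    retaddr_hit = struct.pack("<I", UTU_RETADDR) in data
    # Heuristic (assumption): 256 bytes at the payload offset with none of the
    # exploit's avoided bad characters is atypical for ordinary protocol data.
    region = data[PAYLOAD_OFFSET:PAYLOAD_OFFSET + 256]
    badchar_free = len(region) == 256 and not (BAD_CHARS & set(region))
    if oversized and (retaddr_hit or badchar_free):
        verdict = "alert"          # size plus exploit-layout evidence
    elif oversized:
        verdict = "suspicious"     # size alone: legit replies are not this large
    else:
        verdict = "benign"         # the header magic by itself proves nothing
    return {"length": len(data), "oversized": oversized, "has_magic": has_magic,
            "retaddr_hit": retaddr_hit, "badchar_free_payload": badchar_free,
            "verdict": verdict}


def benign_sample() -> bytes:
    """Constructed: a short gateway reply carrying the header magic."""
    return struct.pack("<I", HEADER_MAGIC) + b"status=ok\r\n"


def crafted_sample() -> bytes:
    """Constructed fixture with the exploit's size and layout, filler bytes only."""
    buf = bytearray(b"A" * EXPLOIT_BUFFER_LEN)
    buf[0:4] = struct.pack("<I", HEADER_MAGIC)
    buf[SEH_OFFSET:SEH_OFFSET + 4] = struct.pack("<I", UTU_RETADDR)
    return bytes(buf)


if __name__ == "__main__":
    for name, sample in (("benign", benign_sample()), ("crafted", crafted_sample())):
        print(name, assess_mdm_response(sample))
```

The size check is the portable signal; the return-address match only confirms the 2.1/UTU.dll variant, as the caveat above notes.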
GHSA
GHSA-f988-7h8q-c8xr: Stack-based buffer overflow in MDMUtil
ghsa_unreviewed · 2022-05-17 · CVE-2010-4741 · severity HIGH · CWE-119
CISA ICS
ICS Advisory: GLEG Agora SCADA+ Exploit Pack
cisa_ics · 2018-09-06
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Last Revised: September 06, 2018
Alert Code: ICSA-11-096-01
## OVERVIEW
On March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity’s CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. The ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.
ICS-CERT has prepared t
No detection rules found.
Exploit-DB
MOXA Device Manager Tool 2.1 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-11-14 · CVE-2010-4741

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
        When sending a specially crafted MDMGw (MDM2_Gateway) response, an
        attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'Ruben Santamarta', 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-4741'],
          [ 'OSVDB', '69027'],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
          [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
        ],
      'DefaultO
```
Metasploit
MOXA Device Manager Tool 2.1 Buffer Overflow
metasploit
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=1
- http://www.kb.cert.org/vuls/id/237495
- http://www.kb.cert.org/vuls/id/MORO-8D9JX8
- http://www.moxa.com/support/download.aspx?d_id=2669
- http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf