CVE-2011-0517
published 2011-01-20

Priority: P270 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module)
EPSS: 40.46% (98.5th percentile)

Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823.

Affected (1 range)

Vendor          Product      Version range   Fixed in
sielcosistemi   winlog_pro   <= 2.07.00

Detection & IOCs (extracted from sources)

port: 46823/tcp
command: opcode 0x02 with header bytes 0x02 0x01 0x01
command: udpsz -T -b a -C 020101 SERVER 46823 1000
process: Runtime.exe
other: SEH overwrite return address: 0x011946de (Winlog Lite 2.07.00)
  • Alert on TCP connections to port 46823 where the first byte of the payload is 0x02 followed by bytes 0x01 0x01; this matches the opcode header used to trigger the overflow.
  • Alert on TCP payloads to port 46823 exceeding ~588 bytes after the 3-byte opcode header (0x02 0x01 0x01), since the overflow requires ~588 bytes of padding before the SEH overwrite.
  • Monitor for the Metasploit post-exploitation default option 'migrate -f' immediately after exploitation of this vulnerability; it indicates process migration following shellcode execution.
  • The vulnerable function at offset 0x00446795 in Runtime.exe performs an unbounded memcpy into a ~60-byte stack buffer; the absence of stack canaries or DEP on this process is a prerequisite for exploitation.
  • The exploit uses a structured exception handler (SEH) overwrite; SEH-chain corruption in Runtime.exe is a strong indicator of active exploitation.
  • The vulnerability is only exploitable when the TCP/IP server feature is explicitly enabled in the Winlog project configuration; installations without this option are not exposed remotely.
  • The Metasploit module targets only Winlog Lite 2.07.00 with a hardcoded return address; other builds or versions may require a different RET value, and the exploit may not work reliably against them.
  • Payload bad characters include null bytes, spaces, newlines, and carriage returns; shellcode must be encoded to avoid these bytes or delivery will fail.