CVE-2011-0647
published 2011-02-10

Priority: P180 critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 63.68% (99.1th percentile)
The irccd.exe service in EMC Replication Manager Client before 5.3 and NetWorker Module for Microsoft Applications 2.1.x and 2.2.x allows remote attackers to execute arbitrary commands via the RunProgram function to TCP port 6542.

Affected

6 ranges

Vendor  Product              Version range  Fixed in
emc     networker_module
emc     networker_module
emc     replication_manager  <= 5.2.3
emc     replication_manager
emc     replication_manager
emc     replication_manager

Detection & IOCs (extracted from sources)

port: 6542/tcp
process: irccd.exe
command: cmd /c <cmd>
bytes: 1HELLOEMC00000000000000000000000
bytes: EMC_Len00000001361
  • Monitor for inbound TCP connections to port 6542 targeting irccd.exe; any connection from an external/untrusted host should be treated as suspicious.
  • Detect exploit handshake by inspecting TCP payloads on port 6542 for the literal string '1HELLOEMC' followed by null-padded bytes, which is the initial hello beacon sent by the attacker.
  • Detect session-establishment packets by looking for the pattern 'EMC_Len' followed by a numeric length field on port 6542; this prefix is used for both session setup and RunProgram command delivery.
  • Alert on irccd.exe spawning cmd.exe or any child process, as exploitation results in arbitrary command execution with SYSTEM privileges via the RunProgram function.
  • The Metasploit module uses a VBS CmdStager payload ('CmdStagerFlavor' => 'vbs'); look for irccd.exe writing or executing .vbs files on disk as a post-exploitation indicator.
  • Server responds with 'RAWHELLO' to the initial hello probe; network signatures can match this response string on port 6542 to fingerprint vulnerable/exposed instances.
  • The exploit module targets only Windows x86 (XP and Windows 2003) with a native payload space of 4096 bytes; detection logic should not assume exploitation on 64-bit or non-Windows platforms.
  • EMC Networker Module for Microsoft Applications 2.1 and 2.2 may also expose the vulnerable service on port 6542, but the Metasploit module was not tested against those products; coverage should extend beyond Replication Manager.
  • The module uses a WfsDelay of 5 seconds and a linemax of 5000 bytes for the CmdStager; timing-based detections should account for this deliberate delay between stager chunks.