CVE-2011-2089
published 2011-05-13

CVE-2011-2089: Stack-based buffer overflow in the SetActiveXGUID method in the VersionInfo ActiveX control in GenVersion.dll 8.0.138.0 in the WebHMI subsystem in ICONICS…

Priority: P3 · 57 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 38.46% (98.4th percentile)
Stack-based buffer overflow in the SetActiveXGUID method in the VersionInfo ActiveX control in GenVersion.dll 8.0.138.0 in the WebHMI subsystem in ICONICS BizViz 9.x before 9.22 and GENESIS32 9.x before 9.22 allows remote attackers to execute arbitrary code via a long string in the argument. NOTE: some of these details are obtained from third party information.

Affected (14 ranges)

Vendor    Product     Version range   Fixed in
iconics   bizviz      (7 ranges)
iconics   genesis32   (7 ranges)

Detection & IOCs (extracted from sources)

Type       Value
other      {CEFF5F48-BD2E-4D10-BAE5-AF729975E223}
filename   GenVersion.dll
command    target.SetActiveXGUID(sploit);
  • Detect ActiveX instantiation of ClassID {CEFF5F48-BD2E-4D10-BAE5-AF729975E223} (GenVersion.dll) in browser — especially when followed by a call to SetActiveXGUID with an abnormally long string argument.
  • Alert on HTML pages that instantiate the ICONICS WebHMI ActiveX CLSID and invoke SetActiveXGUID with a payload exceeding ~510 bytes, consistent with the known ROP offset.
  • Detect heap-spray patterns in JavaScript: large repeated unescape('%u9090') NOP sleds combined with the exploit shellcode unicode escape sequence characteristic of this PoC.
  • Monitor for GenVersion.dll loaded in browser processes (iexplore.exe) on Windows XP SP3 with IE6/7/8 — the known tested exploitation platform.
  • The Metasploit module uses a ROP pivot at 0x770167b0 (PUSH ESP; POP EBP; RETN 8) for XP SP3 targets; detect ROP chain execution pivoting through this address in memory forensics or dynamic analysis.
  • For Vista targets, the Metasploit module uses a heap-spray target address of 0x0c0c0c0c; detect this value as a return address in stack analysis.
  • The exploit payload calls VirtualProtect (kernel32 at 0x7c801ad4 on XP SP3) as part of its ROP chain to mark shellcode memory executable; this sequence can be detected via API monitoring.
  • The ROP gadget addresses and VirtualProtect address are hardcoded for Windows XP SP3 with specific module versions (kernel32, user32, shell32, rpcrt4, ole32); they will not be valid on other OS versions or patch levels.
  • The static writable address 0x0012f878 used for VirtualProtect's lpflOldProtect parameter is hardcoded and may cause ERROR_NOACCESS on systems where this address is not writable.
  • The vulnerability affects ICONICS BizViz 9.x before 9.22 and GENESIS32 9.x before 9.22 only; version 9.22 and later are patched.
  • Exploitation requires the victim to have the GenVersion.dll ActiveX control installed and to visit an attacker-controlled web page; it is a client-side, browser-based attack vector.
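A defender-side checker for the page-level indicators listed above (CLSID instantiation, an oversized SetActiveXGUID argument, a %u9090 NOP sled), added here as an example and not code from the record's sources or from the Metasploit module; the regexes, the decoded-length estimate and the two sample pages are my own assumptions and constructions.

```python
import re

# Indicators from the record above; the 510-byte threshold follows the
# "abnormally long string" heuristic and the ROP offset noted there.
WEBHMI_CLSID = "CEFF5F48-BD2E-4D10-BAE5-AF729975E223"
ARG_THRESHOLD = 510
CLSID_RE = re.compile(re.escape(WEBHMI_CLSID), re.I)
# .SetActiveXGUID("lit") / (var) / (unescape("lit")) / (unescape(var))
CALL_RE = re.compile(r"\.SetActiveXGUID\s*\(\s*(?:unescape\s*\(\s*)?"
                     r"(?:(['\"])(?P<lit>[^'\"]*)\1|(?P<var>[A-Za-z_$][\w$]*))")
SPRAY_RE = re.compile(r"unescape\s*\(\s*['\"](?:%u9090)+['\"]\s*\)", re.I)

def decoded_length(lit: str) -> int:
    """Approximate byte length after unescape(): %uXXXX -> 2 bytes, %XX -> 1."""
    n_u = len(re.findall(r"%u[0-9a-fA-F]{4}", lit))
    rest = re.sub(r"%u[0-9a-fA-F]{4}", "", lit)
    n_x = len(re.findall(r"%[0-9a-fA-F]{2}", rest))
    return 2 * n_u + n_x + len(re.sub(r"%[0-9a-fA-F]{2}", "", rest))

def assigned_literal(page: str, name: str) -> str:
    """Best-effort: the string literal assigned to JS variable `name`, else ''."""
    pat = (r"(?:var\s+)?" + re.escape(name) +
           r"\s*=\s*(?:unescape\s*\(\s*)?(['\"])(?P<lit>[^'\"]*)\1")
    m = re.search(pat, page)
    return m.group("lit") if m else ""

def analyze_page(page: str) -> list:
    """Return the names of the indicators found in one HTML page."""
    findings = []
    if CLSID_RE.search(page):
        findings.append("clsid_instantiation")
    for m in CALL_RE.finditer(page):
        lit = m.group("lit")
        if lit is None:                      # argument is a variable, resolve it
            lit = assigned_literal(page, m.group("var"))
        n = decoded_length(lit)
        if n > ARG_THRESHOLD:
            findings.append(f"long_SetActiveXGUID_arg:{n}")
    if SPRAY_RE.search(page):
        findings.append("heap_spray_nop_sled")
    return findings

def is_suspicious(findings: list) -> bool:
    """The CLSID alone is normal on a real WebHMI page; require a second indicator."""
    return "clsid_instantiation" in findings and len(findings) > 1

# Constructed samples (not taken from the original PoC): a legitimate-looking
# page and one that sprays a NOP sled and passes an oversized argument.
OBJECT_TAG = '<object classid="clsid:{CEFF5F48-BD2E-4D10-BAE5-AF729975E223}" id="target"></object>'
BENIGN_PAGE = OBJECT_TAG + '<script>target.SetActiveXGUID("{00000000-0000-0000-0000-000000000000}");</script>'
SPRAY_PAGE = (OBJECT_TAG + '<script>var nops = unescape("%u9090%u9090%u9090%u9090");\n'
              'var sploit = unescape("' + "%u4141" * 300 + '");\n'
              'target.SetActiveXGUID(sploit);</script>')
```

The literal resolver only follows a direct string assignment, so a payload built by string concatenation in a loop would need a JavaScript interpreter or sandbox to resolve; the regexes are intentionally loose to survive whitespace and quoting variations.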