CVE-2011-3490
published 2011-09-16

Priority: P2 · 60 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 36.43% (98.3rd percentile)
Multiple stack-based buffer overflows in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long command to port 11234, as demonstrated with the TF command.

Affected

45 ranges

Vendor | Product | Version range | Fixed in
measuresoft | scadapro | <= 4.0.0 |

Detection & IOCs (extracted from sources)

port: 11234/UDP
port: 11234
command: xf%..\..\..\..\..\windows\system32\msvcrt.dll,system,cmd /c <stager>
command: xf%..\..\..\..\..\windows\system32\msvcrt.dll,system,start C:/Windows/Temp/<stager>.vbs
path: C:/Windows/Temp
filename: scadapro_1b.dat
filename: scadapro_1c.dat
filename: scadapro_1d.dat
filename: scadapro_1e.dat
url: http://aluigi.org/poc/scadapro_1.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17844-2.zip
process: service.exe
  • Monitor for TCP/UDP connections to port 11234 targeting service.exe in Measuresoft ScadaPro; any long command string sent to this port is indicative of exploitation attempts.
  • Detect use of the 'XF' command over port 11234 to execute arbitrary DLL functions (e.g., system() from msvcrt.dll), which enables remote code execution via directory traversal.
  • Detect directory traversal sequences (e.g., '../../../../../') in commands sent to port 11234, particularly in RF, wF, UF, NF, and XF command arguments.
  • Alert on VBS script creation in C:\Windows\Temp followed by execution via msvcrt.dll system() call over port 11234, as used in the Metasploit module for this CVE.
  • Detect the 'xf%' command prefix in network traffic on port 11234 combined with 'msvcrt.dll,system' as a reliable indicator of exploitation.
  • Detect injection of the '"' character in BF, OF, and EF backup command arguments on port 11234, which enables command injection against backup utilities (mszip, tar, compress).
  • Port 11234/UDP is the attack vector; the vendor fix (v4.0.1) disables this port by default. Verify that the port is disabled or firewalled in deployed environments.
  • The vulnerability affects ScadaPro version 4.0.0.0 and earlier; version 4.0.1 contains the fix. Ensure the patched version is deployed before relying solely on network controls.
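
The detection notes above, combined into one payload classifier, as an added example (not code from this page or from any vendor rule). The `verb%args` framing is inferred from the `xf%` indicator; `MAX_LEN` and the sample payloads are constructed assumptions.

```python
import re

# Assumption: a command is a two-letter verb, '%', then arguments, as in the
# 'xf%...' indicator listed above. MAX_LEN is an illustrative threshold, not a
# value from the advisory; tune it against legitimate traffic.
MAX_LEN = 256
TRAVERSAL_CMDS = {"RF", "WF", "UF", "NF", "XF"}
BACKUP_CMDS = {"BF", "OF", "EF"}
TRAVERSAL = re.compile(rb"\.\.[\\/]")
CMD = re.compile(rb"^([A-Za-z]{2})%(.*)$", re.DOTALL)


def classify(payload: bytes) -> list[str]:
    """Return the detection findings for one payload seen on port 11234."""
    findings = []
    if len(payload) > MAX_LEN:
        findings.append("long-command")
    m = CMD.match(payload)
    if not m:
        return findings
    # Verbs are matched case-insensitively so 'xf' and 'XF' both alert.
    verb = m.group(1).decode("ascii").upper()
    args = m.group(2)
    if verb in TRAVERSAL_CMDS and TRAVERSAL.search(args):
        findings.append("dir-traversal")
    if verb == "XF" and b"msvcrt.dll,system" in args.lower():
        findings.append("xf-msvcrt-system")
    if verb in BACKUP_CMDS and b'"' in args:
        findings.append("backup-quote-injection")
    return findings


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"xf%..\\..\\..\\..\\..\\windows\\system32\\msvcrt.dll,system,cmd /c <stager>",
    b"RF%..\\..\\..\\placeholder.txt",
    b'BF%backup" placeholder',
    b"TF%" + b"A" * 600,
    b"RF%report.txt",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p) or ["clean"], p[:60])
```

Feed it reassembled payloads from a capture or sensor filtered to port 11234; findings are additive, so one payload can raise several.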