CVE-2011-3492
published 2011-09-16

Priority: P2 · 70 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 70.91% (99.3rd percentile)
Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted NETB packet to UDP port 20034.

Affected

50 ranges · showing 25

Vendor     Product      Version range   Fixed in
azeotech   daqfactory   <= 5.85
(the remaining 24 displayed rows also list azeotech / daqfactory but carry no version range or fixed-in data)

Detection & IOCs (extracted from sources)

port: 20034/UDP
url: http://aluigi.org/poc/daqfactory_1.dat
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17841.dat
command: nc SERVER 20034 -u < daqfactory_1.dat
other: NETB (packet magic bytes / protocol identifier)
other: Return address: 0x100B9EDF (jmp esp in PEGRP32A.dll)
  • Detect exploit attempts by monitoring for UDP packets to port 20034 that begin with the 4-byte magic string 'NETB'.
  • Alert on any external/untrusted host sending UDP traffic to port 20034 on DAQFactory SCADA/HMI hosts; the service should not be internet-facing.
  • The Metasploit module uses an egghunter with egg tag 'scar'; scanning memory or network payloads for this tag can identify exploitation attempts.
  • The exploit payload offset is 636 bytes and the EIP overwrite targets a 'jmp esp' gadget in PEGRP32A.dll at 0x100B9EDF; process memory inspection or crash dumps showing EIP=0x100B9EDF indicate exploitation.
  • The exploit uses a short backward JMP (-70 bytes) as a springboard; NOP sleds or short JMP sequences immediately before the return address in UDP payloads to port 20034 are indicative of this exploit.
  • The EIP offset (636) and DHCP-IP-length-based sub-offset correction are specific to DAQFactory Pro 5.85 Build 1853 on Windows XP SP3; different builds or OS versions will require different offsets.
  • The vulnerable NETB feature was undocumented and completely removed in DAQFactory Version 5.86; only Version 5.85 is confirmed affected.
  • Exploitation timing may vary due to egghunter use; the module notes this explicitly.
  • The null byte (\x00) is a bad character for the payload; shellcode must avoid it.