CVE-2011-3492
Published 2011-09-16
Priority P2 · 70 · critical · CVSS 2.0 base score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public (Exploit-DB, Metasploit)
EPSS: 70.91% (99.3rd percentile)

Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted NETB packet to UDP port 20034.
Affected
50 ranges · showing 25 (only the first entry carries a version bound; the other 24 listed entries have no version or fix data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| azeotech | daqfactory | <= 5.85 | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring for UDP packets to port 20034 that begin with the 4-byte magic string 'NETB'.
- Alert on any external/untrusted host sending UDP traffic to port 20034 on DAQFactory SCADA/HMI hosts; the service should not be internet-facing.
- The Metasploit module uses an egghunter with egg tag 'scar'; scanning memory or network payloads for this tag can identify exploitation attempts.
- The exploit payload offset is 636 bytes and the EIP overwrite targets a 'jmp esp' gadget in PEGRP32A.dll at 0x100B9EDF; process memory inspection or crash dumps showing EIP=0x100B9EDF indicate exploitation.
- The exploit uses a short backward JMP (-70 bytes) as a springboard; NOP sleds or short JMP sequences immediately before the return address in UDP payloads to port 20034 are indicative of this exploit.
- Caveat: the EIP offset (636) and DHCP-IP-length-based sub-offset correction are specific to DAQFactory Pro 5.85 Build 1853 on Windows XP SP3; different builds or OS versions will require different offsets.
- Caveat: the vulnerable NETB feature was undocumented and completely removed in DAQFactory Version 5.86; only Version 5.85 is confirmed affected.
- Caveat: exploitation timing may vary due to egghunter use; the module notes this explicitly.
- Caveat: the null byte (\x00) is a bad character for the payload; shellcode must avoid it.
CISA ICS
AzeoTech DAQFactory Stack Overflow (cisa_ics · 2011-09-13)
ICS Advisory ICSA-11-264-01, last revised September 06, 2018 (archived content on CISA.gov; may not reflect current policy or programs)
## Overview
This advisory is a follow-up to the alert titled “ICS-ALERT-11-256-02—AzeoTech DAQFactory Stack Overflow” that was published September 13, 2011, on the ICS-CERT web page.
ICS-CERT is aware of a public report of one stack overflow vulnerability with proof-of-concept (PoC) exploit code affecting AzeoTech DAQFactory, a SCADA/HMI product. According to the report, the vulnerability is exploitable via a service running on port 20034/UDP. The report was released without coordinating
GHSA
GHSA-cxgc-rj9m-qm58: Stack-based buffer overflow in Azeotech DAQFactory 5 (ghsa_unreviewed · 2022-05-17)
CVE-2011-3492 · severity HIGH · CWE-119
Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted NETB packet to UDP port 20034.
No detection rules found.
Exploit-DB
DaqFactory - HMI NETB Request Overflow (Metasploit) (exploitdb · 2011-09-18)
---
```ruby
##
# $Id: daq_factory_bof.rb 13750 2011-09-18 02:45:55Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'DaqFactory HMI NETB Request Overflow',
  'Description' => %q{
    This module exploits a stack buffer overflow in Azeotech's DaqFactory
    product. The specific vulnerability is triggered when sending a specially crafted
    'NETB' request to port 20034. Exploitation of this vulnerability may take a few
    seconds due to the use of egghunter. This vulnerability was one of the 14
    releases dis
```
Exploit-DB
DaqFactory 5.85 build 1853 - Stack Overflow (exploitdb · 2011-09-14)
---
```text
#######################################################################
Luigi Auriemma
Application: DAQFactory
             http://www.azeotech.com/daqfactory.php
Versions:    ]

..and..

005C423A |. 8D8C24 6C010000 LEA ECX,DWORD PTR SS:[ESP+16C]
005C4241 |. 68 682C9000     PUSH DAQFacto.00902C68 ; "MAC: [%02x-%02X-%02X-%02X-%02X-%02X] IP:%d.%d.%d.%d %s%s"
005C4246 |. 51              PUSH ECX
005C4247 |. FF15 6CC07F00   CALL DWORD PTR DS:[]

#######################################################################
3) The Code

http://aluigi.org/poc/daqfactory_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17841.dat

nc SERVER 20034 -u < daqfactory_1.dat

#######################################################################
4) Fix
```
Metasploit
DaqFactory HMI NETB Request Overflow (metasploit)
This module exploits a stack buffer overflow in Azeotech's DaqFactory product. The specific vulnerability is triggered when sending a specially crafted 'NETB' request to port 20034. Exploitation of this vulnerability may take a few seconds due to the use of egghunter. This vulnerability was one of the 14 releases discovered by researcher Luigi Auriemma.
No writeups or analysis indexed.
References
- http://aluigi.altervista.org/adv/daqfactory_1-adv.txt
- http://osvdb.org/75496
- http://www.exploit-db.com/exploits/17855
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-02.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69764
Published 2011-09-16