CVE-2011-3496
published 2011-09-16


Priority: P2 (66)
CVSS 2.0: 10.0 critical, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module and PoC; see Detection & IOCs)
EPSS: 14.37% (percentile 96.2)
service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) BF, (2) OF, or (3) EF command.

Affected

Vendor       Product    Version range   Fixed in
measuresoft  scadapro   <= 4.0.0        4.0.1 (vendor fix disables port 11234/UDP by default; see notes below)

Detection & IOCs (extracted from sources)

port: 11234/UDP
process: service.exe
command: xf%..\..\..\..\..\windows\system32\msvcrt.dll,system,cmd /c <stager>
command: xf%..\..\..\..\..\windows\system32\msvcrt.dll,system,start C:/Windows/Temp/<stager>.vbs
  • Detect exploitation attempts targeting ScadaPro service.exe via shell metacharacter injection in BF, OF, or EF commands on UDP port 11234
  • Monitor for 'xf%' command strings on port 11234/UDP, particularly those referencing msvcrt.dll and the 'system' function, indicating arbitrary DLL function execution via the XF command
  • Detect directory traversal sequences (e.g., ..\..\..\) in commands sent to port 11234/UDP targeting ScadaPro RF, WF, UF, NF, or XF command handlers
  • Alert on unexpected .vbs file creation in C:\Windows\Temp followed by execution, which is the Metasploit module's two-stage payload delivery pattern for this CVE
  • Monitor for nc (netcat) connections to port 11234 sending raw .dat files as used in the public PoC exploit
  • Detect use of udpsz scanner tool probing port 11234 with 'xx%' pattern payloads as part of ScadaPro reconnaissance
  • Port 11234/UDP is the attack vector; the vendor fix (v4.0.1) disables this port by default. Blocking or monitoring this port is the primary defensive control.
  • The Metasploit module uses 'migrate -f' as an InitialAutoRunScript, meaning post-exploitation process migration will occur immediately after the shell is obtained; detections should account for rapid process migration.
  • The XF command allows execution of any exported function from any DLL via directory traversal; detection must not be limited to msvcrt.dll/system, since other DLL/function combinations are possible.
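The detection points above, turned into working code as an added example (this is not code from the CVE source, the public PoC or the Metasploit module). The classifier takes raw UDP datagrams aimed at 11234/UDP and fires one rule per pattern listed: 'xx%' reconnaissance probes, directory traversal into the RF/WF/UF/NF/XF handlers, an XF call to any DLL export (not only msvcrt.dll!system), and shell metacharacters in BF/OF/EF arguments. The "<opcode>%<args>" framing is taken from the 'xf%' IOC and is assumed to hold for the other opcodes; the sample datagrams, source addresses and command arguments are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SCADAPRO_PORT = 11234  # UDP; the 4.0.1 fix disables it by default

# Handlers named on this page. BF/OF/EF are the ones in the CVE text
# (shell-metacharacter injection); RF/WF/UF/NF/XF are the file/DLL handlers
# the public PoC drives with directory traversal. The "<opcode>%<args>"
# framing is taken from the 'xf%' IOC and ASSUMED for the other opcodes.
SHELL_INJECT_OPS = {"BF", "OF", "EF"}
TRAVERSAL_OPS = {"RF", "WF", "UF", "NF", "XF"}

OPCODE = re.compile(r"^([A-Za-z]{2})%(.*)$", re.S)
TRAVERSAL = re.compile(r"(?:\.\.[\\/]){2,}")       # two or more ../ or ..\ hops
SHELL_META = re.compile(r"[&|;`$<>]")
# 'xf%<dll path>,<exported function>,<argument>': any DLL, any export
XF_CALL = re.compile(r"^(?P<dll>[^,]+\.dll),(?P<func>[A-Za-z0-9_@]+),(?P<arg>.*)$", re.I | re.S)
RECON_PREFIX = "xx%"  # udpsz probe pattern from the IOC list


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def classify_payload(payload: str, dst_port: int = SCADAPRO_PORT) -> List[Finding]:
    """Return every detection that fires for one UDP datagram to ScadaPro."""
    if dst_port != SCADAPRO_PORT:
        return []
    if payload.lower().startswith(RECON_PREFIX):
        return [Finding("scadapro-recon", "low", "udpsz-style 'xx%' probe")]
    m = OPCODE.match(payload)
    if not m:
        return []
    op, args = m.group(1).upper(), m.group(2)
    out: List[Finding] = []
    if op in TRAVERSAL_OPS and TRAVERSAL.search(args):
        out.append(Finding("scadapro-traversal", "high",
                           f"{op} handler with ..\\ sequence: {args[:60]!r}"))
    if op == "XF":
        call = XF_CALL.match(args)
        if call:
            dll = call.group("dll").replace("/", "\\").split("\\")[-1].lower()
            func = call.group("func")
            # msvcrt!system is the Metasploit shape, but any export is reachable,
            # so every DLL/function pair is reported; only the severity differs.
            sev = "critical" if (dll, func.lower()) == ("msvcrt.dll", "system") else "high"
            out.append(Finding("scadapro-xf-dll-call", sev, f"{dll}!{func}({call.group('arg')!r})"))
    if op in SHELL_INJECT_OPS and SHELL_META.search(args):
        out.append(Finding("scadapro-shell-meta", "critical",
                           f"{op} argument contains shell metacharacters: {args!r}"))
    return out


def scan_datagrams(datagrams: Iterable[Tuple[str, int, str]]) -> Dict[str, List[str]]:
    """Map each source address to the rules its datagrams triggered."""
    hits: Dict[str, List[str]] = {}
    for src, port, payload in datagrams:
        for f in classify_payload(payload, port):
            hits.setdefault(src, []).append(f.rule)
    return hits


# Constructed sample traffic, not captured data. Only the msvcrt.dll/system
# command shape comes from the IOC list above; the arguments are made up.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 11234, "xx%" + "A" * 32),                                   # recon probe
    ("10.0.0.5", 11234, "xf%..\\..\\..\\..\\..\\windows\\system32\\msvcrt.dll,system,cmd /c echo pwned"),
    ("10.0.0.5", 11234, "xf%..\\..\\..\\..\\..\\windows\\system32\\msvcrt.dll,system,start C:/Windows/Temp/x.vbs"),
    ("10.0.0.9", 11234, "xf%..\\..\\..\\..\\..\\windows\\system32\\kernel32.dll,WinExec,calc.exe"),
    ("10.0.0.9", 11234, "rf%..\\..\\..\\..\\..\\windows\\win.ini"),            # traversal read
    ("10.0.0.7", 11234, "bf%report.txt & whoami"),                           # metacharacter injection
    ("10.0.0.8", 11234, "rf%projects\\line1.dat"),                           # benign read, no alert
    ("10.0.0.8", 5555,  "xf%..\\..\\..\\windows\\system32\\msvcrt.dll,system,calc"),  # other port, ignored
]

if __name__ == "__main__":
    for src, rules in scan_datagrams(SAMPLE_DATAGRAMS).items():
        print(src, sorted(set(rules)))
```

Feeding the classifier from a real capture means pairing it with a UDP decoder of your choice and passing each datagram's destination port and payload; the rule names are deliberately stable so they can be mapped onto SIEM signatures, and the severity split keeps the third note above in view: the kernel32 example fires the same rule as the msvcrt one.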