CVE-2011-4535
published 2012-04-03
Priority P3 · 46 · medium · CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 27.00% (97.8th percentile)
Buffer overflow in TurboPower Abbrevia before 4.0, as used in ScadaTEC ScadaPhone 5.3.11.1230 and earlier, ScadaTEC ModbusTagServer 4.1.1.81 and earlier, and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ZIP file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craig_peterson | turbopower_abbrevia | <= 3.05 | — |
| scadatec | modbustagserver | <= 4.1.1.81 | — |
| scadatec | scadaphone | <= 5.3.11.1230 | — |
Detection & IOCs (extracted from sources)
- bytes (ZIP local file header, PK\x03\x04): \x50\x4b\x03\x04\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00
- bytes (ZIP central directory file header, PK\x01\x02): \x50\x4b\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00\x00\x00\x00\x00\x00
- bytes (ZIP end of central directory record, PK\x05\x06): \x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00
- bytes (little-endian dword 0x004014ac, SEH handler address): \xac\x14\x40\x00
- bytes (egghunter tag): zipz
- bytes (egghunter tag): OMFG
- bytes (trailing dword 0x7478741e): \x1e\x74\x78\x74
- The malicious ZIP file carries an oversized filename field, declared by a filename-length field of 0x0fe4 (4068 bytes; the source describes the crafted payload as 4064 bytes), which triggers the stack buffer overflow in the Abbrevia 3.x ZIP handling component. Look for local file header entries whose filename length far exceeds normal values.
- The exploit ZIP's central directory file header carries the same oversized filename field as the local file header: both headers share the anomalous filename-length bytes \xe4\x0f, so the two length fields can be cross-checked.
- For the ModbusTagServer target, the exploit places an egg-hunter stub tagged 'OMFG' in the filename field at offset 229, followed by 48 bytes of padding, the NSEH/SEH overwrite and the shellcode. Detect ZIP files with binary egg-hunter patterns in the filename field.
- For the ScadaPhone target, the exploit's ROP chain starts at offset 57 within the filename field; the SEH handler is overwritten with 0x004014F4 (pop esi; pop ebx; retn in ScadaPhone.exe). Flag ZIP files whose filename field contains sequences of addresses inside the ScadaPhone.exe image.
- The Metasploit module generates a ZIP containing a randomly named file: 229 uppercase alphabetic characters, the egghunter, padding, a short jump (jmp_short(-50)), 2 bytes, the return address, 100 bytes, the egg, filler out to 4096 bytes and a trailing dword 0x7478741e. Detect ZIP files whose filename length is >= 4096 and whose filename ends with \x1e\x74\x78\x74.
- Successful exploitation yields a bind shell: watch for ScadaPhone.exe or ModbusTagServer.exe opening a listening socket on TCP port 4444, and for inbound connections to it.
- The egghunter tag used by the Metasploit module is 'zipz' (bytes 7a 69 70 7a); scan process memory or network payloads for this tag in conjunction with ScadaTEC product processes.
- Payload bad characters are \x00, \x0a and \x0d, so shellcode placed in a malicious ZIP filename will contain no null bytes, line feeds or carriage returns; use this to tune shellcode detection signatures.
- The exploit requires user interaction: a victim must open the crafted ZIP (project file) with the affected ScadaPhone or ModbusTagServer application. It is not a zero-click remote exploit.
- The SEH handler and gadget addresses in the public exploits are hardcoded for specific module versions (ScadaPhone.exe and the Abbrevia DLLs at their fixed image bases); a different binary version, or a rebased image, breaks these offsets.
- The Metasploit module target is labeled 'Windows Universal' but relies on a fixed address inside ScadaPhone.exe. An image built without ASLR support loads at its preferred base on later Windows versions as well, unless mandatory ASLR is enforced system-wide, so the practical constraint is the exact vulnerable binary version rather than the Windows release.
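As an added example (not code from this page, from ScadaTEC, from Metasploit or from the exploit authors), the following Python scans a ZIP for the filename-field indicators listed above. It locates the end-of-central-directory record, walks the central directory, pairs each record with its local file header through the header offset, and flags oversized or mismatched filename lengths, the 'zipz' and 'OMFG' egg tags, the 0x7478741e trailer and the two SEH handler addresses from the IOC list. The 260-byte length threshold, the sample payload layout, and the decision to combine landmarks from both exploits in one constructed filename are assumptions made for the example; both sample archives are constructed inline so the script runs offline.

```python
"""Scan a ZIP container for the CVE-2011-4535 filename-field indicators (added example)."""
import io
import struct
import zipfile
from collections import namedtuple

LOCAL_SIG, CDIR_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
EGG_TAGS = (b"zipz", b"OMFG")                      # egghunter tags named in the IOC list
TRAILER = b"\x1e\x74\x78\x74"                      # trailing dword 0x7478741e, little-endian
KNOWN_SEH = {b"\xac\x14\x40\x00": 0x004014AC,      # SEH handler bytes from the IOC list
             struct.pack("<I", 0x004014F4): 0x004014F4}
MAX_SANE_NAME = 260   # assumption: Windows MAX_PATH; project archives stay well below it

Entry = namedtuple("Entry", "cd_name lf_name")


def parse_entries(data):
    """Walk the central directory (authoritative) and pair each record with its local header."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory signature missing at 0x%x" % pos)
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        nlen, xlen, clen, lhoff = f[9], f[10], f[11], f[15]
        cd_name = data[pos + 46:pos + 46 + nlen]
        if data[lhoff:lhoff + 4] != LOCAL_SIG:
            raise ValueError("local header signature missing at 0x%x" % lhoff)
        lf_nlen = struct.unpack_from("<H", data, lhoff + 26)[0]   # filename length field
        lf_name = data[lhoff + 30:lhoff + 30 + lf_nlen]
        entries.append(Entry(cd_name, lf_name))
        pos += 46 + nlen + xlen + clen
    return entries


def find_indicators(data):
    """Return (where, indicator, detail) tuples; an empty list means nothing matched."""
    findings = []
    for idx, e in enumerate(parse_entries(data)):
        if len(e.cd_name) != len(e.lf_name):
            findings.append((str(idx), "name_length_mismatch", (len(e.cd_name), len(e.lf_name))))
        for where, name in (("central", e.cd_name), ("local", e.lf_name)):
            tag_where = f"{idx}/{where}"
            if len(name) > MAX_SANE_NAME:
                findings.append((tag_where, "oversized_name", len(name)))
            for tag in EGG_TAGS:
                off = name.find(tag)
                if off >= 0:
                    findings.append((tag_where, "egg_tag", (tag, off)))
            if name.endswith(TRAILER):
                findings.append((tag_where, "trailer_dword", TRAILER))
            for raw, addr in KNOWN_SEH.items():
                off = name.find(raw)
                if off >= 0:
                    findings.append((tag_where, "seh_handler", (addr, off)))
    return findings


def crafted_filename():
    """Constructed 4068-byte name with the documented landmarks; filler stands in for shellcode."""
    name = b"A" * 229 + b"OMFG"          # egg tag at offset 229 (ModbusTagServer layout)
    name += b"\x90" * 48                 # padding
    name += b"\xac\x14\x40\x00"          # SEH handler bytes from the IOC list
    name += b"zipz" * 2                  # Metasploit egg tag, doubled as egghunters expect
    name += b"B" * (4064 - len(name))    # filler
    name += TRAILER
    return name                          # 4068 bytes == 0x0fe4, the length in the IOC headers


def build_crafted_zip(name):
    """Constructed sample mirroring the IOC headers: one stored, zero-length entry."""
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0xACB7, 0x34CE, 0, 0, 0, len(name), 0) + name
    central = (CDIR_SIG
               + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0xACB7, 0x34CE, 0, 0, 0,
                             len(name), 0, 0, 0, 1, 0x24, 0)
               + name)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def benign_zip():
    """Constructed control case written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("project/readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("crafted", build_crafted_zip(crafted_filename())), ("benign", benign_zip())):
        hits = find_indicators(blob)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  ", h)
```

The scanner starts from the central directory rather than walking local headers sequentially because a local header with data-descriptor sizes (flag bit 3) cannot be skipped reliably; reading the local header through the central directory's offset also gives the cross-check between the two filename-length fields that the IOC list calls out.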
CISA ICS
ScadaTEC ScadaPhone & Modbus TagServer Buffer Overflow Vulnerability
cisa_ics · 2011-09-12
ICS Advisory ICSA-11-362-01 · Last Revised September 06, 2018
## OVERVIEW
This advisory is a follow-up to the ICS-CERT alert titled ICS-ALERT-11-255-01, ScadaTEC ScadaPhone/ModbusTagServer Buffer Overflow, which was published September 12, 2011, on the ICS-CERT Web page.
On September 12, 2011, independent security researcher Steven Seeley publicly released a report that included proof-of-concept exploit code targeting a buffer overflow vulnerability in the ScadaTEC ScadaPhone and ModbusTagServer products. Currently,
GHSA
GHSA-jxcp-mqfv-g5vw: Buffer overflow in TurboPower Abbrevia before 4 (CVE-2011-4535 · MEDIUM · CWE-119)
ghsa_unreviewed · 2022-05-17
No detection rules found.
Exploit-DB
ScadaTEC ScadaPhone 5.3.11.1230 - Local Stack Buffer Overflow (Metasploit)
exploitdb · 2011-09-13 · CVE-2011-4535
---
```ruby
##
# $Id: scadaphone_zip.rb 13728 2011-09-13 20:10:28Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  # Mixins and rank are not present in the Exploit-DB extract; the module
  # name below is the one the Metasploit entry on this page uses.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ScadaTEC ScadaPhone Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        version 5.3.11.1230 of scadaTEC's ScadaPhone.
        In order for the command to be executed, an attacker must convince someone to
        load a specially crafted project zip file with ScadaPhone.
        By doing so, an attacker can execute arbitrary code as the victim user.
      },
      # (remainder of the module metadata and the exploit body are not included in the extract)
    ))
  end
end
```
Exploit-DB
ScadaTEC ModbusTagServer & ScadaPhone - '.zip' Local Buffer Overflow
exploitdb · 2011-09-12 · CVE-2011-4535
---
```php
<?php
/* (header comment truncated in the Exploit-DB extract; the demo session below is part of it)

[mr_me@neptune scadatec]$ php zip.php -t modbustagserver
[mr_me@neptune scadatec]$ nc -v 192.168.114.141 4444
Connection to 192.168.114.141 4444 port [tcp/krb524] succeeded!
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\ScadaTEC\ModbusTagServer\Projects>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'The reason they call it the American Dream is because you have to be asleep
to believe it.' ~ George Carlin
*/

// Usage banner: the script expects "-t <target>" (three argv entries including the script name).
if ($argc < 3) {
    print("Usage: php ".$argv[0]." -t <software>

software: target software

Example:
php ".$argv[0]." -t scadaphone
php ".$argv[0]." -t modbustagserver
"); die; }

// Collects "--key=value" style arguments into an associative array.
// ereg() was removed in PHP 7; preg_match() is the modern equivalent.
function setArgs($argv){
    $_ARG = array();
    foreach ($argv as $arg){
        if (ereg("--([^=]+)=(.*)", $arg, $reg)){
            $_ARG[$reg[1]] = $reg[2];
        }
    }
    return $_ARG;
}
// (remaining argument handling and the ZIP construction are not included in the extract)
```
Metasploit
ScadaTEC ScadaPhone Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 5.3.11.1230 of scadaTEC's ScadaPhone. In order for the command to be executed, an attacker must convince someone to load a specially crafted project zip file with ScadaPhone. By doing so, an attacker can execute arbitrary code as the victim user.
Published 2012-04-03