CVE-2011-4789
Published: 2012-01-13
Priority: P2 · 71
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 64.80% (99.1th percentile)
Stack-based buffer overflow in magentservice.exe in the server in HP LoadRunner 11.00 before patch 4 allows remote attackers to execute arbitrary code via a crafted size value in a packet. NOTE: it was originally reported that the affected product is HP Diagnostics Server, but HP states that "the vulnerable product is actually HP LoadRunner."
Detection & IOCs (extracted from sources)
Byte pattern: \x00\x00\x00\x00 followed by 1092 bytes of upper-case alpha text, then the SEH payload
- Monitor for inbound TCP connections to port 23472 on hosts running magentservice.exe; exploit traffic begins with a 4-byte null header (\x00\x00\x00\x00) followed by ~1092+ bytes of data.
- The exploit uses SSL3 over TCP/23472; anomalous SSL3 sessions to magentservice.exe on that port with large payloads (>1096 bytes) should be flagged.
- The overflow is triggered by a crafted size value in a packet; inspect packets to TCP/23472 for oversized length fields that exceed the expected buffer boundary (~1092 bytes offset to the SEH overwrite).
- An SEH-based exploitation technique is used (EXITFUNC=seh); look for SEH chain overwrites in magentservice.exe crash dumps or during live process inspection.
- HP originally misidentified the vulnerable product as HP Diagnostics Server; the actual vulnerable product is HP LoadRunner 11.00 before patch 4. Detection rules should target HP LoadRunner deployments, not solely HP Diagnostics Server.
- The Metasploit module's ROP gadget address (0x780c8f1f) is specific to the Diagnostics Server 9.10 build of magentservice.exe; the offset and return address will differ for other versions and patch levels.
- The exploit payload space is limited to 1000 bytes, with null bytes (\x00) as bad characters; staged payloads or shellcode avoiding nulls must be used.
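The following detector is an added example written for this page; it is not taken from the page's sources or from any vendor tooling. It turns the indicators above (destination port 23472, a 4-byte null header, a body larger than 1096 bytes, a long run of upper-case ASCII filler) into a per-payload check and a batch scan over captured flows. The port and the 1096-byte threshold come from the page; the 256-character minimum for the filler run, the `Finding` type, and the sample payloads are assumptions constructed here.

```python
"""Heuristic detector for the CVE-2011-4789 traffic shape described above.

Added example, not from the page's sources. It flags a TCP payload sent to
magentservice.exe's port when it begins with a 4-byte null header and carries
an oversized body and/or a long run of upper-case ASCII filler.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

MAGENT_PORT = 23472              # from the page: magentservice.exe listens here
NULL_HEADER = b"\x00\x00\x00\x00"  # from the page: 4-byte null header
SUSPICIOUS_LEN = 1096            # from the page: payloads > 1096 bytes are anomalous
# Assumed threshold: a run of 256+ upper-case letters is treated as filler.
ALPHA_UPPER_RUN = re.compile(rb"[A-Z]{256,}")


@dataclass
class Finding:
    """Result of inspecting one payload: overall verdict plus the reasons."""
    matched: bool
    reasons: List[str] = field(default_factory=list)


def inspect_payload(dst_port: int, payload: bytes) -> Finding:
    """Return which CVE-2011-4789 indicators a single TCP payload matches.

    A match requires the null header plus at least one of the size or filler
    indicators, so short legitimate messages that happen to start with four
    null bytes are not flagged on their own.
    """
    reasons: List[str] = []
    if dst_port != MAGENT_PORT:
        return Finding(False, reasons)
    if payload.startswith(NULL_HEADER):
        reasons.append("4-byte null header")
    if len(payload) > SUSPICIOUS_LEN:
        reasons.append(f"oversized body ({len(payload)} bytes > {SUSPICIOUS_LEN})")
    if ALPHA_UPPER_RUN.search(payload):
        reasons.append("long run of upper-case ASCII filler")
    matched = "4-byte null header" in reasons and len(reasons) >= 2
    return Finding(matched, reasons)


def scan_flows(flows: Iterable[Tuple[int, bytes]]) -> List[int]:
    """Return the indices of (dst_port, payload) flows that match the pattern."""
    return [i for i, (port, data) in enumerate(flows)
            if inspect_payload(port, data).matched]


# Constructed samples, not captured traffic.
BENIGN_SAMPLE = NULL_HEADER + b"\x00\x10status-ok"
SUSPICIOUS_SAMPLE = NULL_HEADER + bytes(ord("A") + i % 26 for i in range(1100))
SAMPLE_FLOWS = [
    (MAGENT_PORT, BENIGN_SAMPLE),       # null header only: not flagged
    (443, SUSPICIOUS_SAMPLE),           # wrong port: not flagged
    (MAGENT_PORT, SUSPICIOUS_SAMPLE),   # header + oversized + filler: flagged
]

if __name__ == "__main__":
    for idx in scan_flows(SAMPLE_FLOWS):
        port, data = SAMPLE_FLOWS[idx]
        print(f"flow {idx} -> port {port}: {inspect_payload(port, data).reasons}")
```

Because the service is reached over SSL3, the header and filler checks only apply to plaintext, that is, to a sensor that terminates TLS or to a decrypted capture; on ciphertext only the port and record-size checks remain usable, since TLS preserves the approximate length of the application data.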
No detection rules found.
Exploit-DB
HP Diagnostics Server - 'magentservice.exe' Remote Overflow (Metasploit)
exploitdb · 2012-01-27
---
require 'msf/core'
class Metasploit3 'HP Diagnostics Server magentservice.exe overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP Diagnostics Server
magentservice.exe service. By sending a specially crafted packet, an attacker
may be able to execute arbitrary code. Originally found and posted by
AbdulAziz Harir via ZDI.
},
'Author' =>
[
'AbdulAziz Hariri', # Original discovery
'hal', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '72815'],
['CVE', '2011-4789'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-016/']
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'SSL' => true,
'SSLVersion' => 'SSL3'
},
'Payload' =>
{
'S
Metasploit
HP Diagnostics Server magentservice.exe Overflow
metasploit
This module exploits a stack buffer overflow in HP Diagnostics Server magentservice.exe service. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. Originally found and posted by AbdulAziz Harir via ZDI.
No writeups or analysis indexed.
References
- http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03216705
- http://osvdb.org/78309
- http://www.securityfocus.com/bid/51398
- http://zerodayinitiative.com/advisories/ZDI-12-016/