CVE-2011-4789
published 2012-01-13

Priority: P2 (71) · Severity: critical (CVSS 2.0 base score 10.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 64.80% (99.1st percentile)

Stack-based buffer overflow in magentservice.exe in the server in HP LoadRunner 11.00 before patch 4 allows remote attackers to execute arbitrary code via a crafted size value in a packet. NOTE: it was originally reported that the affected product is HP Diagnostics Server, but HP states that "the vulnerable product is actually HP LoadRunner."

Detection & IOCs (extracted from sources)

  • port: 23472
  • filename: magentservice.exe
  • other: 0x780c8f1f (pop esi # pop ebx # ret 10 gadget in magentservice.exe)
  • url: http://www.zerodayinitiative.com/advisories/ZDI-12-016/
  • bytes: \x00\x00\x00\x00 followed by 1092 bytes of alpha-upper text, then the SEH record and payload

  • Monitor for inbound TCP connections to port 23472 on hosts running magentservice.exe; exploit traffic begins with a 4-byte null header (\x00\x00\x00\x00) followed by ~1092+ bytes of data.
  • Exploit uses SSL3 over TCP/23472; anomalous SSL3 sessions to magentservice.exe on that port with large payloads (>1096 bytes) should be flagged.
  • The overflow is triggered by a crafted size value in a packet; inspect packets to TCP/23472 for oversized length fields that exceed the expected buffer boundary (~1092 bytes offset to SEH overwrite).
  • The exploit overwrites the SEH chain (the Metasploit module additionally sets EXITFUNC=seh, which only governs how the payload exits); look for SEH handler overwrites in magentservice.exe crash dumps or during live process inspection.
  • HP originally misidentified the vulnerable product as HP Diagnostics Server; the actual vulnerable product is HP LoadRunner 11.00 before patch 4. Detection rules should target HP LoadRunner deployments, not solely HP Diagnostics Server.
  • The Metasploit module's return address 0x780c8f1f (the pop esi # pop ebx # ret 10 gadget written into the overwritten SEH handler) is specific to the Diagnostics Server 9.10 build of magentservice.exe; the 1092-byte offset and the return address will differ for other versions and patch levels.
  • Payload space is limited to 1000 bytes and \x00 is a bad character, so a staged payload or null-free shellcode must be used.
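The packet layout and indicators listed above can be turned into a host- or proxy-side check. The following is an added example written for this page; it is not code from the page, from HP, from ZDI or from the Metasploit module. It assumes it is handed the decrypted application-layer payload of a TCP/23472 session (the exploit rides over SSL3, so a wire sensor needs TLS inspection or the bytes must come from a host-side capture), and the function names, verdict strings and sample payloads are all constructed for illustration.

```python
"""Heuristic detector for CVE-2011-4789-style packets aimed at magentservice.exe.

Added example, not code from the original page, HP, ZDI or the Metasploit project.
Assumes the caller supplies the decrypted application-layer payload of a
TCP/23472 session (the exploit is wrapped in SSL3 on the wire).
"""
import struct

MAGENT_PORT = 23472
NULL_HEADER = b"\x00\x00\x00\x00"
FILLER_LEN = 1092                          # alpha-upper filler before the SEH record
SEH_OFFSET = len(NULL_HEADER) + FILLER_LEN  # 1096: where nSEH starts
# pop esi # pop ebx # ret 10 in magentservice.exe, Diagnostics Server 9.10 build
KNOWN_PPR = struct.pack("<I", 0x780C8F1F)
SHORT_JMP = b"\xeb\x06"                    # jmp +6: the usual nSEH stub hopping the handler


def analyze_payload(payload: bytes) -> dict:
    """Score one application-layer payload against the advisory's indicators."""
    hits = {
        "null_header": payload.startswith(NULL_HEADER),
        "oversized": len(payload) > SEH_OFFSET,
        "seh_record": False,
        "known_ppr": False,
    }
    if len(payload) >= SEH_OFFSET + 8:
        nseh = payload[SEH_OFFSET:SEH_OFFSET + 4]
        handler = payload[SEH_OFFSET + 4:SEH_OFFSET + 8]
        hits["seh_record"] = nseh.startswith(SHORT_JMP)
        hits["known_ppr"] = handler == KNOWN_PPR
    verdict = "benign"
    if hits["null_header"] and hits["oversized"]:
        verdict = "suspicious"                 # layout matches, no SEH record seen
    if hits["null_header"] and (hits["seh_record"] or hits["known_ppr"]):
        verdict = "likely CVE-2011-4789 exploit"
    hits["verdict"] = verdict
    return hits


def scan_sessions(sessions) -> list:
    """Return (index, verdict) for every non-benign session aimed at TCP/23472.

    `sessions` is an iterable of (dst_port, payload) pairs; other ports are ignored.
    """
    flagged = []
    for idx, (port, payload) in enumerate(sessions):
        if port != MAGENT_PORT:
            continue
        verdict = analyze_payload(payload)["verdict"]
        if verdict != "benign":
            flagged.append((idx, verdict))
    return flagged


def build_exploit_like_payload(handler: bytes = KNOWN_PPR) -> bytes:
    """Constructed sample mirroring the layout in the IOCs; contains no real shellcode."""
    nseh = SHORT_JMP + b"\x90\x90"
    stage = b"\xcc" * 1000                     # stand-in for the 1000-byte, null-free payload
    return NULL_HEADER + b"A" * FILLER_LEN + nseh + handler + stage


# Constructed samples: a short legitimate-looking request, and a large request
# that starts with the null header but carries no SEH record.
BENIGN_SAMPLE = b"\x00\x00\x00\x0bhello agent"
LONG_PLAIN_SAMPLE = NULL_HEADER + b"B" * 2000

if __name__ == "__main__":
    sessions = [
        (MAGENT_PORT, BENIGN_SAMPLE),
        (MAGENT_PORT, LONG_PLAIN_SAMPLE),
        (MAGENT_PORT, build_exploit_like_payload()),
        (8080, build_exploit_like_payload()),   # wrong port: skipped by scan_sessions
    ]
    for idx, verdict in scan_sessions(sessions):
        print(f"session {idx}: {verdict}")
```

The "likely" verdict is keyed on the SEH record rather than on the 0x780c8f1f constant alone, because that address only applies to the Diagnostics Server 9.10 build; a payload aimed at another version still carries the short jump at offset 1096 even though its handler address differs. The "suspicious" tier catches oversized null-headed requests for manual review without asserting exploitation.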