CVE-2012-2288
Published 2012-09-04
Priority P2 (71) · Severity: critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit indexed (Exploit-DB / Metasploit, see below)
EPSS: 33.12% (98.2th percentile)
Format string vulnerability in the nsrd RPC service in EMC NetWorker 7.6.3 and 7.6.4 before 7.6.4.1, and 8.0 before 8.0.0.1, allows remote attackers to execute arbitrary code via format string specifiers in a message.
Affected (3 ranges, as stated in the description above)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | networker | 7.6.3 | 7.6.4.1 |
| emc | networker | 7.6.4 before 7.6.4.1 | 7.6.4.1 |
| emc | networker | 8.0 before 8.0.0.1 | 8.0.0.1 |
Detection & IOCs (extracted from sources)

Indicator bytes: `\x81\xc4\x54\xf2\xff\xff`

Detection guidance:
- Detect exploit attempts by monitoring for TCP RPC calls to SunRPC program number 0x5F3DD (390109 decimal), version 2, procedure 6 targeting the nsrd service.
- Alert on RPC payloads containing long sequences of '%n' format string specifiers (156+ repetitions) directed at the nsrd service, indicative of format string exploitation.
- Look for the stack-adjustment prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff) in RPC payloads to the nsrd service as a shellcode delivery indicator.
- Monitor for ROP chain addresses from MSVCR71.dll (e.g., 0x7c354dac, 0x7c345c30) appearing in network traffic to the nsrd RPC service, indicating a DEP-bypass exploit attempt.
- The vulnerability is in the lg_sprintf function within liblocal.dll; monitor for unexpected crashes or code execution originating from liblocal.dll in EMC NetWorker processes.

Caveats:
- The Metasploit module targets only Windows platforms (XP SP3 and 2003 SP2); ROP gadget addresses are hardcoded to MSVCR71.dll and will not work against patched or different OS/library versions.
- The DEP bypass ROP chain is specific to MSVCR71.dll addresses; systems with ASLR enabled or different DLL load addresses will not be exploitable via this module without modification.
- Payload bad characters (\x00, \x0d, \x0a, \x25, \x2a) must be avoided by the exploit; detection signatures should therefore account for encoded payloads that work around these constraints.
No detection rules found.
Exploit-DB: EMC NetWorker - Format String (Metasploit), published 2012-11-07
---

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'EMC Networker Format String',
      'Description' => %q{
          This module exploits a format string vulnerability in the lg_sprintf function
        as implemented in liblocal.dll on EMC Networker products. This module exploits the
        vulnerability by using a specially crafted RPC call to the program number 0x5F3DD,
        version 0x02, and procedure 0x06. This module has been tested successfully on EMC
        Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).
      },
      'Author'      =>
        [
          'Aaron Por
```
Metasploit module: EMC Networker Format String

This module exploits a format string vulnerability in the lg_sprintf function as implemented in liblocal.dll on EMC Networker products. It does so by using a specially crafted RPC call to the program number 0x5F3DD, version 0x02, and procedure 0x06. The module has been tested successfully on EMC Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).
No writeups or analysis indexed.