CVE-2013-0946
Published: 2013-05-10
Priority: P264 | Severity: critical | CVSS 2.0 score: 9.3
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 28.55% (97.9th percentile)
Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor 4.0 before build 910 allows remote attackers to execute arbitrary code via crafted commands.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | alphastor | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff`
- bytes: `\x90\x90\x90\x90\x90\x90\x90\x90` (8-byte NOP sled prepended to payload)
- Monitor for TCP connections to port 3500 (EMC AlphaStor Library Manager LCP service) containing a 518+ byte payload whose first two bytes are 0x4F 0x7E (opcode 'O~'), indicative of CVE-2013-0946 exploitation.
- The exploit sends a crafted 514-byte pattern followed by 16 bytes of junk ('AAAABBBBCCCCDDDD'); detect oversized single-packet requests to port 3500 with this trailing pattern.
- Bad characters for the payload are NULL, TAB, LF, and CR (`\x00\x09\x0a\x0d`); any exploit attempt will avoid these bytes in the network stream, which can help distinguish exploit traffic from benign LCP protocol data.
- The PrependEncoder stub `\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff` is a fixed shellcode decoder prefix; scan network traffic to port 3500 for this byte sequence as a high-confidence exploit indicator.
- The ROP chain and return addresses are specific to Windows Server 2003 SP2 EN with the msvcrt.dll version present in that build; the exploit will not work as-is against other OS versions or patch levels.
- Payload space is constrained to 160 bytes with a stack adjustment of -404; defenders should note that staged/large payloads cannot be delivered in a single packet via this exploit path.
- The vulnerability affects EMC AlphaStor 4.0 before build 910; systems running build 910 or later are not affected by this specific buffer overflow.
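
The indicators listed above, combined into one per-payload check (an added example, not code from the referenced exploit, the vendor or this site). The function names, verdict levels and sample payloads are assumptions constructed for illustration; the samples hold only filler bytes and are not real LCP protocol data.

```python
# Added example: match one reassembled TCP payload against the indicators
# listed on this page. Extracting payloads from a capture is out of scope.
LCP_PORT = 3500
OPCODE = b"\x4f\x7e"                               # 'O~'
DECODER_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")
NOP_SLED = b"\x90" * 8
TRAILER = b"AAAABBBBCCCCDDDD"
BAD_CHARS = b"\x00\x09\x0a\x0d"                    # NULL, TAB, LF, CR
MIN_LEN = 518


def match_indicators(dst_port, payload):
    """Return the names of the page-listed indicators found in the payload."""
    if dst_port != LCP_PORT:
        return []
    hits = []
    oversized = len(payload) >= MIN_LEN
    if oversized and payload[:2] == OPCODE:
        hits.append("oversized_opcode_request")
    if DECODER_STUB in payload:
        hits.append("decoder_stub")
    if NOP_SLED in payload:
        hits.append("nop_sled")
    if payload.endswith(TRAILER):
        hits.append("junk_trailer")
    # Weak signal: only meaningful on a large request, never alone.
    if oversized and not any(b in BAD_CHARS for b in payload):
        hits.append("no_bad_chars")
    return hits


def verdict(dst_port, payload):
    """Hypothetical triage levels: 'alert', 'suspicious' or 'ok'."""
    hits = set(match_indicators(dst_port, payload))
    strong = hits & {"decoder_stub", "junk_trailer"}
    if "oversized_opcode_request" in hits and strong:
        return "alert"
    if "oversized_opcode_request" in hits or strong:
        return "suspicious"
    return "ok"


# Constructed samples (filler only, no ROP chain or shellcode).
SAMPLE_SHORT = OPCODE + b"Z" * 30
SAMPLE_LARGE = OPCODE + b"\x00" * 600
SAMPLE_MATCH = (OPCODE + b"Z" * 350 + NOP_SLED + DECODER_STUB
                + b"Z" * 146 + TRAILER)
```

Treat `no_bad_chars` and `nop_sled` as supporting evidence only; the opcode-plus-length check and the decoder stub are the indicators the page rates highest.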
No detection rules found.
No writeups or analysis indexed.