CVE-2013-0946
published 2013-05-10

Priority: P2 · 64 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 28.55% (97.9th percentile)
Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor 4.0 before build 910 allows remote attackers to execute arbitrary code via crafted commands.

Affected (1 range)

Vendor | Product | Version range | Fixed in
emc | alphastor | |

Detection & IOCs (extracted from sources)

port: 3500
command: Opcode 0x4f (buf[0,2] = "O~")
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff
bytes: \x90\x90\x90\x90\x90\x90\x90\x90 (8-byte NOP sled prepended to payload)
  • Monitor for TCP connections to port 3500 (EMC AlphaStor Library Manager LCP service) containing a 518+ byte payload whose first two bytes are 0x4F 0x7E (opcode 'O~'), indicative of CVE-2013-0946 exploitation.
  • The exploit sends a crafted 514-byte pattern followed by 16 bytes of junk ('AAAABBBBCCCCDDDD'); detect oversized single-packet requests to port 3500 with this trailing pattern.
  • Bad characters for the payload are NULL, TAB, LF, and CR (\x00\x09\x0a\x0d); any exploit attempt will avoid these bytes in the network stream, which can help distinguish exploit traffic from benign LCP protocol data.
  • The PrependEncoder stub '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff' is a fixed shellcode decoder prefix; scan network traffic to port 3500 for this byte sequence as a high-confidence exploit indicator.
  • The ROP chain and return addresses are specific to Windows Server 2003 SP2 EN with the msvcrt.dll version present in that build; the exploit will not work as-is against other OS versions or patch levels.
  • Payload space is constrained to 160 bytes with a stack adjustment of -404; defenders should note that staged/large payloads cannot be delivered in a single packet via this exploit path.
  • The vulnerability affects EMC AlphaStor 4.0 before build 910; systems running build 910 or later are not affected by this specific buffer overflow.
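
The indicators above combined into one per-payload check, as an added example (not code from this page or its sources). The function names, the triage tiers and the sample payloads are assumptions constructed for illustration; the port, opcode, length and byte sequences are the ones listed above.

```python
# Added example: matches one TCP payload against the indicators listed above.
LCP_PORT = 3500
OPCODE = b"O~"                                    # 0x4F 0x7E
MIN_LEN = 518
DECODER_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")
NOP_SLED = b"\x90" * 8
JUNK_TRAILER = b"AAAABBBBCCCCDDDD"
BAD_CHARS = b"\x00\x09\x0a\x0d"

def match_indicators(dst_port, payload):
    """Return the names of the page's indicators that this payload matches."""
    if dst_port != LCP_PORT or not payload.startswith(OPCODE):
        return []
    hits = ["opcode"]
    if len(payload) >= MIN_LEN:
        hits.append("oversized")
    if DECODER_STUB in payload:
        hits.append("decoder_stub")
    if NOP_SLED in payload:
        hits.append("nop_sled")
    if payload.endswith(JUNK_TRAILER):
        hits.append("junk_trailer")
    if not any(b in BAD_CHARS for b in payload):
        hits.append("no_bad_chars")   # weak signal, never sufficient alone
    return hits

def verdict(dst_port, payload):
    """Hypothetical triage tiers; the opcode alone is not treated as an alert."""
    hits = match_indicators(dst_port, payload)
    if "decoder_stub" in hits:
        return "high"
    if "oversized" not in hits:
        return "none"
    if "junk_trailer" in hits or "nop_sled" in hits:
        return "medium"
    return "low"

# Constructed samples: filler bytes only, no working payload or addresses.
SUSPICIOUS = OPCODE + b"X" * 512 + DECODER_STUB + JUNK_TRAILER
OVERSIZED_ONLY = OPCODE + b"Z" * 520
SHORT_REQUEST = OPCODE + b"status\r\n"   # made-up request, not real LCP syntax

if __name__ == "__main__":
    for name, data in [("suspicious", SUSPICIOUS),
                       ("oversized", OVERSIZED_ONLY),
                       ("short", SHORT_REQUEST)]:
        print(name, verdict(LCP_PORT, data), match_indicators(LCP_PORT, data))
```

The check assumes the caller has already reassembled the TCP stream to port 3500 into a single request payload.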