CVE-2017-11517
published 2017-07-21

Priority: P274 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 29.08% (97.9th percentile)

Stack-based buffer overflow in GCoreServer.exe in the server in Geutebrueck Gcore 1.3.8.42 and 1.4.2.37 allows remote attackers to execute arbitrary code via a long URI in a GET request.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
geutebrueck | gcore | |
geutebrueck | gcore | |

Detection & IOCs (extracted from sources)

process: GCoreServer.exe
port: 13003
port: 13004
url: /statistics/runningmoduleslist.xml
command: GET /<200 * 'A'><rop><payload><1823 * 'A'><overwrite><stack_align>
  • Fingerprinting requests to /statistics/runningmoduleslist.xml on ports 13003/13004 can indicate pre-exploitation reconnaissance against Geutebrueck GCore servers.
  • Exploit traffic is a malformed HTTP GET request with an oversized URI (~2000+ bytes of padding, ROP chain, and shellcode) sent to GCoreServer.exe on ports 13003 or 13004; no authentication header will be present.
  • A crash of GCoreServer.exe followed by automatic service restart (within ~1 minute) and reboot after three crashes is a strong indicator of active exploitation attempts.
  • Monitor HTTP GET requests to ports 13003/13004 where the URI length exceeds normal bounds (e.g., >200 bytes of repeated 0x41 bytes) as a signature of the buffer overflow exploit.
  • The exploit targets only Windows x64 systems (Win7, Win8/8.1, Win2012R2); ROP chains are version-specific to GCore 1.3.8.42 and 1.4.2.37 and will crash the service if the wrong version is targeted.
  • After a successful or failed exploit crash, the video surveillance system may stop recording and fail to recover properly until manually remediated.
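
The fingerprinting and oversized-URI checks from the bullets above, sketched as detection logic over HTTP request records. This is an added example, not part of the original page or any vendor tooling; the record layout (destination port, request line, headers), the 1024-byte length threshold and the sample records are constructed assumptions.

```python
import re

GCORE_PORTS = {13003, 13004}                    # ports listed on this page
FINGERPRINT_PATH = "/statistics/runningmoduleslist.xml"
A_RUN = re.compile(r"A{200,}")                  # run of 200 or more 0x41 bytes
MAX_URI_LEN = 1024                              # assumed tuning threshold


def classify(dst_port, request_line, headers):
    """Return a sorted list of findings for one HTTP request record."""
    if dst_port not in GCORE_PORTS:
        return []
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return []
    uri = parts[1]
    findings = set()
    # Version fingerprinting request that can precede exploitation.
    if uri.split("?", 1)[0].lower() == FINGERPRINT_PATH:
        findings.add("recon-fingerprint")
    # Padding signature: long run of repeated 'A' inside the URI.
    if A_RUN.search(uri):
        findings.add("long-0x41-run")
    # Overall URI length far beyond normal requests.
    if len(uri) > MAX_URI_LEN:
        findings.add("oversized-uri")
        if not any(k.lower() == "authorization" for k in headers):
            findings.add("no-auth-header")
    return sorted(findings)


def scan(records):
    """Return (index, findings) for every record with at least one finding."""
    return [(i, f) for i, r in enumerate(records) if (f := classify(*r))]


# Constructed sample records: (dst_port, request_line, headers).
# The oversized URI uses inert filler bytes only.
SAMPLES = [
    (13003, "GET /statistics/runningmoduleslist.xml HTTP/1.1", {"Host": "cam01"}),
    (13004, "GET /" + "A" * 200 + "X" * 64 + "A" * 1823 + " HTTP/1.1", {}),
    (13003, "GET /index.html HTTP/1.1", {"Authorization": "Basic placeholder"}),
    (8080, "GET /" + "A" * 3000 + " HTTP/1.1", {}),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLES):
        print(idx, found)
```

A fingerprint hit followed by an oversized-URI hit from the same source, or either one near a GCoreServer.exe crash and restart, is worth correlating rather than alerting on in isolation.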

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P