CVE-2017-11517
Published: 2017-07-21
Priority: P2 · 74 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 29.08% (97.9th percentile)
Stack-based buffer overflow in GCoreServer.exe in the server in Geutebrueck Gcore 1.3.8.42 and 1.4.2.37 allows remote attackers to execute arbitrary code via a long URI in a GET request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geutebrueck | gcore | — | — |
| geutebrueck | gcore | — | — |
Detection & IOCs (extracted from sources)
- Fingerprinting requests to /statistics/runningmoduleslist.xml on ports 13003/13004 can indicate pre-exploitation reconnaissance against Geutebrueck GCore servers.
- Exploit traffic is a malformed HTTP GET request with an oversized URI (~2000+ bytes of padding, ROP chain, and shellcode) sent to GCoreServer.exe on ports 13003 or 13004; no authentication header will be present.
- A crash of GCoreServer.exe followed by automatic service restart (within ~1 minute) and reboot after three crashes is a strong indicator of active exploitation attempts.
- Monitor HTTP GET requests to ports 13003/13004 where the URI length exceeds normal bounds (e.g., >200 bytes of repeated 0x41 bytes) as a signature of the buffer overflow exploit.
- The exploit targets only Windows x64 systems (Win7, Win8/8.1, Win2012R2); ROP chains are version-specific to GCore 1.3.8.42 and 1.4.2.37 and will crash the service if the wrong version is targeted.
- After a successful or failed exploit crash, the video surveillance system may stop recording and fail to recover properly until manually remediated.
CVSS provenance
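| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |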
No detection rules found.
Exploit-DB
Geutebrueck GCore 1.3.8.42/1.4.2.37 - Remote Code Execution (Metasploit)
exploitdb·2017-01-24
---
# Exploit Title: Geutebrueck GCore X64 Full RCE Bufferoverflow for Metasploit
# Date: 20170125
# Exploit Author: Luca Cappiello, Maurice Popp
# Contact(Twitter): @dopa_mined, @_m4p0
# Github: https://github.com/m4p0/Geutebrueck_GCore_X64_RCE_BO
# Vendor Homepage: http://www.geutebrueck.com/en_US/product-overview-31934.html
# Software Link: None
# Version: 1.3.8.42/1.4.2.37
# Tested on: Win7, Win8/8.1, Win2012R2
# CVE : None
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
require 'open-uri'
class MetasploitModule 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE',
'Description' =
Metasploit
Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE
metasploit
This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).
No writeups or analysis indexed.
Published: 2017-07-21