cbcvebase.
CVE-2017-5177
published 2017-05-19

CVE-2017-5177: A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior. A stack-based buffer overflow vulnerability has been identified…

PriorityP263high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EXPLOIT
EPSS
17.71%
96.8th percentile
A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior. A stack-based buffer overflow vulnerability has been identified, where an attacker with a specially crafted packet could overflow the fixed length buffer. This could allow remote code execution.

Affected

1 ranges
VendorProductVersion rangeFixed in
vipa_controlswinplc7_firmware<= 5.0.45.5921

Detection & IOCsextracted from sources · hover to see the quote

port7777
registry0x00422354
processws7v5.exe
commandpkt[848, 4] = [target.ret].pack('V')
bytes
\x13\x88\x00\x00\x00
  • Monitor for TCP connections to port 7777 targeting WinPLC7; the exploit module listens on this port and sends a crafted packet to trigger the overflow.
  • Detect oversized packets (~5000 bytes) sent to/from WinPLC7 (ws7v5.exe) beginning with the 5-byte header \x13\x88\x00\x00\x00; legitimate traffic should not approach this size.
  • The return address overwrite occurs at offset 848 in the packet buffer (4-byte little-endian RET value), followed immediately by shellcode at offset 852; inspect packet payloads for this structure.
  • The exploit targets ws7v5.exe on Windows 7 EN using a JMP ESP gadget at 0x00422354; alert on execution flow reaching this address within the process.
  • EXITFUNC is set to 'process', meaning successful exploitation terminates the WinPLC7 process; unexpected crashes of ws7v5.exe should be investigated as potential exploitation attempts.
  • ·The Metasploit module's RET address (JMP ESP gadget at 0x00422354) is specific to the Windows 7 EN build of ws7v5.exe; the exploit will not function as-is against other OS versions or locales without a different gadget address.
  • ·Payload space is constrained to 500 bytes with a stack adjustment of -3500; detection rules should account for shellcode embedded within the 500-byte window starting at offset 852.
  • ·At time of ICS-CERT advisory publication, no known public exploits specifically targeted this vulnerability; the Exploit-DB module post-dates the advisory.
  • ·All WinPLC7 versions 5.0.45.5921 and prior are affected; ensure version identification is part of asset inventory before scoping detection.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.