CVE-2018-5359
published 2018-01-23


Priority: P2 61 high
CVSS 3.0: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit available
EPSS: 9.16% (94.7th percentile)
The server in Flexense SysGauge 3.6.18 operating on port 9221 can be exploited remotely with the attacker gaining system-level access because of a Buffer Overflow.

Affected (1 range)

Vendor: flexense
Product: sysgauge
Version range / Fixed in: not listed

Detection & IOCs (extracted from sources)

  • port: 9221
  • url: http://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe
  • port: 1337
  • path: C:\Program Files\SysGauge Server\bin\sysgaus.exe
  • bytes: \x75\x19\xba\xab\x03\x00\x00\x00\x00\x40\x00\x00
  • bytes: \x3b\x38\x01\x10
  • bytes: \xeb\x12\x90\x90
  • Detect exploit attempts by monitoring for TCP connections to port 9221 on SysGauge Server hosts, particularly packets beginning with the magic header bytes \x75\x19\xba\xab followed by \x03\x00\x00\x00\x00\x40\x00\x00.
  • The exploit sends a payload with a 124-byte 'A' offset followed by SEH overwrite bytes \xeb\x12\x90\x90 and POP/POP/RET gadget \x3b\x38\x01\x10 from libdsm.dll; network payloads matching this pattern on port 9221 indicate active exploitation.
  • Post-exploitation, the shellcode opens a bind shell on port 1337; monitor for unexpected listening services on port 1337 on Windows hosts running SysGauge Server.
  • The exploit is unauthenticated and targets SysGauge Server version 3.6.18 on Windows; alert on any unauthenticated remote connection to port 9221 from external/untrusted IP addresses.
  • The exploit was tested on Windows 7 x64; the SEH gadget address (0x1001383b) in libdsm.dll is version/build specific and may differ across environments.
  • The shellcode was generated with a bad-character exclusion of \x02; detection signatures based on shellcode bytes should account for possible re-encoding with different bad-character sets.
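The indicators above, applied to a captured TCP payload in an added Python check (example code written for this page, not from the CVE record or from Flexense). The function name `sysgauge_indicators`, the verdict labels and the sample payloads are constructed here; because the gadget bytes are build specific, the check also flags the long single-byte filler run that precedes the SEH overwrite, which survives re-encoding of the shellcode.

```python
"""Flag payloads sent to SysGauge Server (TCP 9221) that match the indicators
quoted in the CVE record: fixed request header, SEH overwrite bytes, the
libdsm.dll POP/POP/RET gadget, and the 124-byte filler run before them."""

# Indicator bytes exactly as listed in the record.
MAGIC_HEADER = b"\x75\x19\xba\xab"
HEADER_TAIL = b"\x03\x00\x00\x00\x00\x40\x00\x00"   # fixed bytes after the magic
SEH_OVERWRITE = b"\xeb\x12\x90\x90"                 # short jump + NOPs in the SEH record
POP_POP_RET = b"\x3b\x38\x01\x10"                   # 0x1001383b in libdsm.dll, little-endian
SYSGAUGE_PORT = 9221
OFFSET_TO_SEH = 124                                 # 'A' padding length reported in the record


def sysgauge_indicators(dst_port: int, payload: bytes) -> list[str]:
    """Return the names of the record's indicators present in one payload."""
    hits: list[str] = []
    if dst_port != SYSGAUGE_PORT:
        return hits
    if payload.startswith(MAGIC_HEADER + HEADER_TAIL):
        hits.append("magic_header")
    if SEH_OVERWRITE in payload:
        hits.append("seh_overwrite")
    if POP_POP_RET in payload:
        hits.append("libdsm_pop_pop_ret")
    # Build-independent check: the body after the header is one repeated byte
    # for at least the reported offset, which no legitimate request needs.
    body = payload[len(MAGIC_HEADER) + len(HEADER_TAIL):]
    if len(body) > OFFSET_TO_SEH and len(set(body[:OFFSET_TO_SEH])) == 1:
        hits.append("long_filler_run")
    return hits


def classify(dst_port: int, payload: bytes) -> str:
    """Collapse indicator hits into a verdict for an alerting pipeline."""
    hits = sysgauge_indicators(dst_port, payload)
    if "seh_overwrite" in hits or "libdsm_pop_pop_ret" in hits:
        return "exploit"            # gadget bytes from the public exploit present
    if len(hits) >= 2:
        return "suspicious"         # header plus filler run: possible re-encoded variant
    return "benign"


# Constructed sample payloads (not real captures) for a stand-alone run.
HEADER = MAGIC_HEADER + HEADER_TAIL
BENIGN_REQUEST = HEADER + b"status"
EXPLOIT_SHAPED = HEADER + b"A" * OFFSET_TO_SEH + SEH_OVERWRITE + POP_POP_RET + b"\x90" * 8
RE_ENCODED = HEADER + b"B" * 200          # same shape, different gadget/shellcode bytes

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_REQUEST), ("exploit", EXPLOIT_SHAPED), ("variant", RE_ENCODED)]:
        print(name, classify(SYSGAUGE_PORT, sample), sysgauge_indicators(SYSGAUGE_PORT, sample))
```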

CVSS provenance

  • NVD, CVSS v3.0: 8.1 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD, CVSS v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C