CVE-2018-5359
Published 2018-01-23
Priority P2 · 61 · high · CVSS 3.0 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT · EPSS 9.16% (94.7th percentile)
The server in Flexense SysGauge 3.6.18 operating on port 9221 can be exploited remotely with the attacker gaining system-level access because of a Buffer Overflow.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flexense | sysgauge | — | — |
Detection & IOCs (extracted from sources)
- bytes (exploit header): \x75\x19\xba\xab\x03\x00\x00\x00\x00\x40\x00\x00
- bytes (SEH handler, POP/POP/RET in libdsm.dll): \x3b\x38\x01\x10
- bytes (nSEH short jump): \xeb\x12\x90\x90
- Detect exploit attempts by monitoring TCP connections to port 9221 on SysGauge Server hosts, particularly payloads that begin with the magic header \x75\x19\xba\xab followed by \x03\x00\x00\x00\x00\x40\x00\x00.
- The exploit sends 124 bytes of 'A' filler and then the SEH record: \xeb\x12\x90\x90 in the nSEH slot (a short jump of +18 bytes that skips the handler address) followed by \x3b\x38\x01\x10 as the handler (0x1001383b little-endian, a POP/POP/RET gadget in libdsm.dll). Payloads with this layout on port 9221 indicate active exploitation.
- Post-exploitation, the shellcode opens a bind shell on TCP port 1337; monitor for unexpected listening sockets on port 1337 on Windows hosts running SysGauge Server.
- The exploit is unauthenticated and targets SysGauge Server 3.6.18 on Windows; alert on any connection to port 9221 from external or untrusted addresses.
- The exploit was tested on Windows 7 x64; the gadget address 0x1001383b in libdsm.dll is build specific and may differ across installations, so a signature keyed on those four bytes alone will miss re-targeted variants.
- The shellcode was generated with \x02 excluded as a bad character; signatures based on shellcode bytes should allow for re-encoding with a different bad-character set.
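Added example (not code from the page's sources or from Flexense): the detection logic in the bullets above, run over constructed sample traffic. The byte patterns, the 124-byte offset and the ports come from this page; the function names, tag names, the sample payloads and the `netstat -ano` style lines are this example's own. It matches the SEH record by shape (a short jump in the nSEH slot at the known offset) as well as by the exact libdsm.dll gadget, so a variant re-targeted at a different build still raises the less specific tag.

```python
from __future__ import annotations

SYSGAUGE_PORT = 9221
BIND_SHELL_PORT = 1337

# Byte patterns quoted on this page.
MAGIC = b"\x75\x19\xba\xab"
HEADER_TAIL = b"\x03\x00\x00\x00\x00\x40\x00\x00"
EXPLOIT_HEADER = MAGIC + HEADER_TAIL
FILLER_LEN = 124                       # 'A' * 124 precedes the SEH record
NSEH = b"\xeb\x12\x90\x90"             # nSEH: short jmp +18, skips the handler
PPR_LIBDSM = b"\x3b\x38\x01\x10"       # 0x1001383b LE, POP/POP/RET in libdsm.dll (build specific)


def classify_payload(dst_port: int, payload: bytes) -> list[str]:
    """Return detection tags for one TCP payload sent to dst_port, least to
    most specific.  Tag names are this example's own."""
    tags: list[str] = []
    if dst_port != SYSGAUGE_PORT or not payload.startswith(MAGIC):
        return tags
    tags.append("sysgauge-magic")                 # any traffic carrying the magic
    if not payload.startswith(EXPLOIT_HEADER):
        return tags
    tags.append("exploit-header")                 # the full header the PoC sends
    body = payload[len(EXPLOIT_HEADER):]
    record = body[FILLER_LEN:FILLER_LEN + 8]      # nSEH (4 bytes) + handler (4 bytes)
    if len(record) < 8:
        return tags
    nseh, handler = record[:4], record[4:]
    # Match the structure first: a short jmp (0xEB) in the nSEH slot at the
    # known offset is the exploit's shape whatever gadget address follows.
    if nseh[0] == 0xEB:
        tags.append("seh-overwrite")
        if handler == PPR_LIBDSM:
            tags.append("seh-handler-libdsm")
    return tags


def build_sample(handler: bytes = PPR_LIBDSM, shellcode: bytes = b"\x90" * 32) -> bytes:
    """Constructed exploit-shaped payload for testing; NOPs stand in for shellcode."""
    return EXPLOIT_HEADER + b"A" * FILLER_LEN + NSEH + handler + shellcode


def bind_shell_listeners(netstat_lines: list[str], port: int = BIND_SHELL_PORT) -> list[str]:
    """Return PIDs of processes LISTENING on `port`, parsed from lines in the
    `netstat -ano` layout (Proto, Local, Foreign, State, PID)."""
    pids: list[str] = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                pids.append(parts[4])
    return pids


# Constructed netstat -ano output: the process listening on 9221 (PID 1234)
# also owns an unexpected listener on 1337, the bind-shell port named above.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:9221           0.0.0.0:0              LISTENING       1234",
    "  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       1234",
    "  TCP    192.0.2.10:49152       198.51.100.7:443       ESTABLISHED     4321",
]

if __name__ == "__main__":
    print(classify_payload(SYSGAUGE_PORT, build_sample()))
    print(classify_payload(SYSGAUGE_PORT, build_sample(handler=b"\x11\x22\x33\x44")))
    print(bind_shell_listeners(SAMPLE_NETSTAT))
```

Feeding the same classifier real reassembled TCP payloads (for example from a packet capture on the SysGauge host) is a matter of replacing the constructed sample; the `seh-overwrite` tag without `seh-handler-libdsm` is the case to watch for, since it is what a re-encoded or re-targeted variant of the PoC produces.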
CVSS provenance
- NVD v3.0: 8.1 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.3 HIGH (the v2 scale has no Critical band) · AV:N/AC:M/Au:N/C:C/I:C/A:C
No detection rules found.