CVE-2019-13577
published 2019-07-17


Priority: P274 (critical). CVSS 3.0 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Exploit: available.
EPSS: 24.40% (97.6th percentile).
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.

Affected (1 range)

Vendor: computerlab
Product: maple_computer_wbt_snmp_administrator
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

  • filename: SnmpAdm.exe
  • hash: a3913aae166c11ddd21dca437e78c3f4
  • url: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
  • filename: SnmpSetup.195.15.EXE
  • path: C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll
  • filename: ipwSNMPv5.dll
  • Detect exploit attempts by monitoring for large TCP payloads (>640KB) sent to port 987 on hosts running SnmpAdm.exe (MAPLE WBT SNMP Administrator CE Remote feature).
  • Hunt for the EggHunter tag string 'w00tw00t' in TCP payloads destined for port 987, which is used by the EggHunter exploit variant to locate shellcode in memory.
  • Alert on process creation or DLL load events for ipwSNMPv5.dll with ASLR/SafeSEH/Rebase all set to False, indicating the vulnerable unprotected module is loaded.
  • Monitor AppData\Local\Temp for files with .tmp extensions dropped by SnmpAdm.exe (e.g. ~ip6B92.tmp), which may indicate the vulnerable software is running and potentially being exploited.
  • No authentication is required to trigger the overflow; any unauthenticated TCP connection sending a long string to port 987 should be treated as suspicious.
  • The exploit was tested on Windows XP SP2 x86 (EggHunter variant) and Windows 7 SP1 (calc.exe PoC variant); the ROP/return address gadget (0x10008fb3 / call ebx in ipwSNMPv5.dll) is specific to the unrebased DLL and may differ across installations.
  • The software is packed with ASPack v2.12 and uses self-modifying code, which may hinder static analysis and AV detection of the installer binary.

CVSS provenance

  • NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)