CVE-2019-13577
Published: 2019-07-17
Priority P274, critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 24.40% (97.6th percentile)
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| computerlab | maple_computer_wbt_snmp_administrator | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring for large TCP payloads (>640KB) sent to port 987 on hosts running SnmpAdm.exe (MAPLE WBT SNMP Administrator CE Remote feature).
- Hunt for the EggHunter tag string 'w00tw00t' in TCP payloads destined for port 987, which is used by the EggHunter exploit variant to locate shellcode in memory.
- Alert on process creation or DLL load events for ipwSNMPv5.dll with ASLR/SafeSEH/Rebase all set to False, indicating the vulnerable unprotected module is loaded.
- Monitor AppData\Local\Temp for files with .tmp extensions dropped by SnmpAdm.exe (e.g. ~ip6B92.tmp), which may indicate the vulnerable software is running and potentially being exploited.
- No authentication is required to trigger the overflow; any unauthenticated TCP connection sending a long string to port 987 should be treated as suspicious.
- The exploit was tested on Windows XP SP2 x86 (EggHunter variant) and Windows 7 SP1 (calc.exe PoC variant); the ROP/return address gadget (0x10008fb3 / call ebx in ipwSNMPv5.dll) is specific to the unrebased DLL and may differ across installations.
- The software is packed with ASPack v2.12 and uses self-modifying code, which may hinder static analysis and AV detection of the installer binary.
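
One way to implement the first two checks in the list above (the >640KB size threshold and the 'w00tw00t' tag hunt on port 987) over in-order client-to-server TCP segments. This is an added example, not code from the indexed sources: the flow key, class and alert names are hypothetical, the sample segments are constructed, and 640KB is read as 640 × 1024 bytes.

```python
from collections import defaultdict

CE_REMOTE_PORT = 987           # CE Remote listener port named on this page
SIZE_THRESHOLD = 640 * 1024    # ">640KB" from this page, read as KiB (assumption)
EGG_TAG = b"w00tw00t"          # EggHunter tag string named on this page


class CeRemoteMonitor:
    """Per-flow state for client-to-server segments destined for port 987."""

    def __init__(self):
        self.total = defaultdict(int)    # cumulative payload bytes per flow
        self.tail = defaultdict(bytes)   # last len(tag)-1 bytes seen per flow
        self.raised = defaultdict(set)   # alerts already raised per flow

    def feed(self, flow, dst_port, payload):
        """Consume one in-order segment; return the set of newly raised alerts."""
        if dst_port != CE_REMOTE_PORT or not payload:
            return set()
        new = set()
        # Size check is cumulative: the long string arrives as many segments.
        self.total[flow] += len(payload)
        if self.total[flow] > SIZE_THRESHOLD:
            new.add("oversized-payload")
        # Prepend the previous tail so a tag split across segments still matches.
        window = self.tail[flow] + payload
        if EGG_TAG in window:
            new.add("egghunter-tag")
        self.tail[flow] = window[-(len(EGG_TAG) - 1):]
        new -= self.raised[flow]         # alert once per flow per rule
        self.raised[flow] |= new
        return new


def demo():
    """Run constructed sample segments through the monitor."""
    mon = CeRemoteMonitor()
    flow_a = ("198.51.100.7", 40001, "192.0.2.10")   # constructed addresses
    flow_b = ("198.51.100.8", 40002, "192.0.2.10")
    events = [mon.feed(flow_a, 987, b"AAAAw00t"),    # tag straddles two segments
              mon.feed(flow_a, 987, b"w00tBBBB")]
    for _ in range(11):                              # 11 x 64 KiB of filler bytes
        events.append(mon.feed(flow_b, 987, b"\x00" * 65536))
    return events


if __name__ == "__main__":
    for i, alerts in enumerate(demo()):
        if alerts:
            print(i, sorted(alerts))
```

The monitor assumes segments are fed in stream order; out-of-order capture needs reassembly first.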
CVSS provenance
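| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |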
No detection rules found.
Exploit-DB
MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
exploitdb·2019-07-19
---
```python
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)
#!/usr/bin/python
import sys
import socket
import random
import string
import struct
def pattern_create(_type,_length):
    _type = _type.split(" ")
    if _type[0] == "trash":
        return _type[1] * _length
    elif _type[0] == "random":
        return ''.join(random.choice(str
```
Exploit-DB
MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow
exploitdb·2019-07-17·CVSS 9.8
---
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow
# Author: hyp3rlinx
# Discovery Date: 2019-07-17
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows
# CVE: CVE-2019-13577
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
[+] ISR: Apparition Security
[Vendor]
www.computerlab.com
[Product]
MAPLE Computer WBT SNMP Adminis
No writeups or analysis indexed.
- http://hyp3rlinx.altervista.org
- http://packetstormsecurity.com/files/153675/MAPLE-Computer-WBT-SNMP-Administrator-2.0.195.15-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2019/Jul/17
- https://seclists.org/bugtraq/2019/Jul/29
2019-07-17
Published