CVE-2002-2268
published 2002-12-31CVE-2002-2268: Buffer overflow in Webster HTTP Server allows remote attackers to execute arbitrary code via a long URL.
PriorityP348critical9.4CVSS 2.0
AVNACLAuNCCICAN
EXPLOIT
EPSS
52.68%
98.8th percentile
Buffer overflow in Webster HTTP Server allows remote attackers to execute arbitrary code via a long URL.
Detection & IOCsextracted from sources · hover to see the quote
- →Detect Kolibri HTTP Server 2.0 exploitation by monitoring for HTTP HEAD requests with oversized URIs (~515+ bytes of alphanumeric data) followed by a 4-byte little-endian return address. ↗
- →Detect Webster HTTP Server exploitation by monitoring for HTTP GET requests with URIs containing ~266+ bytes of alphanumeric data (SEH overwrite pattern). ↗
- →For Kolibri exploitation, the egghunter payload is delivered in the Content-Type HTTP header; alert on abnormally large or binary-containing Content-Type header values in HEAD requests. ↗
- →Fingerprint vulnerable Kolibri server via HTTP Server banner matching 'kolibri-2.0'; presence of this banner indicates an unpatched, exploitable instance. ↗
- →Bad characters for Kolibri exploit payload are null byte, CR, LF, '=', space, '?'; payloads avoiding these bytes in a HEAD request URI are characteristic of this exploit. ↗
- →Bad characters for Webster exploit payload include null, ':', '&', '?', '%', '#', space, LF, CR, '/', '+', VT, backslash; URL-encoded or raw GET requests avoiding these bytes but exceeding 266 chars are suspicious. ↗
- ·The Kolibri exploit uses an egghunter technique to stage a larger payload; the actual shellcode is placed in the Content-Type header while the egghunter stub is in the URI overflow, meaning detection must cover both the URI and headers. ↗
- ·The Webster exploit uses an SEH (Structured Exception Handler) overwrite technique, not a direct RET overwrite; detection/analysis tools must account for SEH chain corruption at offset ~266 bytes. ↗
- ·The Kolibri exploit payload space is limited to 3000 bytes with NOPs disabled; the Webster exploit payload space is limited to 1024 bytes with NOPs disabled. ↗
- ·The CVE is referenced by two distinct exploits targeting different HTTP servers (Webster and Kolibri); detection rules should cover both attack vectors independently. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Kolibri HTTP Server 2.0 - HEAD Buffer Overflow (Metasploit)
exploitdb·2011-08-03
CVE-2002-2268 Kolibri HTTP Server 2.0 - HEAD Buffer Overflow (Metasploit)
Kolibri HTTP Server 2.0 - HEAD Buffer Overflow (Metasploit)
---
##
# $Id: kolibri_http.rb 10887 2011-08-03 12:19:19Z mr_me $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 [ /kolibri-2\.0/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Kolibri %q{This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.},
'Author' =>
[
'mr_me ', # msf
'TheLeader' # original exploit
],
'Version' => '$Revision: 10887 $',
'References' =>
[
[ 'CVE',
Exploit-DB
Webster HTTP Server - GET Buffer Overflow (Metasploit)
exploitdb·2010-11-03
CVE-2002-2268 Webster HTTP Server - GET Buffer Overflow (Metasploit)
Webster HTTP Server - GET Buffer Overflow (Metasploit)
---
##
# $Id: webster_http.rb 10887 2010-11-03 12:19:19Z patrickw $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Webster HTTP Server GET Buffer Overflow',
'Description' => %q{
This exploits a stack buffer overflow in the Webster HTTP server.
The server and source code was released within an article from
the Microsoft Systems Journal in February 1996 titled "Write a
Simple HTTP-based Server Using MFC and Windows Sockets".
},
'Author' => [ 'patrick' ],
'Version' => '$Revision: 10887 $'
Metasploit
Kolibri HTTP Server HEAD Buffer Overflow
metasploit
Kolibri HTTP Server HEAD Buffer Overflow
Kolibri HTTP Server HEAD Buffer Overflow
This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.
Metasploit
Webster HTTP Server GET Buffer Overflow
metasploit
Webster HTTP Server GET Buffer Overflow
Webster HTTP Server GET Buffer Overflow
This exploits a stack buffer overflow in the Webster HTTP server. The server and source code was released within an article from the Microsoft Systems Journal in February 1996 titled "Write a Simple HTTP-based Server Using MFC and Windows Sockets".
No writeups or analysis indexed.
http://seclists.org/lists/bugtraq/2002/Dec/0013.htmlhttp://www.securiteam.com/windowsntfocus/6R0030A6AY.htmlhttp://www.securityfocus.com/bid/6289https://exchange.xforce.ibmcloud.com/vulnerabilities/10727http://seclists.org/lists/bugtraq/2002/Dec/0013.htmlhttp://www.securiteam.com/windowsntfocus/6R0030A6AY.htmlhttp://www.securityfocus.com/bid/6289https://exchange.xforce.ibmcloud.com/vulnerabilities/10727
2002-12-31
Published