CVE-2003-0471
published 2003-08-07

CVE-2003-0471: Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers to execute arbitrary code via an HTTP request to WebAdmin.dll with a long USER argument.

Priority P352 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 60.95% (99.0th percentile)

Detection & IOCs (extracted from sources)

url: POST /WebAdmin.DLL?View=Logon
url: /WebAdmin.DLL?View=Logon
path: /WebAdmin.DLL
port: 1000
command: User=<168-byte overflow>+<ret addr>+<shellcode>&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In
other: jmp esp @ 0x1005d58d (webAdmin.dll 2.0.4)
other: RET 0x10074d9b (webAdmin.dll 2.0.4)
other: RET 0x10074b13 (webAdmin.dll 2.0.3)
other: RET 0x10071e3b (webAdmin.dll 2.0.2)
other: RET 0x100543c2 (webAdmin.dll 2.0.1)
filename: WebAdmin.dll
filename: WebAdmin.exe
bytes: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c

  • Detect exploit attempts by matching HTTP POST requests to /WebAdmin.DLL?View=Logon with an oversized User= parameter in the POST body (overflow offset is 168 bytes before the return address).
  • Alert on HTTP requests to /WebAdmin.DLL where the Content-Type is application/x-www-form-urlencoded and the User= POST field length exceeds 168 bytes.
  • Fingerprint vulnerable versions by checking HTTP response body for the pattern /v2\.0\.4|v2\.0\.3|v2\.0\.2|v2\.0\.1/ on the WebAdmin service (default port 1000).
  • Monitor for exploitation of WebAdmin on TCP port 1000, which is the default service port targeted by all known exploit variants.
  • Payload bad characters for this exploit are \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; shellcode in the User= field will avoid these bytes, which can aid in distinguishing encoded shellcode from normal traffic.
  • Successful exploitation results in code execution with SYSTEM-level privileges; monitor for WebAdmin.exe spawning unexpected child processes (e.g., cmd.exe) on Windows hosts.
  • The exploit targets WebAdmin versions 2.0.1 through 2.0.4; version 2.0.5 is the patched release. Return addresses are version-specific and hardcoded per DLL build; using the wrong target offset will crash the service without code execution.
  • The download-and-execute shellcode variant (exploit 22834) crashes the server after execution; an attacker would need to restart the WebAdmin service to restore access.
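
The request-matching rule from the first two detection notes, as an added Python example (not code from the CVE sources or the vendor): it flags POSTs to /WebAdmin.DLL whose raw, undecoded User= field exceeds 168 bytes. The function names, the host name mail.example and the sample requests are constructed for illustration.

```python
USER_LIMIT = 168                 # bytes before the return address, per the notes above
TARGET_PATH = b"/webadmin.dll"   # compared case-insensitively
FORM_TYPE = b"application/x-www-form-urlencoded"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body

def user_field_length(body: bytes):
    """Longest raw (undecoded) User= value in the form body, or None."""
    lengths = [len(value) for name, sep, value in
               (pair.partition(b"=") for pair in body.split(b"&"))
               if sep and name.lower() == b"user"]
    return max(lengths) if lengths else None

def check_request(raw: bytes):
    """Return an alert string for an oversized User= logon POST, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers, body = parsed
    if method != b"POST" or target.partition(b"?")[0].lower() != TARGET_PATH:
        return None
    if not headers.get(b"content-type", b"").lower().startswith(FORM_TYPE):
        return None
    length = user_field_length(body)
    if length is not None and length > USER_LIMIT:
        return f"CVE-2003-0471 candidate: User= is {length} bytes (> {USER_LIMIT})"
    return None

def build(user: bytes) -> bytes:
    """Constructed sample logon request; filler bytes only, no payload."""
    body = b"User=" + user + b"&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In"
    return (b"POST /WebAdmin.DLL?View=Logon HTTP/1.1\r\nHost: mail.example:1000\r\n"
            b"Content-Type: " + FORM_TYPE + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    for sample in (build(b"postmaster"), build(b"A" * 400)):
        print(check_request(sample) or "ok")
```

The length is taken before URL-decoding because the page's bad-character list includes `%` and `+`, so an overflow string for this bug arrives as raw bytes rather than percent-encoded.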