cbcvebase.
CVE-2003-1192
published 2003-11-03

CVE-2003-1192: Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request.

Priority: P260, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 69.17% (99.3th percentile)

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| truenorth_software | ia_webmail_server | | |
| truenorth_software | ia_webmail_server | | |

Detection & IOCs (extracted from sources)

port: 8180
url: http://www.elitehaven.net/ncat.exe
path: c:\nc.exe
filename: iaregdll.dll
command: GET /<1036 'a' bytes><EBP><EIP><shellcode> HTTP/1.1
command: GET /<1036 'o' bytes>META<packed Ret><payload> (Metasploit exploit URI)
bytes: \x4c\xf8\x12 (EIP overwrite return address, offset 1040)
bytes: \x33\xBD\x02\x10 (JMP ESP in iaregdll.dll, EIP overwrite at offset 1036+4)
bytes: 0x1002bd33 (Metasploit Ret address for IA WebMail 3.x)

  • Flag HTTP GET requests to port 8180 where the URI length exceeds 1036 bytes, consistent with all known exploit variants
  • Presence of the literal string 'META' at offset 1036 in the GET URI is a Metasploit-specific exploit marker
  • Bad characters for payload encoding include null bytes and common HTTP special characters; presence of raw binary in GET URI path is anomalous
  • Shellcode in exploit variant (exploit-db 124) downloads a file from elitehaven.net; monitor for outbound connections to that domain or creation of c:\nc.exe
  • The exploit targets iaregdll.dll version 1.0.0.5 using a static JMP ESP gadget; presence of this DLL version on a web server is an indicator of a vulnerable target
  • The Metasploit module explicitly states it has not been tested against a live system; the return address (0x1002bd33) and buffer length (1036) may not be reliable across all patch levels
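
The request-level heuristics in the notes above (port 8180, URI longer than 1036 bytes, 'META' at offset 1036, raw binary in the path) can be applied to captured request lines as in this added example, which is not code from the sources this page cites. The function names, finding labels, and the choice to count the 'META' offset from the byte after the leading "/" are assumptions; the sample request lines are constructed.

```python
import string

WEBMAIL_PORT = 8180    # port listed in the page's IOCs
URI_THRESHOLD = 1036   # filler length shared by the known exploit variants
# Printable ASCII minus whitespace: bytes expected in a normal request URI.
URI_SAFE = frozenset(string.printable.encode()) - frozenset(b" \t\r\n\x0b\x0c")

def parse_request_line(line):
    """Return (method, uri) or None; tolerant of binary data inside the URI."""
    line = line.rstrip(b"\r\n")
    method, sep, rest = line.partition(b" ")
    if not sep:
        return None
    uri, sep, version = rest.rpartition(b" ")
    if not sep or not version.startswith(b"HTTP/"):
        uri = rest  # no HTTP version token: treat the remainder as the URI
    return method, uri

def inspect(dst_port, line):
    """Return the list of heuristics a request line trips (empty if none)."""
    parsed = parse_request_line(line)
    if dst_port != WEBMAIL_PORT or parsed is None or parsed[0] != b"GET":
        return []
    uri = parsed[1]
    # Assumption: the offset is counted from the byte after the leading "/".
    path = uri[1:] if uri.startswith(b"/") else uri
    findings = []
    if len(uri) > URI_THRESHOLD:
        findings.append("long-uri")
    if path[URI_THRESHOLD:URI_THRESHOLD + 4] == b"META":
        findings.append("meta-marker")
    if any(b not in URI_SAFE for b in uri):
        findings.append("binary-in-uri")
    return findings

# Constructed samples (placeholder bytes only, no real addresses or payloads).
SAMPLES = [
    (8180, b"GET /mail/inbox?id=42 HTTP/1.1\r\n"),
    (8180, b"GET /" + b"a" * 1036 + b"\xff\xfe\x01\x00 HTTP/1.1\r\n"),
    (8180, b"GET /" + b"o" * 1036 + b"META" + b"\xff" * 8 + b" HTTP/1.1\r\n"),
    (80, b"GET /" + b"a" * 2000 + b" HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for port, line in SAMPLES:
        print(port, len(line), inspect(port, line))
```

The "long-uri" rule alone will also fire on legitimate long query strings, so it is best treated as a triage signal that gains weight when combined with the other two findings.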