CVE-2003-1247
published 2003-12-31


Priority: P3 (39, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 9.95% (95.0th percentile)
Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.

Affected (1 range)

Vendor: positive_software
Product: h-sphere
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /tmp/zz
path: /tmp/.webshell.txt
path: /tmp/rs
process: ./webshell
port: 10000
other: Content-Type: multipart/form-data boundary=<overflow>
other: Accept-Encoding: <shellcode NOP sled>
bytes: \x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68
bytes: \x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff
  • The remote exploit delivers shellcode via the HTTP Accept-Encoding header in a POST request to the webshell CGI path; detect oversized or binary-content Accept-Encoding headers in POST requests targeting webshell endpoints.
  • The overflow is triggered via a long Content-Type multipart boundary value; monitor for HTTP requests where the Content-Type multipart/form-data boundary parameter is abnormally long (>256 bytes).
  • Successful exploitation of the remote variant binds a root shell to TCP port 10000 on the victim; monitor for unexpected listening services on port 10000 following webshell CGI access.
  • The local exploit drops artefacts at /tmp/.webshell.txt, /tmp/zz, and /tmp/rs; alert on creation of these specific files, especially /tmp/rs with SUID bit set.
  • The local exploit requires the webshell binary to be SUID root; audit for SUID/SGID binaries named 'webshell' in web-accessible directories.
  • The exploit uses a bruteforce loop forking the webshell process repeatedly with varying EGG_SIZE (257–291) and RET_ADDR values; detect rapid repeated process spawning of the webshell binary from a single parent process.
  • The exploit sets environment variables CONTENT_LENGTH=261, REQUEST_METHOD=POST, and a large 'S=' NOP-sled variable; inspect CGI environment for anomalously large environment variable values, particularly 'S='.
  • The vulnerability was confirmed in H-Sphere 2.3 RC3 and WebShell 2.4; whether earlier versions are affected is unknown per the advisory.
  • The port-binding shellcode has the target port (10000 by default) embedded as a runtime-patched 2-byte value at offsets 33–34; the quoted 33-byte fragment ends with the pushw opcode (\x66\x68) that takes that immediate, so the port sits in network byte order directly after the bytes listed above. The bound port can be changed by the attacker at compile time, so a signature should match the prefix and read the port out rather than hard-code 10000.
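The network-side indicators above (oversized multipart boundary, binary Accept-Encoding carrying a NOP sled, the quoted shellcode bytes, and the attacker-chosen bind port at offsets 33–34) can be turned into a small request inspector. The following is an added example written for this page, not code from the advisory, the exploit or the vendor. It uses only the shellcode bytes listed above; the CGI path /cgi-bin/webshell, the 256-byte Accept-Encoding threshold and the sample requests are constructed assumptions.

```python
"""Network-side detection helpers for CVE-2003-1247 (H-Sphere WebShell overflows).

Added example, not code from the page, the exploit or the vendor. It checks raw
HTTP requests for the indicators the page lists and recovers the port the bind
shellcode will listen on from the two bytes patched in at offsets 33-34.
Assumptions: the CGI path /cgi-bin/webshell, the Accept-Encoding length
threshold, and the constructed sample requests below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOUNDARY_MAX = 256            # threshold stated on the page
ACCEPT_ENCODING_MAX = 256     # assumption: legitimate values are a few dozen bytes
PORT_OFFSET = 33              # bind shellcode: port immediate at offsets 33-34

# Shellcode fragments quoted on the page (Linux x86, int 0x80). BIND_SHELL_PREFIX is
# the 33 bytes ending in the pushw opcode (66 68) whose immediate is the port.
BIND_SHELL_PREFIX = bytes.fromhex(
    "31c031dbb017cd80b02ecd8031dbf7e3b066534353435389e14bcd8089c7526668")
EXEC_SH_SHELLCODE = bytes.fromhex(
    "31c031dbb017cd80eb1f5e89760831c088460789460cb00b"
    "89f38d4e088d560ccd8031db89d840cd80e8dcffffff")


@dataclass
class Finding:
    rule: str
    detail: str


def parse_request(raw: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes], bytes]:
    """Minimal HTTP/1.x splitter: header names lower-cased, values kept as raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.lstrip(b" \t")
    return method, path, headers, body


def multipart_boundary(content_type: bytes) -> Optional[bytes]:
    """Return the boundary parameter; tolerates the missing ';' seen in the page's IOC."""
    m = re.search(rb'boundary=("?)([^";\r\n]*)\1', content_type, re.IGNORECASE)
    return m.group(2) if m else None


def bind_shell_port(blob: bytes) -> Optional[int]:
    """If the bind-shell prefix is present, read the port patched in at offsets 33-34.
    pushw stores the immediate exactly as it will sit in sin_port (network byte order)."""
    idx = blob.find(BIND_SHELL_PREFIX)
    if idx == -1 or len(blob) < idx + PORT_OFFSET + 2:
        return None
    return int.from_bytes(blob[idx + PORT_OFFSET:idx + PORT_OFFSET + 2], "big")


def inspect_request(raw: bytes) -> List[Finding]:
    """Apply the page's network indicators to one request aimed at a webshell endpoint."""
    findings: List[Finding] = []
    method, path, headers, body = parse_request(raw)
    if method != b"POST" or b"webshell" not in path.lower():
        return findings
    ctype = headers.get(b"content-type", b"")
    if ctype.lower().startswith(b"multipart/form-data"):
        boundary = multipart_boundary(ctype)
        if boundary is not None and len(boundary) > BOUNDARY_MAX:
            findings.append(Finding("long-multipart-boundary", f"boundary is {len(boundary)} bytes"))
    accept = headers.get(b"accept-encoding", b"")
    nonprint = any(c < 0x20 or c > 0x7E for c in accept)
    if len(accept) > ACCEPT_ENCODING_MAX or nonprint:
        findings.append(Finding("binary-accept-encoding", f"{len(accept)} bytes, non-printable={nonprint}"))
    for where, blob in (("accept-encoding", accept), ("body", body)):
        port = bind_shell_port(blob)
        if port is not None:
            findings.append(Finding("bind-shellcode", f"in {where}, will listen on tcp/{port}"))
        if EXEC_SH_SHELLCODE in blob:
            findings.append(Finding("execve-shellcode", f"setuid(0)+execve stub in {where}"))
    return findings


def build_sample_request(port: int = 10000, boundary_len: int = 300, sled_len: int = 200) -> bytes:
    """Constructed request shaped like the page's description of the remote exploit.
    Only the 33 quoted prefix bytes plus the port are used; the rest of the real
    shellcode is not on the page and is not reproduced here. Path is an assumption."""
    shellcode = BIND_SHELL_PREFIX + port.to_bytes(2, "big")
    return (b"POST /cgi-bin/webshell HTTP/1.0\r\n"
            b"Host: target\r\n"
            b"Accept-Encoding: " + b"\x90" * sled_len + shellcode + b"\r\n"
            b"Content-Type: multipart/form-data boundary=" + b"A" * boundary_len + b"\r\n"
            b"Content-Length: 261\r\n\r\n" + b"B" * 261)


# Constructed benign upload to the same endpoint; should produce no findings.
BENIGN_REQUEST = (b"POST /cgi-bin/webshell HTTP/1.0\r\n"
                  b"Accept-Encoding: gzip, deflate\r\n"
                  b"Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for f in inspect_request(build_sample_request(port=4444)):
        print(f.rule, "-", f.detail)
```

Matching on the 33-byte prefix and then reading the port keeps the rule valid when the attacker recompiles with a different port; the recovered value is what to feed a listening-port watch on the host, rather than a fixed check for tcp/10000.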