CVE-2004-2086
Published 2004-02-06
Priority P348 · CVSS 2.0 score 5 (medium) · vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit available · EPSS 73.60% (99.4th percentile)
Stack-based buffer overflow in results.stm for Sambar Server before the 6.0 production release allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a long query parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sambar | sambar_server | — | — |
Detection & IOCs (extracted from sources)
BadChars (bytes): \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c
- Detect exploit attempts by matching HTTP POST requests to the path /search/results.stm with an oversized 'query' parameter in the POST body.
- Fingerprint Sambar Server presence by checking the HTTP response for a 'Server: SAMBAR' banner header before exploitation.
- The POST body of the exploit contains the fixed pattern 'spage=0&indexname=docs&query=' followed by a large overflow buffer; alert on POST bodies to results.stm containing this parameter combination with abnormally large query values.
- The exploit shellcode stub begins with \xfc followed by a packed return address; look for this byte pattern in POST body payloads targeting Sambar.
- The exploit unconditionally crashes the Sambar service regardless of whether the correct target platform is selected; do not test against production systems.
- Return addresses (Ret/jmpESP) are hardcoded per OS version (Windows 2000 vs XP SP0); detections based on these values are platform-specific and may not cover all variants.
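One way to implement the POST-body check described above, written here as an added example (it is not code from any of the sources indexed on this page): it parses a raw HTTP request, and for POSTs to /search/results.stm flags an oversized or non-printable 'query' value and notes when the parameter layout matches the public PoC. The 256-byte threshold and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed threshold (not from the advisory): a legitimate search term in
# results.stm is short, so a 'query' value longer than this is treated as
# an overflow attempt.
MAX_QUERY_LEN = 256
# Fixed parameter prefix the public PoC sends (from the indicator list above).
POC_PREFIX = b"spage=0&indexname=docs&query="

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method.decode("latin-1"), target.decode("latin-1"), headers, body

def check_results_stm(raw: bytes) -> dict:
    """Return {'alert': bool, 'reasons': [...]} for one request."""
    method, target, _headers, body = parse_request(raw)
    verdict = {"alert": False, "reasons": []}
    if method != "POST" or not urlsplit(target).path.lower().endswith("/search/results.stm"):
        return verdict
    # latin-1 keeps a 1:1 byte/char mapping, so lengths reflect the raw body.
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    query = max(params.get("query", [""]), key=len)
    if len(query) > MAX_QUERY_LEN:
        verdict["alert"] = True
        verdict["reasons"].append(f"query length {len(query)} exceeds {MAX_QUERY_LEN}")
    if body.startswith(POC_PREFIX) and len(query) > MAX_QUERY_LEN:
        verdict["reasons"].append("parameter layout matches public PoC")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in query):
        verdict["alert"] = True
        verdict["reasons"].append("query contains non-printable bytes")
    return verdict

# Constructed sample traffic (not captured data).
BENIGN = (b"POST /search/results.stm HTTP/1.1\r\nHost: intranet\r\n\r\n"
          b"spage=0&indexname=docs&query=sambar+manual")
SUSPECT = (b"POST /search/results.stm HTTP/1.1\r\nHost: intranet\r\n\r\n"
           b"spage=0&indexname=docs&query=" + b"A" * 2000 + b"\xfc\x90\x90")
```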
No detection rules found.
Exploit-DB · 2010-02-13
Sambar Server 6 - Search Results Buffer Overflow (Metasploit)
---
##
# $Id: sambar6_search_results.rb 8480 2010-02-13 20:15:19Z patrickw $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Sambar 6 Search Results Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow found in the
/search/results.stm application that comes with Sambar 6.
This code is a direct port of Andrew Griffiths's SMUDGE
exploit, the only changes made were to the nops and payload.
This exploit causes the service to die, whether you provided
the cor
Exploit-DB · 2004-02-09
Sambar Server 6.0 - 'results.stm' POST Buffer Overflow
---
source: https://www.securityfocus.com/bid/9607/info
A buffer overflow vulnerability has been reported in the Sambar web server. The issue is due to a boundary condition error in the POST data processing of the affected software.
Immediate consequences of an attack may result in a denial of service condition. It may also be possible for the attacker to manipulate process memory and execute arbitrary code in the context of the vulnerable process.
# http://felinemenace.org/~nd/SMUDGE
# Sambar script (c) [email protected]
from SMUDGE import *
import sys
sm = SMUDGE(1)
sm.setname("SambarOverflow")
sm.plain("POST /search/results.stm HTTP/1.1")
sm.addcrlf()
sm.plain("Host: MSUDGEDPU")
sm.addcrlf()
sm.plain("Content-Length: ")
sm.
Metasploit
Sambar 6 Search Results Buffer Overflow
This module exploits a buffer overflow found in the /search/results.stm application that comes with Sambar 6. This code is a direct port of Andrew Griffiths's SMUDGE exploit, the only changes made were to the nops and payload. This exploit causes the service to die, whether you provided the correct target or not.
No writeups or analysis indexed.
References:
- http://securitytracker.com/id?1008979
- http://www.osvdb.org/5786
- http://www.sambar.com/security.htm
- http://www.securityfocus.com/archive/82/353087
- http://www.securityfocus.com/bid/9607
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15071