CVE-2006-1148
Published 2006-03-10
Priority: P2 (60) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 72.50% (99.4th percentile)
Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp.
Affected (3 ranges; only one carries version data)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peercast | peercast | <= 0.1215 | — |
Detection & IOCs (extracted from sources)
BadChars (bytes): \x00\x0a\x0d\x20\x0d\x2f\x3d\x3b
- Detect exploit attempts by monitoring for HTTP GET requests to the /stream/? path on port 7144 with abnormally long URL parameter strings (>780 bytes), indicative of stack overflow exploitation against PeerCast.
- The overflow is triggered via a long parameter name or value in the URL query string passed to nextCGIarg in servhs.cpp; alert on GET requests to PeerCast (port 7144) with query strings exceeding normal length bounds.
- The Linux exploit pads 780 bytes of alphanumeric data before the return address; the Windows exploit uses a 1024-byte buffer with the return address at offset 768 and a JMP instruction at offset 812. Use these offsets for signature tuning.
- The Windows exploit places a relative JMP (0xe9) at offset 812 within the overflow buffer to redirect execution; detect shellcode patterns containing 0xe9 near offset 812 in oversized /stream/? requests.
- The exploit uses HTTP/1.0 with no additional headers; a bare 'GET /stream/?<long_string> HTTP/1.0\r\n\r\n' with no Host header on port 7144 is a strong indicator of exploitation.
- The Linux exploit payload space is only 200 bytes with a minimum of 64 NOPs required, leaving very limited room for shellcode; complex payloads may not fit.
- The Windows exploit has a larger payload space (400 bytes) but requires a stack adjustment of -3500 bytes, and the return address offset differs by platform target (Win2000/2003/XP SP variants each use a different hardcoded return address).
- The vulnerability affects PeerCast versions up to and including 0.1216; version 0.1217 contains the fix. The published Metasploit target only includes a return address for the v0.1212 binary on Linux, so reliability against other minor versions may vary.
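A request-level detector built from the indicators listed above, as an added example that is not part of the original page or of any vendor tooling. The port (7144), path (/stream/?) and 780-byte threshold come from the notes above; the two sample requests are constructed.

```python
"""Heuristic detector for CVE-2006-1148 exploitation attempts against PeerCast.

Added example (not from the original page): scores a raw HTTP request seen on
the PeerCast port using the indicators above: a GET for /stream/? whose query
string exceeds ~780 bytes, an HTTP/1.0 request with no Host header, and a bare
request line carrying no further headers.
"""
from dataclasses import dataclass, field

PEERCAST_PORT = 7144
QUERY_LEN_THRESHOLD = 780  # Linux module pads 780 bytes before the return address


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)  # corroborating indicators
    query_len: int = 0


def analyze_request(raw: bytes, dst_port: int = PEERCAST_PORT) -> Verdict:
    """Return a Verdict for one raw HTTP request captured on the wire."""
    v = Verdict(suspicious=False)
    if dst_port != PEERCAST_PORT:
        return v
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        return v
    target, version = parts[1], parts[2]
    if not target.startswith(b"/stream/?"):
        return v
    v.query_len = len(target) - len(b"/stream/?")
    headers = {l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l}
    if v.query_len > QUERY_LEN_THRESHOLD:
        v.reasons.append(f"query string {v.query_len} bytes > {QUERY_LEN_THRESHOLD}")
    if version == b"HTTP/1.0" and b"host" not in headers:
        v.reasons.append("HTTP/1.0 request without Host header")
    if len(lines) == 1:
        v.reasons.append("bare request line with no headers")
    # The oversized query string is the primary indicator; the rest corroborate.
    v.suspicious = v.query_len > QUERY_LEN_THRESHOLD
    return v


# Constructed samples: a benign stream request and an oversized one shaped like the PoC.
BENIGN = b"GET /stream/?channel=ABC123 HTTP/1.1\r\nHost: peercast.example\r\n\r\n"
OVERSIZED = b"GET /stream/?" + b"A" * 900 + b" HTTP/1.0\r\n\r\n"
```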
No detection rules found.
Exploit-DB: PeerCast 0.1216 (Linux) - URL Handling Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2006-1148

```ruby
##
# $Id: peercast_url.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PeerCast %q{
This module exploits a stack buffer overflow in PeerCast [ 'MC' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
['CVE', '2006-1148'],
['OSVDB', '23777'],
['BID', '17040'],
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 200,
'BadChars' => "\x00\x0a\x0d\
```
Exploit-DB: PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2006-1148

```ruby
##
# $Id: peercast_url.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PeerCast %q{
This module exploits a stack buffer overflow in PeerCast [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
['CVE', '2006-1148'],
['OSVDB', '23777'],
['BID', '17040'],
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0
```
Exploit-DB: PeerCast 0.1216 - Remote Stack Overflow (Metasploit)
exploitdb · 2006-03-08 · CVE-2006-1148

```ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'PeerCast %q{
This module exploits a stack overflow in PeerCast [ 'MC' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2006-1148'],
['OSVDB', '23777'],
['BID', '17040'],
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 200,
'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
'MinNops' => 64,
},
'Platform' => 'linux',
'Arch' => ARCH
```
Metasploit: PeerCast URL Handling Buffer Overflow
This module exploits a stack buffer overflow in PeerCast <= v0.1216. The vulnerability is caused by a boundary error within the handling of URL parameters.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/19169
- http://secunia.com/advisories/19291
- http://security.gentoo.org/glsa/glsa-200603-17.xml
- http://www.infigo.hr/in_focus/INFIGO-2006-03-01
- http://www.osvdb.org/23777
- http://www.peercast.org/forum/viewtopic.php?t=3346
- http://www.securityfocus.com/archive/1/427160/100/0/threaded
- http://www.securityfocus.com/bid/17040
- http://www.vupen.com/english/advisories/2006/0900
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25113