CVE-2006-1148
published 2006-03-10


Priority: P2 (60)
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 72.50% (99.4th percentile)
Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp.

Affected (3 ranges)

Vendor     Product    Version range   Fixed in
peercast   peercast   <= 0.1215       (not listed)
peercast   peercast   (not listed)    (not listed)
peercast   peercast   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Port: 7144 (TCP)
URL: /stream/?
Command: GET /stream/?<780-byte alphanumeric payload + ret addr + shellcode> HTTP/1.0
Return addresses hardcoded in the exploits: 0x080922f7 (a Linux i386 ELF text-segment address), 0x75023360, 0x77d099e3, 0x77dbfa2c, 0x77dc12b8 (Windows system DLL ranges)
Bad chars: \x00\x0a\x0d\x20\x0d\x2f\x3d\x3b (as listed in the source, with 0x0d repeated; the set is NUL, LF, CR, space, '/', '=', ';')
  • Detect exploit attempts by monitoring HTTP GET requests to the /stream/? path on TCP port 7144 with abnormally long query strings (more than 780 bytes). The overflow is triggered by a long parameter name or value in the query string passed to nextCGIarg in servhs.cpp, so any /stream/? query string exceeding PeerCast's normal length bounds warrants an alert.
  • The Linux exploit pads 780 bytes of alphanumeric data before the return address; the Windows exploit uses a 1024-byte buffer with the return address at offset 768 and a JMP instruction at offset 812. Use these offsets for signature tuning, but key the rule on query length rather than on exact offsets, since padding length is trivial for an attacker to change.
  • The Windows exploit places a relative JMP (opcode 0xe9) at offset 812 of the overflow buffer to redirect execution. A single 0xe9 byte is a weak signature on its own; treat it as a confirming indicator in an oversized /stream/? request, together with raw non-ASCII bytes in the query string (a legitimate URL is ASCII, whereas the published exploits send the return address and shellcode as raw bytes, avoiding only the bad characters listed above).
  • The exploit uses HTTP/1.0 with no additional headers; a bare 'GET /stream/?<long_string> HTTP/1.0\r\n\r\n' with no Host header on port 7144 is a strong indicator of exploitation.
  • The Linux exploit has only 200 bytes of payload space and requires at least 64 NOPs, leaving very limited room for shellcode; complex payloads may not fit.
  • The Windows exploit has more payload space (400 bytes) but requires a stack adjustment of -3500 bytes, and the return address differs by target: the Win2000, Win2003 and XP service-pack variants each use a different hardcoded return address.
  • The vulnerability affects PeerCast versions up to and including 0.1216; version 0.1217 contains the fix. The published Metasploit target only includes a return address for the v0.1212 binary on Linux, so reliability against other minor versions may vary.
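The indicators above, turned into a runnable check. This is an added example, not code from the CVE entry's sources or from the Metasploit module: it parses a raw HTTP request, scores it against the page's indicators (GET to /stream/? on port 7144, query string longer than 780 bytes, bare HTTP/1.0 with no Host header, raw non-ASCII bytes in the query, 0xe9 near offset 812) and runs on constructed sample requests. The port, path, 780-byte threshold and offset 812 come from the page; JMP_WINDOW, ALERT_SCORE, the scoring weights and the sample requests are assumptions made for this example, and the samples carry placeholder bytes rather than a real return address or shellcode.

```python
"""Heuristic detector for CVE-2006-1148 exploitation attempts against PeerCast.

Added example, not code from the CVE entry's sources or from the Metasploit
module. JMP_WINDOW, ALERT_SCORE and the score weights are assumptions chosen
for this example; the sample requests below are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import Optional

PEERCAST_PORT = 7144
STREAM_PATH = b"/stream/"
LENGTH_THRESHOLD = 780   # Linux exploit pads 780 bytes before the return address
WIN_JMP_OFFSET = 812     # Windows exploit places the JMP here
JMP_WINDOW = 8           # assumption: slack around offset 812 for small layout changes
JMP_REL32 = 0xE9         # x86 opcode for a relative 32-bit JMP
ALERT_SCORE = 3          # assumption: total score at which a request is flagged


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes) -> Optional[tuple]:
    """Split a raw HTTP request into (method, target, version, headers).

    Returns None when the request line is not three space-separated tokens.
    Header names are lower-cased; values are stripped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def inspect_request(raw: bytes, dst_port: int) -> Verdict:
    """Score one request against the CVE-2006-1148 indicators."""
    verdict = Verdict(False, 0)
    parsed = parse_request(raw)
    if parsed is None:
        return verdict
    method, target, version, headers = parsed
    path, sep, query = target.partition(b"?")
    # Only GET /stream/?... on the PeerCast port reaches the vulnerable CGI-arg parser.
    if dst_port != PEERCAST_PORT or method != b"GET" or path != STREAM_PATH or not sep:
        return verdict

    if len(query) > LENGTH_THRESHOLD:
        verdict.score += 3
        verdict.reasons.append(f"query string is {len(query)} bytes (> {LENGTH_THRESHOLD})")

    if version == b"HTTP/1.0" and b"host" not in headers:
        verdict.score += 1
        verdict.reasons.append("bare HTTP/1.0 request with no Host header")

    # A URL is ASCII; the published exploits send the return address and
    # shellcode as raw bytes, avoiding only the listed bad characters.
    raw_bytes = sum(1 for b in query if b < 0x21 or b > 0x7E)
    if raw_bytes:
        verdict.score += 2
        verdict.reasons.append(f"{raw_bytes} non-printable/non-ASCII bytes in query string")

    lo, hi = WIN_JMP_OFFSET - JMP_WINDOW, WIN_JMP_OFFSET + JMP_WINDOW + 1
    if len(query) > WIN_JMP_OFFSET and JMP_REL32 in query[lo:hi]:
        verdict.score += 2
        verdict.reasons.append(f"0xE9 (JMP rel32) within {JMP_WINDOW} bytes of offset {WIN_JMP_OFFSET}")

    verdict.suspicious = verdict.score >= ALERT_SCORE
    return verdict


# --- constructed sample traffic (not captured; placeholder slots, no real shellcode) ---
BENIGN = b"GET /stream/?id=abc123&pcp=1 HTTP/1.0\r\nHost: relay.example:7144\r\n\r\n"

# Linux-style layout from the page: 780 bytes of filler, a 4-byte return-address
# slot ("RRRR" placeholder), at least 64 NOPs, then shellcode (0xCC placeholders).
LINUX_STYLE = (b"GET /stream/?" + b"A" * 780 + b"RRRR" + b"\x90" * 64 + b"\xcc" * 100
               + b" HTTP/1.0\r\n\r\n")

# Windows-style layout: 1024-byte buffer, return-address slot at 768, JMP rel32 at 812.
_win = bytearray(b"B" * 1024)
_win[768:772] = b"RRRR"
_win[812:817] = bytes([JMP_REL32]) + b"\xfb\xfc\xff\xff"  # illustrative rel32 only
WINDOWS_STYLE = b"GET /stream/?" + bytes(_win) + b" HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    samples = [("benign", BENIGN, 7144), ("linux-style", LINUX_STYLE, 7144),
               ("windows-style", WINDOWS_STYLE, 7144), ("wrong port", LINUX_STYLE, 8080)]
    for name, req, port in samples:
        v = inspect_request(req, port)
        print(f"{name:14s} suspicious={v.suspicious} score={v.score} {'; '.join(v.reasons)}")
```

The length and raw-byte checks carry the weight; the Host-header and 0xe9 checks only raise confidence, which keeps the rule useful against a payload whose padding or JMP offset has been shifted away from the published values.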