cbcvebase.
CVE-2006-2926
published 2006-06-09

CVE-2006-2926: Stack-based buffer overflow in the WWW Proxy Server of Qbik WinGate 6.1.1.1077 allows remote attackers to cause a denial of service and possibly execute…

PriorityP358high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
70.91%
99.3th percentile
Stack-based buffer overflow in the WWW Proxy Server of Qbik WinGate 6.1.1.1077 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL HTTP request.

Affected

1 ranges
VendorProductVersion rangeFixed in
qbikwingate

Detection & IOCsextracted from sources · hover to see the quote

commandPOST http://<overflow_buffer>/ HTTP/1.0
commandGET /
other0x01991932
other0x014f9e4b
bytes
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36
  • Fingerprint vulnerable WinGate instances by checking the Server banner in HTTP responses for the specific build string.
  • Detect exploitation attempts by monitoring for anomalously long URLs in HTTP POST requests directed at the proxy service on port 80.
  • The exploit payload uses AlphanumMixed encoding; look for large alphanumeric-only POST request bodies (~3000 bytes) to the proxy on port 80.
  • The PoC exploit sends a POST request with ~2000+ bytes of padding followed by shellcode in the URL field; detect oversized HTTP POST URLs exceeding normal thresholds.
  • The bind-shell shellcode in the PoC opens LPORT 4444; monitor for unexpected outbound/inbound connections on TCP/4444 from the WinGate proxy process.
  • ·The Metasploit return address (0x01991932 / call esi) is specific to WinGate 6.1.1.1077 only; the PoC return address (0x014f9e4b / JMP ESI) targets Win2k SP4 German specifically — detections based on these values will not generalise to other OS/build combinations.
  • ·The exploit payload space is limited to 1000 bytes and bad characters include null bytes, whitespace, and several URL-special characters, meaning real-world payloads must be alphanumeric-encoded.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.