cbcvebase.
CVE-2006-5216
published 2006-10-10

CVE-2006-5216: Stack-based buffer overflow in Sergey Lyubka Simple HTTPD (shttpd) 1.34 allows remote attackers to execute arbitrary code via a long URI.

PriorityP259high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
63.33%
99.1th percentile
Stack-based buffer overflow in Sergey Lyubka Simple HTTPD (shttpd) 1.34 allows remote attackers to execute arbitrary code via a long URI.

Affected

1 ranges
VendorProductVersion rangeFixed in
sergey_lyubkasimple_httpd

Detection & IOCsextracted from sources · hover to see the quote

versionshttpd 1.34
commandpost /<URI-encoded 4000-byte payload> HTTP/1.0
commandPOST /$buff HTTP/1.1 HOST:$host
  • Detect oversized URI-encoded POST requests to port 80 targeting shttpd; the exploit sends a POST request with a ~4000-byte URI-encoded path beginning with 'post /' (lowercase) followed by a large alphanumeric+URI-encoded payload.
  • The overflow is triggered via a long URI in a POST request; the return address is overwritten at offset 8 within the 4000-byte pattern, and shellcode is placed at offset 103. Alert on POST requests with URI lengths exceeding normal bounds (e.g., >1000 bytes).
  • The original PoC exploit sends a POST request with a large buffer in the URI path and a minimal HOST header with no space after the colon (HOST:$host), which may be detectable as a malformed HTTP header.
  • ·The Metasploit module targets Windows platforms only (win); the exploit uses platform-specific hardcoded return addresses for each Windows OS/SP combination and will not work against non-Windows deployments of shttpd.
  • ·The original PoC was tested specifically on shttpd 1.34 running on Windows XP SP1 Hebrew; behavior on other locales or service pack levels may differ.
  • ·The exploit is described as 'Privileged => false', meaning the resulting shell runs with the privileges of the shttpd process, not necessarily SYSTEM.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.