CVE-2006-6853
published 2006-12-31

Priority: P3 · 53 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.01% (94.0th percentile)
Buffer overflow in Durian Web Application Server 3.02 freeware on Windows allows remote attackers to execute arbitrary code via a long string in a crafted packet to TCP port 4002.

Affected

1 range
Vendor | Product | Version range | Fixed in
mozilla | durian_web_application_server | |

Detection & IOCs (extracted from sources)

port: 4002/tcp
other: EIP=0x00f2e072
bytes:
\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53\xbb\x6d\x13\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xda\xcd\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20
  • Monitor for large crafted TCP packets sent to port 4002 targeting Durian Web Application Server 3.02; the exploit cycles through buffer sizes of 30, 70, 150, 330, 520, 700, 1400, and 2300 bytes using repeated byte patterns (0xaa, 0xa0, 0x41).
  • Detect shellcode containing WinExec (0x7c86136d) and ExitProcess (0x7c81cdda) addresses in TCP port 4002 payloads, indicative of exploitation of CVE-2006-6853 on Windows XP/2003 targets.
  • The DoS variant also targets TCP port 4002 with the same byte patterns and size array; repeated connections with oversized payloads to this port from a single source should be alerted on.
  • The RCE exploit uses two different EIP values depending on whether DEP is enabled or disabled on the target; defenders should note both return addresses when writing signatures.
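The indicators in the bullets above can be combined into a payload check. The following is an added example, not code from this page or its sources. It assumes that "repeated byte patterns" means runs of a single filler byte and that the two API addresses appear little-endian in the payload; the function names and the `MIN_RUN` and `threshold` values are hypothetical.

```python
import struct

PORT = 4002                                        # port from the advisory
FILL_BYTES = (0xAA, 0xA0, 0x41)                    # filler bytes listed above
PROBE_SIZES = (30, 70, 150, 330, 520, 700, 1400, 2300)
API_ADDRS = {"WinExec": 0x7C86136D, "ExitProcess": 0x7C81CDDA}
MIN_RUN = 24                                       # assumed minimum filler run length


def longest_fill_run(payload: bytes) -> int:
    """Length of the longest run of one repeated filler byte."""
    best = run = 0
    prev = None
    for b in payload:
        if b in FILL_BYTES:
            run = run + 1 if b == prev else 1
        else:
            run = 0
        prev = b
        best = max(best, run)
    return best


def inspect_payload(dst_port: int, payload: bytes) -> list:
    """Return the indicator names matched by one TCP payload."""
    if dst_port != PORT:
        return []
    hits = [f"addr:{name}" for name, addr in API_ADDRS.items()
            if struct.pack("<I", addr) in payload]
    if longest_fill_run(payload) >= MIN_RUN:
        hits.append("fill-run")
        if len(payload) in PROBE_SIZES:
            hits.append("probe-size")
    return hits


def sources_to_alert(events, threshold: int = 3) -> list:
    """events: (src_ip, dst_port, payload). Sources with >= threshold matching payloads."""
    counts = {}
    for src, port, payload in events:
        if inspect_payload(port, payload):
            counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)
```

The filler-run check alone can match benign traffic that pads with `A` characters, so it is best treated as a scoring signal and paired with the address or repeated-source checks.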