CVE-2008-0871
Published 2008-02-21
Priority P3 · 54 · medium · CVSS 2.0 base score 6.8 · vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit available · EPSS 32.79% (98.1th percentile)
Multiple stack-based buffer overflows in Now SMS/MMS Gateway 2007.06.27 and earlier allow remote attackers to execute arbitrary code via a (1) long password in an Authorization header to the HTTP service or a (2) large packet to the SMPP service.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| now | sms_mms_gateway | <= 2007.06.27 | — |
Detection & IOCs (extracted from sources)
Bytes (egghunter stub carrying the DFXP tag): `\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x46\x58\x50\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7`
- Detect exploitation attempts by monitoring HTTP requests to port 8800 that carry an oversized `Authorization: Basic` header (more than 129 bytes once base64-decoded) destined for Now SMS/MMS Gateway.
- The exploit sends a long password in an Authorization header to the HTTP service; flag HTTP GET requests to port 8800 whose `Authorization: Basic` value decodes to something far longer than a normal credential.
- The exploit also targets the SMPP service with a large packet; monitor for anomalously large SMPP packets sent to the gateway.
- The return address 0x10002f9d (a CALL ESP in SMSHMAC.DLL) appears in the payload; scan network captures for the little-endian 4-byte sequence `\x9d\x2f\x00\x10` inside HTTP Authorization header payloads on port 8800.
- The egghunter tag bytes 0x44465850 ('DFXP') are placed in the User-Agent header and used as the egg marker; detect this pattern in HTTP User-Agent headers on port 8800.
- Bad characters for the payload include null bytes and common HTTP special characters, so the payload is base64-encoded inside the Authorization header to avoid them; decode the header before matching rather than searching the raw bytes.
- The Metasploit module targets Now SMS/MMS Gateway v2007.06.27 specifically; the Exploit-DB PoC also lists v5.5 and a 'universal' target using the same RET address (0x10002f9d), while a different RET (0x0027727c) is used for v5.5.
- The exploit was tested on Windows 2000 Server; behaviour on other Windows versions may differ.
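The HTTP-side heuristics listed above, as an added detection example (not taken from any of the page's sources): the checker parses a raw request, base64-decodes the `Authorization: Basic` value and flags the oversized credential, the 0x10002f9d return-address bytes and the DFXP egg tag. Port, length threshold and marker bytes come from the notes above; the two sample requests are constructed test fixtures.

```python
import base64
from typing import Dict, List

# Thresholds and markers from the detection notes for CVE-2008-0871.
GATEWAY_HTTP_PORT = 8800
MAX_DECODED_CREDENTIAL_LEN = 129          # decoded Basic credential longer than this is oversized
RET_ADDRESS_BYTES = b"\x9d\x2f\x00\x10"   # 0x10002f9d (CALL ESP in SMSHMAC.DLL), little-endian
EGG_TAG = b"DFXP"                         # egghunter tag 0x44465850

def parse_headers(raw_request: bytes) -> Dict[bytes, bytes]:
    """Split a raw HTTP/1.x request head into a dict keyed by lowercased header name."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_basic_credential(auth_value: bytes) -> bytes:
    """Return the decoded credential of an 'Authorization: Basic' value; b'' if not Basic or undecodable."""
    if not auth_value.lower().startswith(b"basic "):
        return b""
    try:
        return base64.b64decode(auth_value[6:].strip())
    except ValueError:                            # binascii.Error is a ValueError subclass
        return b""

def inspect_request(raw_request: bytes, dst_port: int) -> List[str]:
    """Apply the three HTTP indicators to one request bound for the gateway port."""
    findings: List[str] = []
    if dst_port != GATEWAY_HTTP_PORT:
        return findings
    headers = parse_headers(raw_request)
    cred = decode_basic_credential(headers.get(b"authorization", b""))
    if len(cred) > MAX_DECODED_CREDENTIAL_LEN:
        findings.append(f"oversized_basic_auth:{len(cred)}")
    if RET_ADDRESS_BYTES in cred:                 # match on decoded bytes, the header itself is base64
        findings.append("ret_address_0x10002f9d_in_auth")
    if EGG_TAG in headers.get(b"user-agent", b""):
        findings.append("egghunter_tag_DFXP_in_user_agent")
    return findings

# Constructed sample traffic (not captured data): one ordinary login, one with all three indicators.
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\nHost: gw\r\nUser-Agent: Mozilla/5.0\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
_cred = b"A" * 150 + RET_ADDRESS_BYTES + b"B" * 40   # 194 bytes of filler around the marker
SUSPICIOUS_REQUEST = (b"GET / HTTP/1.1\r\nHost: gw\r\nUser-Agent: " + EGG_TAG * 2 + b"\r\n"
                      b"Authorization: Basic " + base64.b64encode(_cred) + b"\r\n\r\n")
```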
No detection rules found.
Exploit-DB: Now SMS/Mms Gateway - Remote Buffer Overflow (Metasploit), 2010-05-09
---
```ruby
##
# $Id: nowsms.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Now SMS/MMS Gateway Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.
					By sending a specially crafted GET request, an attacker may be able to execute
					arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2008-0871' ],
					[ 'OSVDB', '42953'],
```
Exploit-DB: Now SMS/Mms Gateway 5.5 - Remote Buffer Overflow, 2008-05-29
---
```c
/* Dreatica-FXP crew
 *
 * ----------------------------------------
 * Target : Now SMS/MMS Gateway v5.5 and others
 * ----------------------------------------
 * Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit
 * Exploit date : 14.04.2008
 * Exploit writer : Heretic2 ([email protected])
 * OS : Windows ALL
 * Tested : Windows 2000 Server
 * Crew : Dreatica-FXP
 * Location : http://www.milw0rm.com/
 * ----------------------------------------
 * Info : We obtain EIP after sending a long Authenticate request to server
 * Egghunter help here.
 * ----------------------------------------
 * Thanks to:
 * 1. Luigi Auriemma ( http://aluigi.org )
 * 2. The Metasploit project ( http://metasploit.com )
 * 3. ALPHA 2: Zero-tolerance ( )
 * 4. D
```
Metasploit: Now SMS/MMS Gateway Buffer Overflow
This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://aluigi.altervista.org/adv/nowsmsz-adv.txt
- http://secunia.com/advisories/29003
- http://www.securityfocus.com/archive/1/488365/100/100/threaded
- http://www.securityfocus.com/bid/27896
- http://www.vupen.com/english/advisories/2008/0615
- https://www.exploit-db.com/exploits/5695