CVE-2008-1914
published 2008-04-22


Priority: P2 70, critical
CVSS 2.0 base score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 73.72% (99.4th percentile)
Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080. NOTE: some of these details are obtained from third party information.

Affected (1 range)

Vendor: bigantsoft
Product: bigant_messenger
Version range: (not specified)
Fixed in: (not specified)

Detection & IOCs (extracted from sources)

port: 6080
port: 6660
process: AntServer.exe
command: GET <985 bytes junk><next_seh><seh><nops><shellcode>
port: 4444
bytes: \xeb\x06\x90\x90
bytes: \x6a\x19\x9a\x0f
bytes: \xc3\x20\xc4\x6b
  • Detect exploit attempts by monitoring for oversized GET requests (>950 bytes in URI) sent to TCP port 6080 targeting AntServer.exe
  • Detect exploit attempts by monitoring for oversized GET requests (~985 bytes junk + SEH overwrite) sent to TCP port 6660
  • SEH overwrite occurs at offset 989 in the GET request buffer; look for the short-jump NOP sled pattern \xeb\x06\x90\x90 at that offset
  • Payload uses AlphanumUpper encoder; look for all-uppercase alphanumeric shellcode following the SEH overwrite in GET requests to ports 6080/6660
  • The p/p/r gadget from VBAJET32.dll (0x0f9a196a) is used as the SEH handler address; flag connections where this value appears in the GET request body
  • The p/p/r gadget from MFC42.DLL (0x6bc420c3) is used as the SEH handler address in the universal exploit variant
  • Successful exploitation results in a bind shell on TCP port 4444 on the victim; monitor for unexpected listening services on that port after connections to 6080/6660
  • Two different default ports are used depending on the BigAnt version targeted: TCP 6080 for version 2.2 and TCP 6660 for version 2.50 SP1; detection rules must cover both ports
  • The CVE-2008-1914 reference is reused for the BigAnt 2.50 SP1 module, though it is noted as potentially incorrect ('It's not clear if these are correct - there was a fix for the v2.2 vuln back in Dec 2008')
  • Bad characters for payload encoding are \x00\x20\x0a\x0d (null, space, LF, CR); detection signatures based on raw shellcode bytes must account for alphanumeric encoding