CVE-2008-6898
published 2009-08-05

CVE-2008-6898: Buffer overflow in the XHTTP Module 4.1.0.0 in the ActiveX control for SaschArt SasCam Webcam Server 2.6.5 allows remote attackers to cause a denial of service…

Priority: P352 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.74% (98.1th percentile)
Buffer overflow in the XHTTP Module 4.1.0.0 in the ActiveX control for SaschArt SasCam Webcam Server 2.6.5 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long argument to the Get method and other unspecified methods.

Affected

1 range
Vendor | Product | Version range | Fixed in
saschart | sascam_webcam_server | |

Detection & IOCs (extracted from sources)

version: SasCam Webcam Server 2.6.5 / XHTTP Module 4.1.0.0
command: ActiveX Get() method with overly long argument
bytes: EIP return address: 0x77E37EEC (call esp, User32.dll)
bytes: SEH overwrite nseh: %eb%06%90%90 (short jump + NOPs)
bytes: SEH overwrite seh: 0x72D1204E (msacm32.drv)
bytes: Heap-spray return address: 0x0c0c0c0c
  • Detect exploitation attempts by monitoring for ActiveX Get() method calls with arguments exceeding 8293 bytes (buffer size used in PoC exploits).
  • Detect SEH-based exploitation variant using a buffer of 8349 'A' bytes followed by SEH overwrite pattern targeting msacm32.drv gadget at 0x72D1204E.
  • The ActiveX control is not marked safe for scripting; monitor for instantiation of the SasCam XHTTP ActiveX control (XHTTP Module 4.1.0.0) in browser processes.
  • Heap spray pattern using 0x0c0c0c0c as return address is characteristic of the Metasploit module for this CVE; look for this value in memory or network-delivered HTML.
  • Payload delivery is via a crafted HTML file; monitor for HTML files containing unescape() heap-spray patterns combined with ActiveX Get() method invocations.
  • The EIP overwrite ROP gadget (call esp in User32.dll at 0x77E37EEC) is specific to a particular Windows/DLL version and will not be reliable across different patch levels.
  • The SEH overwrite gadget (0x72D1204E in msacm32.drv) and the heap-spray return address (0x0c0c0c0c) are both tested only on Windows XP SP3 with IE 7; exploitation on other targets requires different offsets.
  • Payload space is limited to 1024 bytes with null bytes as bad characters; shellcode must be encoded accordingly.