CVE-2009-4660
Published: 2010-03-03


Priority: P2 (75)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 62.12% (99.1th percentile)
Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.

Affected

1 range
Vendor      Product            Version range   Fixed in
bigantsoft  bigant_messenger   -               -

Detection & IOCs (extracted from sources)

port: 6660/TCP
process: AntServer.exe
port: 4444/TCP
command: GET <985 bytes junk><next_seh><seh><nops><shellcode>\r\n\r\n
  • Exploit triggers a stack-based SEH overwrite via an oversized HTTP GET request; the SEH record is overwritten at offset 989 bytes into the payload.
  • The exploit uses a short jump (\xeb\x06\x90\x90) as the next-SEH pointer to redirect execution into the NOP sled and shellcode.
  • The SEH overwrite address in exploit 9673 points to a pop/pop/ret gadget inside vbajet32.dll (0x0f9a196a).
  • The universal variant (exploit 9690) uses a pop/pop/ret gadget from MFC42.DLL (0x6bc420c3) for the SEH overwrite.
  • The shellcode payload is encoded with x86/alpha_mixed encoder with EXITFUNC=seh and opens a bind shell on TCP port 4444; detect anomalously large GET requests to port 6660 containing high-entropy alpha-mixed encoded data.
  • AntServer service does not restart after exploitation; a single successful exploit attempt permanently kills the service, which can serve as a post-exploitation indicator.
  • Exploit was tested specifically against Windows XP SP3 (exploit 9673) and Windows XP SP2 (exploit 9690); SEH gadget addresses (vbajet32.dll, MFC42.DLL) are OS/patch-level specific and may not apply to other environments.
  • The Metasploit module targets BigAnt Server version 2.52 via the USV command, which is a related but distinct attack surface from the GET-based overflow in version 2.50.
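The detection guidance above (anomalously large GET requests to 6660/TCP carrying alpha-mixed encoded data, plus the NOP run that precedes the payload) can be turned into a simple request scorer. The code below is an added example written for this record, not tooling from cvebase or BigAnt; the thresholds (512-byte target length, 4.5 bits/byte entropy, 90% alphanumeric ratio, an 8-byte NOP run) and the sample requests are constructed assumptions for illustration and should be tuned against real AntServer traffic.

```python
"""Heuristic scorer for oversized GET requests to BigAnt AntServer (6660/TCP).

Added example for CVE-2009-4660; thresholds and samples are constructed, not
taken from the record or from captured traffic.
"""
import math
import random
import string
from collections import Counter

ANTSERVER_PORT = 6660          # from the CVE description
MAX_TARGET_LEN = 512           # assumption: legitimate request targets are far shorter
MIN_ENTROPY = 4.5              # bits/byte; encoder output looks close to uniform
MIN_ALNUM_RATIO = 0.9          # alpha_mixed output is almost entirely [A-Za-z0-9]
TAIL_WINDOW = 512              # the encoded payload sits at the end of the request
NOP_RUN = b"\x90" * 8          # assumption: a NOP run this long suggests a sled

ALNUM_BYTES = frozenset((string.ascii_letters + string.digits).encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_request(dst_port: int, raw: bytes) -> dict:
    """Score one raw HTTP request and return the individual signals plus a verdict."""
    result = {"port_match": dst_port == ANTSERVER_PORT, "is_get": False,
              "target_len": 0, "alnum_ratio": 0.0, "entropy": 0.0,
              "nop_sled": False, "suspicious": False}
    if not result["port_match"]:
        return result
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return result
    target = parts[1]
    result["is_get"] = True
    result["target_len"] = len(target)
    result["alnum_ratio"] = sum(b in ALNUM_BYTES for b in target) / len(target) if target else 0.0
    # Entropy is measured over the tail so a long run of filler bytes at the
    # front of the target does not mask an encoded payload at the end.
    result["entropy"] = shannon_entropy(target[-TAIL_WINDOW:])
    result["nop_sled"] = NOP_RUN in raw
    oversized = result["target_len"] > MAX_TARGET_LEN
    encoded = (result["alnum_ratio"] >= MIN_ALNUM_RATIO
               and result["entropy"] >= MIN_ENTROPY)
    # Size is the primary signal; require one corroborating signal to cut noise.
    result["suspicious"] = oversized and (encoded or result["nop_sled"])
    return result


def _alnum_blob(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random alphanumeric filler standing in for encoded data."""
    rng = random.Random(seed)
    return "".join(rng.choices(string.ascii_letters + string.digits, k=n)).encode()


# Constructed samples (not captured traffic). The second mimics the shape the
# record describes: filler, two overwritten SEH slots (placeholder bytes, not
# real addresses), a NOP run, then alphanumeric encoded data.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: antserver\r\n\r\n"
OVERSIZED_WITH_SLED = (b"GET " + b"A" * 985 + b"\x01\x02\x03\x04" * 2
                       + b"\x90" * 16 + _alnum_blob(600, 1) + b"\r\n\r\n")
OVERSIZED_ENCODED = b"GET " + _alnum_blob(1600, 2) + b"\r\n\r\n"


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("sled", OVERSIZED_WITH_SLED),
                         ("encoded", OVERSIZED_ENCODED)]:
        verdict = analyze_request(ANTSERVER_PORT, sample)
        print(f"{name:8s} len={verdict['target_len']:5d} "
              f"entropy={verdict['entropy']:.2f} nop={verdict['nop_sled']} "
              f"suspicious={verdict['suspicious']}")
```

The scorer only looks at the request line, so it is cheap enough to run inline on a proxy or from a packet capture; the per-signal fields are returned so an alert can say which heuristic fired. The entropy tail window is the important design choice: a payload that starts with hundreds of identical filler bytes has low overall entropy, and measuring the whole target would miss it.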