CVE-2011-2960
published 2011-07-29

Priority P260 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.57% (96.8th percentile)
Heap-based buffer overflow in httpsvr.exe 6.0.5.3 in Sunway ForceControl 6.1 SP1, SP2, and SP3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted URL.

Affected

1 range

Vendor      Product       Version range   Fixed in
sunwayland  forcecontrol

Detection & IOCs (extracted from sources)

filename: httpsvr.exe
command: GET /<1599 x 'H'><SEH chain><NOP sled><shellcode><NOP padding> HTTP/1.1
bytes: \xeb\x06\x90\x90
bytes: 0x719737FA
  • Detect oversized GET request URLs targeting httpsvr.exe on port 80; the exploit sends a GET request with a URL payload of ~4058+ bytes (1599 'H' chars + SEH overwrite + shellcode).
  • Alert on HTTP GET requests where the URI length exceeds 1599 bytes directed at Sunway ForceControl httpsvr.exe (port 80); this is the minimum buffer size before the SEH overwrite begins.
  • Look for the SEH overwrite gadget address 0x719737FA (pop/pop/ret) within the raw TCP stream of HTTP requests to port 80 as a high-confidence exploit indicator.
  • The exploit uses a short JMP-over stub (\xeb\x06\x90\x90) immediately before the SEH handler address; detect this 4-byte sequence in HTTP URI payloads.
  • The exploit targets httpsvr.exe version 6.0.5.3 specifically within Sunway ForceControl 6.1 SP1, SP2, and SP3; the SEH gadget address 0x719737FA is version/build-specific and may not apply to other builds.
  • The exploit hardcodes port 80 for the HTTP server; verify the actual listening port of httpsvr.exe in the target environment as it may differ.
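
The checks listed above, combined into one function that inspects a raw HTTP request. This is an added example, not code from the page's sources; the function name, the severity labels, the sample requests and the little-endian byte order of the gadget address are assumptions.

```python
import struct

URI_LIMIT = 1599                        # filler length before the SEH overwrite (from the page)
JMP_STUB = b"\xeb\x06\x90\x90"          # short-jump stub listed on the page
GADGET = struct.pack("<I", 0x719737FA)  # assumption: address is little-endian on the wire (x86)

def inspect_request(raw: bytes) -> dict:
    """Check one raw HTTP request (bytes as captured) against the page's indicators."""
    line = raw.split(b"\r\n", 1)[0]
    method, _, rest = line.partition(b" ")
    # The URI may carry arbitrary bytes, so take the version token from the right.
    uri, sep, version = rest.rpartition(b" ")
    if not sep or not version.startswith(b"HTTP/"):
        uri = rest                      # malformed request line: treat the remainder as the URI
    hits = []
    if method == b"GET" and len(uri) > URI_LIMIT:
        hits.append("uri_too_long")
    if JMP_STUB in uri:
        hits.append("jmp_stub")
    if GADGET in raw:
        hits.append("seh_gadget")
    if JMP_STUB + GADGET in raw:
        hits.append("stub_then_gadget")  # stub immediately before the handler address
    severity = "high" if "stub_then_gadget" in hits else ("medium" if hits else "none")
    return {"uri_len": len(uri), "hits": hits, "severity": severity}

# Constructed samples (not captured traffic); MARKED carries only filler and the two markers.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: hmi.example\r\n\r\n"
LONG = b"GET /" + b"a" * 2000 + b" HTTP/1.1\r\nHost: hmi.example\r\n\r\n"
MARKED = b"GET /" + b"H" * 1599 + JMP_STUB + GADGET + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("long", LONG), ("marked", MARKED)):
        print(name, inspect_request(req))
```

A long URI on its own is scored lower than the stub-plus-gadget sequence because the gadget address is build-specific, while the length check applies regardless of build.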

CVSS provenance

nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 7.8 HIGH