CVE-2012-6275
published 2013-02-24


Priority: P2 (69)
Severity: critical
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 46.50% (98.7th percentile)
Multiple stack-based buffer overflows in AntDS.exe in BigAntSoft BigAnt IM Message Server allow remote attackers to have an unspecified impact via (1) the filename header in an SCH request or (2) the userid component in a DUPF request.

Detection & IOCs (extracted from sources)

port: 6661
filename: AntDS.exe
command: SCH 16\ncmdid: 1\ncontent-length: 0\ncontent-type: Appliction/Download\nfilename: <filename>.txt\n...\nusername: <payload>
command: DUPF 16\ncmdid: 1\ncontent-type: Appliction/Download\n...
bytes: \x81\xc4\x54\xf2\xff\xff
  • Monitor TCP port 6661 for SCH and DUPF protocol requests containing oversized 'username' fields, which is the exploit delivery vector for this buffer overflow.
  • Detect SCH requests where the 'username' header value exceeds 629 bytes, as this is the overflow offset used to overwrite the return address.
  • Flag presence of stack-adjustment shellcode prepend bytes 0x81 0xC4 0x54 0xF2 0xFF 0xFF (add esp, -3500) in payloads on port 6661.
  • Null bytes and specific characters are avoided in payloads; filter for long alpha-numeric strings in SCH 'username' fields on port 6661 as a heuristic for exploit attempts.
  • The exploit targets the AntDS.exe process; monitor this process for abnormal child process spawning or shellcode execution following receipt of SCH/DUPF requests.
  • Exploit has only been validated against BigAnt Server 2.97 SP7 on Windows XP SP3 and Windows 2003 SP2; ROP gadget addresses are OS/version-specific and will differ on other targets.
  • Return addresses and ROP gadgets are hardcoded to msvcrt.dll offsets for the specific SP levels listed; detections relying on these addresses will not generalize across patch levels.
  • Payload space is limited to 2500 bytes; staged payloads or large shellcode may not function correctly within this constraint.
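The detection points above, turned into a small request inspector as an added example (not code from the source or from BigAntSoft). It assumes the request layout shown in the IOCs (a `CMD <n>` line followed by `key: value` lines separated by `\n`), applies the 629-byte offset to the `filename` and `userid` headers as well as `username` (an assumption; the page gives the offset only for `username`), and uses a constructed 200-character run as the "long alphanumeric string" heuristic threshold.

```python
import re

# Headers the advisory names as overflow vectors / exploit delivery fields.
OVERSIZED_HEADERS = ("username", "filename", "userid")
USERNAME_OVERFLOW_OFFSET = 629               # from the page: return address overwritten past 629 bytes
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"   # page IOC: add esp, -3500
WATCHED_COMMANDS = ("SCH", "DUPF")
LONG_ALNUM = re.compile(rb"[A-Za-z0-9]{200,}")  # heuristic threshold is an assumption

def parse_request(raw: bytes):
    """Split a BigAnt-style request into (command, {header: value}).
    Layout assumed from the page: 'CMD <n>\\n' then 'key: value\\n' lines."""
    lines = raw.split(b"\n")
    command = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("ascii", "replace")] = value.strip()
    return command, headers

def inspect_request(raw: bytes) -> list:
    """Return the list of detection reasons for one request (empty when clean)."""
    findings = []
    command, headers = parse_request(raw)
    if command not in WATCHED_COMMANDS:
        return findings
    for name in OVERSIZED_HEADERS:
        value = headers.get(name, b"")
        if len(value) > USERNAME_OVERFLOW_OFFSET:
            findings.append(f"{command}: '{name}' is {len(value)} bytes (> {USERNAME_OVERFLOW_OFFSET})")
    if STACK_ADJUST in raw:
        findings.append(f"{command}: stack-adjust bytes 81 C4 54 F2 FF FF (add esp, -3500) present")
    if LONG_ALNUM.search(headers.get("username", b"")):
        findings.append(f"{command}: long alphanumeric run in 'username'")
    return findings

# Constructed sample traffic (not captures from the source).
BENIGN = (b"SCH 16\ncmdid: 1\ncontent-length: 0\ncontent-type: Appliction/Download\n"
          b"filename: notes.txt\nusername: alice\n")
SUSPICIOUS = (b"SCH 16\ncmdid: 1\ncontent-length: 0\ncontent-type: Appliction/Download\n"
              b"filename: notes.txt\nusername: " + b"A" * 700 + STACK_ADJUST + b"\n")

if __name__ == "__main__":
    for sample in (BENIGN, SUSPICIOUS):
        print(inspect_request(sample) or ["clean"])
```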