CVE-2012-6275
Published: 2013-02-24
Priority: P2 (69, critical)
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 46.50% (98.7th percentile)

Multiple stack-based buffer overflows in AntDS.exe in BigAntSoft BigAnt IM Message Server allow remote attackers to have an unspecified impact via (1) the filename header in an SCH request or (2) the userid component in a DUPF request.
Detection & IOCs (extracted from sources)

Indicator (command): an SCH request carrying an oversized username field, of the form
SCH 16
cmdid: 1
content-length: 0
content-type: Appliction/Download
filename: <filename>.txt
...
username: <payload>

Indicator (bytes): \x81\xc4\x54\xf2\xff\xff

Detection guidance:
- Monitor TCP port 6661 for SCH and DUPF protocol requests containing oversized 'username' fields, which is the exploit delivery vector for this buffer overflow.
- Detect SCH requests where the 'username' header value exceeds 629 bytes, as this is the overflow offset used to overwrite the return address.
- Flag the presence of the stack-adjustment shellcode prefix bytes 0x81 0xC4 0x54 0xF2 0xFF 0xFF (add esp, -3500) in payloads on port 6661.
- Null bytes and certain other characters are avoided in payloads; filter for long alphanumeric strings in SCH 'username' fields on port 6661 as a heuristic for exploit attempts.
- The exploit targets the AntDS.exe process; monitor it for abnormal child-process spawning or shellcode execution following receipt of SCH/DUPF requests.

Caveats:
- The exploit has only been validated against BigAnt Server 2.97 SP7 on Windows XP SP3 and Windows 2003 SP2; ROP gadget addresses are OS/version-specific and will differ on other targets.
- Return addresses and ROP gadgets are hardcoded to msvcrt.dll offsets for the specific SP levels listed; detections relying on these addresses will not generalize across patch levels.
- Payload space is limited to 2500 bytes; staged payloads or large shellcode may not function correctly within this constraint.
No detection rules found.
Exploit-DB
BigAnt Server 2.97 - SCH / DUPF Buffer Overflow (Metasploit)
exploitdb · 2013-02-20
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BigAnt Server 2 SCH And DUPF Buffer Overflow',
      'Description'    => %q{
          This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The
        vulnerability is due to the dangerous usage of strcpy while handling errors. This
        module uses a combination of SCH and DUPF request to trigger the vulnerability, and
        has been tested successfully against version 2.97 SP7 over Windows XP SP3 and
        Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Hamburgers Maccoy', # Vulnerability disc
BigAnt Server 2 SCH And DUPF Buffer Overflow
metasploit
BigAnt Server 2 SCH And DUPF Buffer Overflow
BigAnt Server 2 SCH And DUPF Buffer Overflow
This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The vulnerability is due to the dangerous usage of strcpy while handling errors. This module uses a combination of SCH and DUPF request to trigger the vulnerability, and has been tested successfully against version 2.97 SP7 over Windows XP SP3 and Windows 2003 SP2.
No writeups or analysis indexed.
Published: 2013-02-24