CVE-2013-5019
published 2013-07-31

CVE-2013-5019: Stack-based buffer overflow in Ultra Mini HTTPD 1.21 allows remote attackers to execute arbitrary code via a long resource name in an HTTP request.

Priority: P276 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.39% (99.1th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
vector | ultra_mini_httpd | |

Detection & IOCs (extracted from sources)

version: Ultra Mini HTTPD 1.21
command: GET /<5392+ byte overflow payload> HTTP/1.1
command: POST /<5438+ byte overflow payload> HTTP/1.1
other: EIP offset: 5412 (GET), 5438 (POST) bytes before return address
other: ROP gadget: 0x77c354b4 (push esp / ret - msvcrt.dll) — Windows XP SP3
other: ROP gadget: 0x7C941EED (JMP ESP - ntdll.dll) — Windows XP SP2
other: ROP gadget: 0x7E429353 (JMP ESP - user.dll) — Windows XP SP3
other: ROP gadget: 0x764046cd (call esp - msvcrt.dll) — Windows 7 32-bit
bytes: BadChars: \x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f
bytes: Egg hunter tag: no0bno0b (\x6e\x6f\x30\x62\x6e\x6f\x30\x62)
bytes: Egg hunter stub: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
  • Detect HTTP GET requests with a URI longer than 5392 bytes followed by a 4-byte little-endian return address and NOP sled pattern targeting Ultra Mini HTTPD.
  • Detect HTTP POST requests with a body/URI exceeding 5438 bytes, characteristic of the POST-based buffer overflow variant against Ultra Mini HTTPD 1.21.
  • Monitor for the egg-hunter tag string 'no0bno0b' appearing in HTTP request URIs, which is used by the Windows 7 PoC exploit to locate shellcode in memory.
  • The exploit's request handler thread is terminated after 60 seconds by a monitor thread; exploits may use VirtualAlloc + CreateThread + SuspendThread stager patterns to survive this. Look for these API call sequences in memory or network payloads.
  • The Metasploit module uses a StackAdjustment of -3500 bytes; look for large negative ESP adjustments (e.g., \x81\xc4\xf0\xea\xff\xff = add esp,-0x1510) immediately after EIP control in shellcode stagers.
  • Return addresses (JMP ESP / CALL ESP gadgets) are module-specific and vary by OS version: 0x77c354b4 (msvcrt.dll, XP SP3), 0x7C941EED (ntdll.dll, XP SP2), 0x7E429353 (user.dll, XP SP3), 0x764046cd (msvcrt.dll, Win7 32-bit). Detection rules relying on these hardcoded values will miss exploits retargeted to other environments.
  • The EIP offset differs between GET (5412/5392) and POST (5438) exploit variants; detection thresholds must account for both request methods.
  • Bad characters \x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f are filtered by the application; encoded shellcode will not contain these bytes, so byte-level signature detection must account for encoding (e.g., shikata_ga_nai).