CVE-2014-4158
published 2014-06-13

CVE-2014-4158: Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a GET request.

Priority: P2 (58) · Severity: high
CVSS 2.0: 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 14.30% (96.2nd percentile)

Affected (1 range)

Vendor: senkas
Product: kolibri
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

command: GET /<long_URI> HTTP/1.1
port: 5698
ua: kepo
bytes: \xEB\xBA\x90\x90
bytes: \xC2\x15\x40
bytes: dogedoge
bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x64\x6f\x67\x65\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
bytes: \x63\x46\x92\x7c
bytes: \x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4
  • Exploit sends a GET request with an oversized URI (buffer of 792–794+ bytes of NOP sleds, egghunter, and shellcode) to trigger the stack-based buffer overflow in Kolibri 2.0.
  • The SEH-based exploit (exploit 34059) places the egghunter tag 'doge' (\x64\x6f\x67\x65) in the Host header alongside the shellcode; detect HTTP requests where the Host header contains binary/shellcode content.
  • The classic stack overflow exploit (exploit 33027) uses a call-ESP gadget at 0x7C924663 (kernel32/ntdll on XP SP3 Spanish); the EIP overwrite value \x63\x46\x92\x7c is a reliable detection artifact in the GET URI payload.
  • The SEH overwrite exploit (exploit 34059) uses a pop/pop/ret gadget at 0x4015C2 inside kolibri.exe itself; presence of \xC2\x15\x40 in the GET URI is a strong indicator of exploitation.
  • Monitor HTTP traffic to Kolibri 2.0 for GET requests with URI lengths exceeding 515 bytes, which is the approximate overflow threshold used in both exploits.
  • The bind-shell payload in exploit 34059 opens TCP port 5698 on the victim; monitor for unexpected listening services on that port after exploitation.
  • The SEH exploit (34059) targets specific offsets per OS: 792 bytes for Windows XP SP2/Server 2003, 794 bytes for Windows 7 SP1; the pop/pop/ret gadget (0x4015C2) is from kolibri.exe itself and is version-specific.
  • The call-ESP EIP gadget 0x7C924663 used in exploit 33027 is specific to Windows XP SP3 Spanish; the gadget address will differ on other OS versions/languages.
  • The alpha-mixed encoded shellcode in exploit 34059 is designed to avoid bad characters; the egghunter tag 'doge' (\x64\x6f\x67\x65) must appear twice consecutively in memory for the hunter to locate the shellcode.
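The detection heuristics listed above (GET URI longer than 515 bytes, the two gadget byte sequences in the URI, the egg tag or other non-printable bytes in the Host header) written out as a Python checker; this is an added example, not part of this record or of either exploit, and the sample requests below are constructed, as is the `uri_length=` finding label.

```python
import re

# Detection artifacts from the IOC list above (exploit-db 33027 / 34059).
URI_LENGTH_THRESHOLD = 515                  # approximate overflow threshold in both exploits
EIP_GADGET_33027 = b"\x63\x46\x92\x7c"     # call ESP at 0x7C924663, little-endian (33027)
SEH_GADGET_34059 = b"\xC2\x15\x40"         # pop/pop/ret at 0x4015C2, little-endian (34059)
EGG_TAG = b"doge" * 2                       # egghunter tag must appear twice in a row

REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \r\n]+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]*)", re.IGNORECASE)


def inspect_request(raw: bytes) -> list[str]:
    """Return the indicators matched by one raw HTTP request (empty list if none)."""
    findings: list[str] = []
    m = REQUEST_LINE.match(raw)
    if not m or m.group(1) != b"GET":
        return findings                     # only GET requests are in scope here
    uri = m.group(2)
    if len(uri) > URI_LENGTH_THRESHOLD:
        findings.append(f"uri_length={len(uri)}")
    if EIP_GADGET_33027 in uri:
        findings.append("eip_gadget_0x7C924663")
    if SEH_GADGET_34059 in uri:
        findings.append("seh_gadget_0x4015C2")
    host = HOST_HEADER.search(raw)
    if host:
        value = host.group(1)
        if EGG_TAG in value:                # 34059 stages the egg tag in the Host header
            findings.append("egg_tag_dogedoge_in_host")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append("binary_in_host")
    return findings


# Constructed samples (not captured traffic): one benign request and two shaped like the IOCs.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: kepo\r\n\r\n"
SAMPLE_33027 = (b"GET /" + b"A" * 515 + EIP_GADGET_33027 + b"\x90" * 8 + b" HTTP/1.1\r\n"
                b"Host: 192.0.2.10\r\n\r\n")
SAMPLE_34059 = (b"GET /" + b"A" * 794 + SEH_GADGET_34059 + b" HTTP/1.1\r\n"
                b"Host: " + EGG_TAG + b"\x90\x90\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("33027-shaped", SAMPLE_33027),
                      ("34059-shaped", SAMPLE_34059)):
        print(name, inspect_request(req))
```

The port 5698 indicator is a post-exploitation artifact and has to be checked on the host (unexpected listener) rather than in the HTTP request.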