CVE-2017-6187
published 2017-02-22

CVE-2017-6187: Buffer overflow in the built-in web server in DiskSavvy Enterprise 9.4.18 allows remote attackers to execute arbitrary code via a long URI in a GET request.

Priority: P271 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 33.05% (98.1 percentile)

Affected (1 range)

Vendor: disksavvy · Product: disksavvy_enterprise · Version range: (not given) · Fixed in: (not given)

Detection & IOCs (extracted from sources)

  • port: 4444 (bind shell listener opened on the victim)
  • command: GET /<2487*'A' + nseh + retn + nops + egghunter + shell> HTTP/1.1
  • address: 0x10142e38 (SEH handler overwrite value)
  • url: http://<host>/login
  • bytes (payload decoder stub): \xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x53
  • bytes (egg tag): t00wt00w
  • bytes (WoW64 egghunter prologue, mov bx, cs / cmp bl, 0x23): \x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0
  • bytes (WoW64 egghunter prologue, second variant): \x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31
  • The exploit sends an oversized HTTP GET request whose URI is at least 2487 bytes of 'A' padding followed by the SEH record and payload, to the DiskSavvy Enterprise built-in web server on TCP port 80; detect GET request URIs that exceed normal bounds.
  • The exploit uses a fixed SEH overwrite return address 0x10142e38 (pop edi / pop esi / ret gadget); look for this value in network traffic or memory at the SEH chain offset.
  • The exploit uses a WoW64 egghunter with the egg tag 't00wt00w' (hex 74 30 30 77 74 30 30 77); scanning process memory or network payload for this tag can identify exploitation attempts.
  • The exploit uses a short JMP-over SEH stub '\xeb\x08\x90\x90' as the nSEH record; this 4-byte sequence at the SEH overwrite offset is a strong indicator of exploitation.
  • The exploit sets Content-Length: 5900 in the HTTP headers while the actual GET URI carries the overflow payload; a mismatch between Content-Length and a GET request (which has no body) is anomalous and detectable.
  • The Metasploit module targets DiskSavvy Enterprise v9.1.14 and v9.3.14 in addition to 9.4.18; detection should cover all three versions.
  • The bind shell payload opens TCP port 4444 on the victim; monitor for unexpected listening services on port 4444 on Windows hosts running DiskSavvy Enterprise.
  • The exploit targets 64-bit Windows using WoW64 egghunters; two distinct egghunter variants exist, one for Windows 7 SP1 x64 and one for Windows 10 x64. The Windows 10 variant only supports the x86_64 platform.
  • The Metasploit module was tested on Windows XP SP3 and Windows 7 SP1, while the EDB PoC was tested on Windows 7 Pro SP1 x64 and Windows 10 Pro x64; coverage may differ across OS versions.
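The indicators above, collected into one request-level detector. This is an added example, not code from the page, the EDB PoC, or the Metasploit module: it parses a raw HTTP request and reports which CVE-2017-6187 indicators fire. The byte patterns and the 0x10142e38 handler address are the ones quoted on this page; `MAX_URI_LEN` and the two sample requests are constructed assumptions (no real shellcode is included, NOPs stand in for it).

```python
import struct

# Indicators quoted in the IOC list above (CVE-2017-6187 PoC / Metasploit module).
SEH_RETN = 0x10142e38                                  # pop edi / pop esi / ret gadget
SEH_RETN_LE = struct.pack("<I", SEH_RETN)              # little-endian, as it sits in the URI
NSEH_STUB = b"\xeb\x08\x90\x90"                        # short jmp +8 over the SEH record
EGG_TAG = b"t00wt00w"                                  # WoW64 egghunter egg
WOW64_HUNTER_PROLOGUE = b"\x66\x8c\xcb\x80\xfb\x23"    # mov bx, cs ; cmp bl, 0x23 (both variants above)
MAX_URI_LEN = 2048   # assumption, not from the page: generous bound for legitimate URIs (PoC pads 2487)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers, body).

    The request line is split on its first and last space, so a URI carrying
    arbitrary bytes (including 0x20) survives intact: a strict parser would
    reject the exploit request, and a detector must not lose it that way.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    rest, _, _version = lines[0].rpartition(b" ")
    method, _, uri = rest.partition(b" ")
    if not method or not uri:
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def check_request(raw: bytes) -> list:
    """Return the names of the CVE-2017-6187 indicators that fire on one raw request."""
    hits = []
    try:
        method, uri, headers, body = parse_request(raw)
    except ValueError:
        return ["malformed-request-line"]
    if len(uri) > MAX_URI_LEN:
        hits.append("oversized-uri")
    if SEH_RETN_LE in uri:
        hits.append("seh-return-address")
    if NSEH_STUB + SEH_RETN_LE in uri:
        hits.append("nseh-stub-before-handler")      # the complete overwritten SEH record
    if EGG_TAG in raw:
        hits.append("egg-tag")
    if WOW64_HUNTER_PROLOGUE in raw:
        hits.append("wow64-egghunter")
    if method == b"GET" and b"content-length" in headers:
        try:
            declared = int(headers[b"content-length"])
        except ValueError:
            declared = -1
        if declared != len(body):                    # PoC declares 5900 on a body-less GET
            hits.append("get-content-length-mismatch")
    return hits


# Constructed sample traffic (not captured data): the PoC layout quoted above,
# with NOPs standing in for the real egghunter body and shellcode.
EXPLOIT_REQUEST = (
    b"GET /" + b"A" * 2487 + NSEH_STUB + SEH_RETN_LE + b"\x90" * 16
    + WOW64_HUNTER_PROLOGUE + b"\x90" * 32 + EGG_TAG + b"\x90" * 64
    + b" HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 5900\r\n\r\n"
)
BENIGN_REQUEST = b"GET /login HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: curl/7.64.0\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(f"{label}: {check_request(req) or 'clean'}")
```

The SEH record checks are confined to the URI because that is where the PoC places it, while the egg tag and egghunter prologue are searched across the whole request, matching the page's advice to scan network payload as well as memory. Tune `MAX_URI_LEN` to the longest URI the deployment legitimately serves, and do not rely on the 0x10142e38 address alone: the page lists 9.1.14 and 9.3.14 as additional Metasploit targets, and a handler address tied to one binary may differ for another.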

CVSS provenance

NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P