CVE-2003-1247
H-Sphere WebShell 2.3 - Remote Code Execution via Buffer Overflow in CGI::readFile, diskusage, and flist
Exploitation Summary
EIP tracks 2 public exploits for CVE-2003-1247. PoCs published by Carl Livitt.
Description
Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.
Exploits (2)
This exploit targets a stack-based buffer overflow in H-Sphere WebShell's CGI.C component, allowing remote code execution via a crafted HTTP request. It binds a root shell to a specified port by leveraging predictable return addresses and environment variables.
This exploit targets a stack-based buffer overflow in H-Sphere WebShell 2.4 (CVE-2003-1247) via a maliciously crafted 'CONTENT_TYPE' environment variable. It uses a brute-force approach to guess the return address and buffer size, ultimately executing arbitrary shellcode to spawn a root shell.