This exploit targets a format string vulnerability in the nsapi_log_error() function of the DynaWeb HTTPD (dwhttpd) server. It bypasses authentication to retrieve a stack pointer from the error log, uses that pointer to calculate the location of its shellcode, and executes arbitrary code that binds a shell to port 2001.
Classification
Working PoC 95%
Target:
DynaWeb HTTPD (dwhttpd) versions 4.0.2a7a and 4.1a6 (as part of Solaris AnswerBook2)
No auth needed
Prerequisites:
Network access to the target server · DynaWeb HTTPD running on port 8888 · Vulnerable version of dwhttpd