CVE-2004-0313
published 2004-11-23


Priority: P351 | critical | CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 63.61% (99.1th percentile)
Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name.

Affected (1 range)

Vendor | Product | Version range | Fixed in
psoproxy | psoproxy_server | |

Detection & IOCs (extracted from sources)

Ports: 8080, 9191, 28876, 4444
Command: GET / HTTP/1.0
Version: PSO Proxy 0.9
  • Detect exploit by checking for HTTP requests to PSOProxy (default port 8080) with a payload body exceeding 1024 bytes, which is the known overflow offset.
  • Banner-check for vulnerable PSOProxy version: server banner matches /PSO Proxy 0\.9/ — use this for active scanning/detection.
  • Monitor for unexpected outbound connections or listening shells on ports 9191, 28876, and 4444 following inbound HTTP traffic to port 8080 — these are the backdoor/bind-shell ports used by known exploits.
  • The Metasploit module uses payload bad characters \x00\x0a\x0d\x20 — HTTP requests to PSOProxy containing long alphanumeric strings (1024+ bytes) with a 4-byte return address appended should be flagged.
  • Known return addresses used in exploits targeting PSOProxy 0.91 across Windows platforms: 0x75023112, 0x74fa3112, 0x74fd3112 (ws2help.dll call ecx), 0x71aa396d, 0x71aa3de3 (ws2help.dll call ecx), 0x77D615B9 (USER32.DLL jmp esp), 0x77D4643D (USER32.DLL JMP ESP).
  • PSOProxy listens on TCP port 8080 by default; exploits target this port. Ensure network monitoring covers this non-standard HTTP port.
  • The Metasploit module uses EXITFUNC=thread and a StackAdjustment of -3500, meaning the shellcode execution does not terminate the process; the service may remain running post-exploitation, making crash-based detection unreliable.
  • Overflow offset is 1024 bytes; the buffer size used in exploits ranges from 1530 to 3000 bytes. Detection rules should trigger on HTTP request bodies or method strings significantly exceeding 1024 bytes sent to PSOProxy.
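
The length and banner checks from the notes above, written as an added example (not code from this page or from any PSOProxy tooling). It is narrowed to the two fields the CVE description names, the method and the GET argument; the function names and sample requests are constructed for illustration.

```python
import re

OVERFLOW_OFFSET = 1024                      # overflow offset stated on this page
BANNER_RE = re.compile(rb"PSO Proxy 0\.9")  # banner pattern stated on this page


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP request captured on the proxy port."""
    # Only the request line is examined: tolerate bare LF as well as CRLF.
    request_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = request_line.split(b" ")
    method = parts[0]                        # a line with no space is one long token
    target = parts[1] if len(parts) > 1 else b""
    findings = []
    if len(method) > OVERFLOW_OFFSET:
        findings.append(f"oversized method ({len(method)} bytes)")
    if len(target) > OVERFLOW_OFFSET:
        findings.append(f"oversized request target ({len(target)} bytes)")
    return findings


def banner_is_vulnerable(banner: bytes) -> bool:
    """True when a server banner matches the vulnerable-version pattern."""
    return BANNER_RE.search(banner) is not None


def scan(requests: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to its findings, omitting clean requests."""
    results = {name: inspect_request(raw) for name, raw in requests.items()}
    return {name: found for name, found in results.items() if found}


# Constructed sample requests (filler bytes only, not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.0\r\n\r\n",
    "long_target": b"GET /" + b"A" * 1530 + b" HTTP/1.0\r\n\r\n",
    "long_method": b"A" * 1530 + b" / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, found in scan(SAMPLES).items():
        print(name, found)
    print("banner:", banner_is_vulnerable(b"Server: PSO Proxy 0.91"))
```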