CVE-2004-0326
published 2004-11-23

CVE-2004-0326: Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request.

Priority: P3 (score 55)
Severity: critical
CVSS 2.0 base score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 62.81% (99.1th percentile)

Affected (1 range)

Vendor: proxy-pro
Product: professional_gatekeeper
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

  • port: 3128
  • port: 2000
  • process: GKService.exe
  • command: GET http://www.microsoft.com/[~4100 bytes overflow buffer]\r\nHost: www.microsoft.com\r\n\r\n
  • bytes: \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa
  • bytes: \xe9\xed\xf6\xff\xff
  • Alert on TCP connections to port 3128 carrying HTTP GET requests with a payload body exceeding ~3600–4100 bytes, which is the overflow trigger size for GateKeeper Pro 4.7.
  • Detect the Metasploit exploit pattern: HTTP GET request of exactly 3603+ random bytes followed by encoded payload and the return address 0x03b1e121 packed little-endian.
  • Monitor for connections to the GateKeeper administration port 2000 followed immediately by a connection to port 3128 — a pattern used by the exploit to fingerprint version before attacking.
  • Flag HTTP GET requests where the bad-character set \x00, +, &, =, %, \x0a, \x0d, \x20 is absent from a very long URL path — consistent with the exploit's payload_badchars constraint.
  • Detect the XOR-encoded shellcode stub signature (classic xorer prologue) in TCP stream on port 3128: bytes EB 02 EB 05 E8 F9 FF FF FF 5B 80 C3 10 33 C9 66 B9 33 01 80 33 95 43 E2 FA.
  • The return address 0x03b1e121 is hardcoded and specific to GKService.exe in GateKeeper Pro 4.7; it will not apply to other versions or binaries.
  • The Metasploit module sets EXITFUNC to 'process', meaning successful exploitation terminates the GKService.exe process after shellcode execution — useful for post-exploitation detection via unexpected process termination.
  • The overflow requires exactly RET_POS=4079 bytes before the return address within a total buffer of SIZE=4105 bytes; detection thresholds should be tuned accordingly.
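The detection signals listed above, turned into a small offline checker. This is an added example, not part of the CVE record or of any vendor tooling: it takes raw HTTP request bytes plus the destination port, raises a tag for an oversized GET target on port 3128, for the absence of the exploit's bad characters in such a target, and for the two byte IOCs; a second function pairs an admin-port (2000) connection with a following proxy-port (3128) connection from the same source. The 3600-byte threshold is the lower bound of the range quoted above, the 60-second pairing window and all sample traffic are constructed assumptions.

```python
"""Added detector example for CVE-2004-0326 signals; not from the original page."""
from __future__ import annotations

from collections import defaultdict

PROXY_PORT = 3128          # GateKeeper web proxy port named in the IOC list
ADMIN_PORT = 2000          # GateKeeper administration port named in the IOC list
LONG_GET_THRESHOLD = 3600  # lower bound of the ~3600-4100 byte trigger range
PAIRING_WINDOW_S = 60      # assumed window between admin probe and proxy connection

# Byte IOCs from the page: XOR decoder prologue and the short jump stub.
XOR_STUB = bytes.fromhex("eb02eb05e8f9ffffff5b80c31033c966b9330180339543e2fa")
JMP_STUB = bytes.fromhex("e9edf6ffff")

# Bad characters the exploit payload must avoid; benign long URLs nearly always
# contain at least one of '=', '&', '%' or '+'.
BADCHARS = set(b"\x00+&=%\n\r ")


def request_target(request: bytes) -> bytes | None:
    """Return the request-target from the first line of a GET request, else None."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return None
    return parts[1]


def analyze_request(dst_port: int, request: bytes) -> list[str]:
    """Return the detection tags raised by one request sent to dst_port."""
    findings: list[str] = []
    if dst_port != PROXY_PORT:
        return findings
    target = request_target(request)
    if target is not None and len(target) >= LONG_GET_THRESHOLD:
        findings.append(f"long-get:{len(target)}")
        # A very long target that avoids every bad character matches the
        # payload_badchars constraint described above.
        if not (BADCHARS & set(target)):
            findings.append("no-badchars")
    if XOR_STUB in request:
        findings.append("xor-stub")
    if JMP_STUB in request:
        findings.append("jmp-stub")
    return findings


def admin_then_proxy(connections: list[tuple[float, str, int]]) -> list[str]:
    """Sources that hit the admin port and then the proxy port within the window.

    connections: (timestamp_seconds, src_ip, dst_port) tuples, in any order.
    """
    by_src: dict[str, list[tuple[float, int]]] = defaultdict(list)
    for ts, src, port in connections:
        by_src[src].append((ts, port))
    flagged: list[str] = []
    for src, events in by_src.items():
        events.sort()
        admin_times = [ts for ts, port in events if port == ADMIN_PORT]
        for ts, port in events:
            if port == PROXY_PORT and any(
                0 <= ts - a <= PAIRING_WINDOW_S for a in admin_times
            ):
                flagged.append(src)
                break
    return flagged


# Constructed sample traffic (not real captures).
BENIGN_GET = (b"GET http://example.test/search?q=proxy&page=2 HTTP/1.0\r\n"
              b"Host: example.test\r\n\r\n")
# Shape of the page's command IOC: proxied GET with ~4100 bytes of filler.
LONG_GET = (b"GET http://www.microsoft.com/" + b"A" * 4100
            + b"\r\nHost: www.microsoft.com\r\n\r\n")
STUB_GET = (b"GET http://www.microsoft.com/" + b"B" * 100 + XOR_STUB
            + b" HTTP/1.0\r\n\r\n")
CONN_LOG = [
    (100.0, "10.0.0.5", ADMIN_PORT), (101.5, "10.0.0.5", PROXY_PORT),
    (200.0, "10.0.0.9", PROXY_PORT),
    (300.0, "10.0.0.7", ADMIN_PORT), (900.0, "10.0.0.7", PROXY_PORT),
]


def run_samples() -> dict[str, object]:
    """Run every sample through the detector and return the tags per sample."""
    return {
        "benign": analyze_request(PROXY_PORT, BENIGN_GET),
        "long": analyze_request(PROXY_PORT, LONG_GET),
        "stub": analyze_request(PROXY_PORT, STUB_GET),
        "wrong-port": analyze_request(80, LONG_GET),
        "paired-sources": admin_then_proxy(CONN_LOG),
    }


if __name__ == "__main__":
    for name, tags in run_samples().items():
        print(f"{name}: {tags}")
```

The length check is applied to the request-target only, so a large POST body or long headers on the same port do not trip it; the bad-character test is only evaluated once the target is already over the threshold, which keeps ordinary long query strings (which contain `=` and `&`) out of the alert. The pairing function breaks after the first match per source, so one alert per source rather than one per proxy connection.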