CVE-2004-0326
Published: 2004-11-23
Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request.
Priority: P3 · 55 · CVSS 2.0 score 10 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploits indexed (Exploit-DB, Metasploit)
EPSS: 62.81% (99.1st percentile)
Affected (1 range; "—" means not specified in the source):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| proxy-pro | professional_gatekeeper | — | — |
Detection & IOCs (extracted from sources)
- command: `GET http://www.microsoft.com/[~4100 bytes overflow buffer]\r\nHost: www.microsoft.com\r\n\r\n`
- bytes: `\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa` (the XOR decoder stub referenced in the detection heuristics)
- bytes: `\xe9\xed\xf6\xff\xff` (x86 `jmp` with a negative rel32 displacement, -0x913)
Detection heuristics:
- Alert on TCP connections to port 3128 carrying HTTP GET requests whose request line (URL) exceeds roughly 3600–4100 bytes, the overflow trigger size for GateKeeper Pro 4.7.
- Detect the Metasploit exploit pattern: an HTTP GET request of at least 3603 random bytes followed by the encoded payload and the return address 0x03b1e121 packed little-endian (on the wire: 21 E1 B1 03).
- Monitor for a connection to the GateKeeper administration port 2000 followed immediately by a connection to port 3128; the exploit uses this sequence to fingerprint the version before attacking.
- Flag very long URL paths in HTTP GET requests that contain none of the characters \x00, +, &, =, %, \x0a, \x0d, \x20, consistent with the exploit's payload_badchars constraint.
- Detect the XOR-encoded shellcode decoder stub (classic xorer prologue) in TCP streams to port 3128: bytes EB 02 EB 05 E8 F9 FF FF FF 5B 80 C3 10 33 C9 66 B9 33 01 80 33 95 43 E2 FA.
Analyst notes:
- The return address 0x03b1e121 is hardcoded and specific to GKService.exe in GateKeeper Pro 4.7; it does not apply to other versions or binaries.
- The Metasploit module sets EXITFUNC to 'process', so successful exploitation terminates GKService.exe after the shellcode runs; an unexpected termination of that process is a useful post-exploitation indicator.
- The overflow places the return address at RET_POS=4079 bytes into a buffer of SIZE=4105 bytes in total; tune detection thresholds accordingly.
No detection rules found.
Exploit-DB: Proxy-Pro Professional GateKeeper 4.7 - GET Overflow (Metasploit) (exploitdb, 2010-09-20, CVE-2004-0326)
---
```ruby
##
# $Id: proxypro_http_get.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',
  'Description' => %q{
    This module exploits a stack buffer overflow in Proxy-Pro Professional
    GateKeeper 4.7. By sending a long HTTP GET to the default port
    of 3128, a remote attacker could overflow a buffer and execute
    arbitrary code.
  },
  'Author'      => 'MC',
  'License'     => MSF_LICENSE,
  'Version'     => '$Revis
```
(excerpt truncated in the indexed source)
Exploit-DB: Proxy-Pro Professional GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow (exploitdb, 2004-02-26, CVE-2004-0326)
---
```text
/*================[CRPT - FrenchTeam] =================*
        [Coromputer Security Advisory] - [CRPTSA-01]
*=================== [Summary] =====================*
Software     : GateKeeper Pro 4.7
Platforms    : win32
Risk         : High
Impact       : Buffer overflow
Release Date : 2004-02-23
*=================== [Description] ====================*
There is a trivial buffer overflow in the web proxy (default port 3128).
*==================== [Details] ======================*
Sending GET http://host.com/AAAAAAAAAA...(~4100bytes) will cause an access
violation. Other services not tested, but they can be vulnerable too. Exact
version can be checked from the administration service (default port 2000).
*==================== [Exploits] =
```
(excerpt truncated in the indexed source)
Exploit-DB: Proxy-Pro Professional GateKeeper 4.7 Web Proxy - Buffer Overrun (exploitdb, 2004-02-23, CVE-2004-0326)
---
Source: https://www.securityfocus.com/bid/9716/info

Proxy-Pro Professional GateKeeper is prone to a remotely exploitable buffer overrun that may be triggered by passing HTTP GET requests of excessive length through the web proxy component. This could be exploited to execute arbitrary code in the context of the software.

```c
/******************************************************************/
/* [Crpt] GateKeeper Pro 4.7 remote sploit by kralor [Crpt]       */
/******************************************************************/
/* bug discovered & coded by: kralor [from coromputer]            */
/* tested on: win2k pro and winXP                                 */
/* it uses a static offset to hijack execution to the shellcode.. */
/* so it is 100% universal. Nothing
```
(excerpt truncated in the indexed source)
Metasploit: Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow
This module exploits a stack buffer overflow in Proxy-Pro Professional GateKeeper 4.7. By sending a long HTTP GET to the default port of 3128, a remote attacker could overflow a buffer and execute arbitrary code.
No writeups or analysis indexed.
References:
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017703.html
- http://marc.info/?l=bugtraq&m=107755692400728&w=2
- http://www.securityfocus.com/bid/9716
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15277