CVE-2004-0636
published 2004-11-23


Priority: P346
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 66.02% (99.2th percentile)
Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| aol | instant_messenger | | |
| aol | instant_messenger | | |
| aol | instant_messenger | | |

Detection & IOCs (extracted from sources)

url: aim:goaway?message=
port: 1180
registry: aim:goaway
other: 0x10015599
other: 0x1108118f
bytes: \x90\xe9\x13\xfc\xff\xff
bytes: EB 0F 8B 34 24 33 C9 80 C1 B0 80 36 DE 46 E2 FA
  • Monitor for processes launching with URI arguments matching 'aim:goaway?message=' followed by an abnormally long string (>1000 bytes), which indicates exploitation of the AIM goaway buffer overflow.
  • Flag use of the return address 0x10015599 (call ebx in rtvideo.dll) in memory or shellcode, as it is the stable NT-universal gadget used by the PoC exploit.
  • Flag use of the SEH overwrite gadget at 0x1108118f (pop/pop/ret in proto.com) as used by the Metasploit module for this CVE.
  • Detect outbound TCP connections to port 1180 from the AIM process shortly after processing a goaway URI, as the PoC bind-shell shellcode listens on that port.
  • Bad characters for payload filtering/detection: null byte, tab, LF, CR, space, quote, percent, ampersand, apostrophe, plus, forward-slash, colon, angle brackets, question mark, at-sign — any AIM goaway URI message parameter containing these may indicate a crafted/encoded payload.
  • The PoC exploit (395) targets AIM 5.5.3595 specifically and uses offsets based on the exe/dll from that package; the return address 0x10015599 (rtvideo.dll) is described as 'NT universal' but may not apply to all builds.
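
The first monitoring rule above, written out as an added example (it is not code from this page or its sources). It assumes process-creation events are available as dicts with hypothetical `host`, `pid` and `cmdline` fields; the sample events, including the install path, are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Threshold from the rule above: a message longer than 1000 bytes is abnormal.
MAX_MESSAGE_BYTES = 1000

# URI schemes are case-insensitive, so "AIM:GoAway" must match too. The message
# value runs to the next whitespace or closing quote of the command line.
GOAWAY_RE = re.compile(r'aim:goaway\?message=([^\s"]*)', re.IGNORECASE)


def check_command_line(cmdline):
    """Return length details if cmdline carries an over-long goaway message, else None."""
    match = GOAWAY_RE.search(cmdline)
    if match is None:
        return None
    raw = match.group(1)
    # Percent-decoding never lengthens the value, so the raw length is the
    # conservative figure to alert on; the decoded length is kept for triage.
    if len(raw) <= MAX_MESSAGE_BYTES:
        return None
    return {"raw_len": len(raw), "decoded_len": len(unquote_to_bytes(raw))}


def scan(events):
    """Return one finding per event whose command line trips the length rule."""
    findings = []
    for event in events:
        details = check_command_line(event["cmdline"])
        if details is not None:
            findings.append({"host": event["host"], "pid": event["pid"], **details})
    return findings


# Constructed sample events (hypothetical hosts, PIDs and paths).
SAMPLE_EVENTS = [
    {"host": "ws-01", "pid": 4120,
     "cmdline": r'"C:\Program Files\AIM\aim.exe" aim:goaway?message=Out+to+lunch'},
    {"host": "ws-02", "pid": 3388,
     "cmdline": r'"C:\Program Files\AIM\aim.exe" "AIM:GoAway?message=' + "A" * 1500 + '"'},
    {"host": "ws-03", "pid": 2210,
     "cmdline": "aim.exe aim:goaway?message=" + "%41" * 400},
    {"host": "ws-04", "pid": 977, "cmdline": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
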