CVE-2004-0798
Published 2004-10-20
Priority: P3 · 53 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 62.58% (99.1th percentile)
Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.
Affected
6 ranges are listed, all for vendor progress, product whatsup_gold; the source shows no version bounds or fixed versions for them.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | whatsup_gold | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x81\xc4\xff\xef\xff\xff\x44
- Alert on HTTP POST to /_maincfgret.cgi containing the parameter pattern 'page=notify&origname=&action=return&type=Beeper&instancename=' with a large body, indicative of the buffer overflow exploit payload.
- Flag HTTP Basic Authorization header value 'YWRtaW46YWRtaW4=' (base64 for admin:admin) in requests to /_maincfgret.cgi as a sign of a default-credential exploit attempt.
- Monitor for outbound connections on TCP port 28876 from the WhatsUp Gold server host, which is the bind shell port opened by the exploit's shellcode.
- The Metasploit module targets whatsup.dll with return address 0x6032e743; presence of this address in memory/crash dumps or network traffic indicates exploitation of this specific target.
- The exploit overwrites a Structured Exception Handler (SEH) pointer; look for SEH-based exploitation patterns (e.g., short jump opcode \xeb\x06\x90\x90 followed by a return address) in POST bodies to /_maincfgret.cgi.
- The Metasploit module payload excludes several bad characters that must be avoided in shellcode; encoders are required for any payload containing these bytes.
- The Perl exploit uses a win2k SP0-SP4 ws2help.dll return address (\xc4\x2a\x02\x75); a separate address (\xfe\x63\xa1\x71) is commented out for WinXP SP1, so target OS/patch level affects the correct return address.
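The indicators above can be turned into a small request inspector for a web proxy or IDS log pipeline. The following is an added example written for this page, not code from the sources it indexes or from the exploit modules: it checks a parsed HTTP request for the oversized instancename parameter, the default admin:admin Basic credentials, the SEH short-jump opcode and the whatsup.dll return address, and flags connection records on the WhatsUp Gold host that involve TCP 28876. The HttpRequest record, the INSTANCENAME_LIMIT threshold and the sample traffic are assumptions constructed for the example.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Indicators taken from the IOC list on this page.
TARGET_PATH = "/_maincfgret.cgi"
PARAM_PATTERN = b"page=notify&origname=&action=return&type=Beeper&instancename="
DEFAULT_CREDENTIALS = b"admin:admin"               # 'YWRtaW46YWRtaW4=' decodes to this
SEH_SHORT_JUMP = b"\xeb\x06\x90\x90"               # short jump past the SEH record, then NOPs
RETURN_ADDRESS_LE = (0x6032e743).to_bytes(4, "little")  # whatsup.dll address used by the Metasploit module
BIND_SHELL_PORT = 28876
# Assumption: legitimate instance names are short, while the Perl exploit notes that
# roughly 4080 bytes are needed to reach the SEH pointer, so a low limit is safe.
INSTANCENAME_LIMIT = 256


@dataclass
class HttpRequest:
    """Minimal parsed request (assumed shape, e.g. from a proxy log)."""
    method: str
    path: str
    headers: dict
    body: bytes


def instancename_length(body: bytes) -> int:
    """Length of the instancename value in a form-encoded body (0 if absent)."""
    m = re.search(rb"(?:^|&)instancename=([^&]*)", body)
    return len(m.group(1)) if m else 0


def basic_auth_credentials(headers: dict) -> bytes | None:
    """Decode an HTTP Basic Authorization header; None if absent or malformed."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        return base64.b64decode(value[6:].strip(), validate=True)
    except (ValueError, TypeError):
        return None


def inspect_request(req: HttpRequest) -> list:
    """Return the names of the page's HTTP indicators matched by one request."""
    findings = []
    if req.path.lower() != TARGET_PATH:
        return findings
    if (req.method.upper() == "POST" and PARAM_PATTERN in req.body
            and instancename_length(req.body) > INSTANCENAME_LIMIT):
        findings.append("oversized-instancename")
    if basic_auth_credentials(req.headers) == DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if SEH_SHORT_JUMP in req.body:
        findings.append("seh-short-jump")
    if RETURN_ADDRESS_LE in req.body:
        findings.append("known-return-address")
    return findings


def connection_suspicious(host: str, local_port: int, remote_port: int, wug_hosts: set) -> bool:
    """Flag a connection record on a WhatsUp Gold host that involves the bind-shell port."""
    return host in wug_hosts and BIND_SHELL_PORT in (local_port, remote_port)


# Constructed sample traffic (not captured data): one request shaped like the IOCs
# above and one ordinary configuration save with a short instance name.
SAMPLE_EXPLOIT = HttpRequest(
    method="POST",
    path="/_maincfgret.cgi",
    headers={"Authorization": "Basic YWRtaW46YWRtaW4=",
             "Content-Type": "application/x-www-form-urlencoded"},
    body=PARAM_PATTERN + b"A" * 4080 + SEH_SHORT_JUMP + RETURN_ADDRESS_LE + b"\x90" * 16,
)
SAMPLE_BENIGN = HttpRequest(
    method="POST",
    path="/_maincfgret.cgi",
    headers={"Authorization": "Basic b3BlcmF0b3I6UzNjcmV0IQ=="},  # operator:S3cret!
    body=b"page=notify&origname=&action=return&type=Beeper&instancename=pager1",
)

if __name__ == "__main__":
    for label, req in (("exploit-shaped", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_request(req))
    print("bind shell port seen:", connection_suspicious("wug-server", 28876, 51234, {"wug-server"}))
```

The length check is deliberately applied only to requests that carry the full parameter pattern and the target path, so ordinary long POSTs elsewhere on the server do not fire; the credential check decodes the header rather than string-matching the base64, so padding or whitespace variants of the same credentials are still caught.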
No detection rules found.
Exploit-DB
IPSwitch WhatsUp Gold 8.03 - Remote Buffer Overflow (Metasploit)
exploitdb·2010-07-14
---
##
# $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /WhatsUp/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By
posting a long string for the value of 'instancename' in the _maincfgret.cgi
script an attacker can
Exploit-DB
IPSwitch WhatsUp Gold 8.03 - Remote Buffer Overflow
exploitdb·2004-10-04
---
#!/usr/bin/perl
# [LoWNOISE] NotmuchG.pl v.1.5
# ================================================
# IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit
# ================================================
#
# Exploit by ET LoWNOISE Colombia
# et(at)cyberspace.org
# Oct/2004
#
# Tested on WIN2K SP4
#
# The exploit takes control by overwriting the pointer of a Structured Exception Handler,
# installed by WhatsUP and points to a routine that handles exceptions.
# (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny Cyberpunk THC)
#
# The overflow string has to be around 4080 in length to generate an exception that can
# be manipulated by changing the SEH pointer (ret [815]).
#
#
# Bug Discovered by
# iDEFENSE Securit
Metasploit
Ipswitch WhatsUp Gold 8.03 Buffer Overflow
metasploit
This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system.
No writeups or analysis indexed.
References
- http://www.idefense.com/application/poi/display?type=vulnerabilities
- http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html
- http://www.securityfocus.com/bid/11043
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17111
- https://www.exploit-db.com/exploits/566/