CVE-2004-0798
published 2004-10-20

Priority: P353, high
CVSS 2.0: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 62.58% (99.1th percentile)
Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.

Affected (6 ranges)

Vendor    Product       Version range   Fixed in
progress  whatsup_gold
progress  whatsup_gold
progress  whatsup_gold
progress  whatsup_gold
progress  whatsup_gold
progress  whatsup_gold

Detection & IOCs (extracted from sources)

path:     /_maincfgret.cgi
command:  POST /_maincfgret.cgi HTTP/1.0
command:  page=notify&origname=&action=return&type=Beeper&instancename=
other:    Authorization: Basic YWRtaW46YWRtaW4=
other:    0x6032e743
other:    \xc4\x2a\x02\x75
port:     28876
bytes:    \x81\xc4\xff\xef\xff\xff\x44
  • Alert on HTTP POST to /_maincfgret.cgi containing the parameter pattern 'page=notify&origname=&action=return&type=Beeper&instancename=' with a large body, indicative of the buffer overflow exploit payload.
  • Flag HTTP Basic Authorization header value 'YWRtaW46YWRtaW4=' (base64 for admin:admin) in requests to /_maincfgret.cgi as a sign of default-credential exploit attempt.
  • Monitor for outbound connections on TCP port 28876 from the WhatsUp Gold server host, which is the bind shell port opened by the exploit's shellcode.
  • The Metasploit module targets whatsup.dll with return address 0x6032e743; presence of this address in memory/crash dumps or network traffic indicates exploitation of this specific target.
  • The exploit overwrites a Structured Exception Handler (SEH) pointer; look for SEH-based exploitation patterns (e.g., short jump opcode \xeb\x06\x90\x90 followed by a return address) in POST body to /_maincfgret.cgi.
  • The Metasploit module payload excludes several bad characters that must be avoided in shellcode; encoders are required for any payload containing these bytes.
  • The Perl exploit uses a Windows 2000 SP0-SP4 ws2help.dll return address (\xc4\x2a\x02\x75); a separate address (\xfe\x63\xa1\x71) is commented out for Windows XP SP1, so the target OS and patch level determine the correct return address.