CVE-2004-1172
published 2005-01-10


Priority: P2 (64)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 81.79% (99.6th percentile)
Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.

Affected

5 ranges
Vendor            Product      Version range   Fixed in
symantec_veritas  backup_exec
symantec_veritas  backup_exec
symantec_veritas  backup_exec
symantec_veritas  backup_exec
symantec_veritas  backup_exec

Detection & IOCs (extracted from sources)

port: 6101
process: bnetns.exe
other: 0x0142ffa1
other: 0x401150FF
other: 0x014308b9
other: 0x401138FF
other: \xFF\x50\x11\x40
other: \xA1\xFF\x42\x01
other: \xFF\x38\x11\x40
other: \xB9\x08\x43\x01
process: beclass.dll
bytes: \x02\x00\x32\x00\x20\x00
bytes: \x02\x00\x32\x00\x90\x90\x90\x90
bytes: \x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56
  • The exploit targets TCP port 6101 (Veritas Backup Exec Agent Browser service). Monitor for unexpected or malformed TCP connections to this port, especially from external/untrusted hosts.
  • The exploit sends a two-stage payload: first a small findsock/stack-pivot shellcode (~51 bytes) followed by the real shellcode. Detect the two rapid sequential sends to port 6101 from the same source.
  • The registration request packet begins with the magic bytes \x02\x00\x32\x00 followed by shellcode. Alert on packets to port 6101 starting with this 4-byte header where the agent name field is 63 bytes or longer.
  • The vulnerability is triggered by sending an agent name value of 63 bytes or more in the registration request, overwriting the return address of recv() in bnetns.exe.
  • The findsock stage shellcode pivots the stack to the beginning of the page using shr/shl esp,0xc. Detect this characteristic stack-alignment sequence in shellcode: \xC1\xEC\x0C\xC1\xE4\x0C.
  • The exploit packet ends with the two-byte sequence \xEB\x80 or \xEB\x81 (short backward jump), which is a characteristic trailer of the registration request. Use this as a network signature anchor.
  • The hardcoded IAT/return addresses in the exploit are version-specific. The Metasploit module targets Veritas BE 9.1 SP0/SP1 and 8.5/8.6 only; using wrong target offsets will crash the service rather than achieve code execution.
  • The exploit requires only ~60 bytes of contiguous stack space for the first stage; the real shellcode is delivered in a second send. Detection must account for both packets, not just the initial registration request.
  • The C PoC (exploit-db 750) notes timing sensitivity: submitting the second-stage shellcode too quickly or too slowly relative to service processing can cause instability or missed execution.
  • The reverse-shell shellcode (scode1) embeds the target connect-back IP and port at fixed offsets (memcpy at payload[282] and payload[289]); ensure IP does not contain null bytes when using reverse mode.
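The detection notes above can be turned into a payload-level check plus a per-source two-stage correlation. The code below is an added example written for this page, not a rule shipped by any of the cited sources; it assumes the agent name field is everything after the 4-byte header (the page does not describe the field framing) and that each call sees one TCP payload sent to port 6101.

```python
"""Heuristic detector for CVE-2004-1172 registration-request traffic (added
example). Assumes the agent name field is everything after the 4-byte
header (field framing is not given) and each call sees one TCP payload."""
from dataclasses import dataclass, field

AGENT_BROWSER_PORT = 6101
REG_HEADER = b"\x02\x00\x32\x00"
STACK_PIVOT = b"\xC1\xEC\x0C\xC1\xE4\x0C"  # shr esp,0xc ; shl esp,0xc
TRAILERS = (b"\xEB\x80", b"\xEB\x81")     # short backward jump
MIN_OVERFLOW_LEN = 63                     # agent name length that overflows

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def inspect_payload(dst_port: int, payload: bytes) -> Verdict:
    """Score one payload against the registration-request indicators."""
    v = Verdict(False)
    if dst_port != AGENT_BROWSER_PORT or not payload.startswith(REG_HEADER):
        return v
    name_field = payload[len(REG_HEADER):]
    if len(name_field) >= MIN_OVERFLOW_LEN:
        v.reasons.append(f"agent name field is {len(name_field)} bytes")
    if STACK_PIVOT in payload:
        v.reasons.append("findsock stack-pivot sequence present")
    if payload.endswith(TRAILERS):
        v.reasons.append("short backward-jump trailer")
    v.suspicious = bool(v.reasons)
    return v

class TwoStageTracker:
    """Alert when a flagged registration request from a source is followed by
    another send to the port within `window` seconds (the second stage)."""

    def __init__(self, window: float = 2.0):
        self.window = window
        self._pending = {}  # src -> timestamp of the flagged first stage

    def observe(self, src: str, dst_port: int, ts: float, payload: bytes) -> bool:
        first = self._pending.get(src)
        if first is not None and dst_port == AGENT_BROWSER_PORT:
            if ts - first <= self.window:
                del self._pending[src]
                return True
            del self._pending[src]  # too late: forget the stale first stage
        if inspect_payload(dst_port, payload).suspicious:
            self._pending[src] = ts
        return False
```

Feed `observe()` with the source address, destination port, timestamp and payload of each TCP segment to port 6101; a `True` return is the point at which both stages have been seen from one host.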