CVE-2004-1317
published 2004-12-27

Priority: P3, 52, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 60.41% (99.0th percentile)
Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command.

Affected (1 range)

Vendor: debian
Product: netcat
Version range / Fixed in: not listed

Detection & IOCs (extracted from sources)

  • The overflow is triggered only when netcat is invoked with the -e flag binding an executable to a port; detection should focus on nc.exe processes spawned with the -e command-line argument.
  • The Metasploit exploit sends a 277-byte payload with bad characters \x00\x0a\x0d excluded; network signatures should look for oversized DNS-hostname strings (>277 bytes) sent to a port where nc.exe -e is listening.
  • SEH overwrite occurs at offset 236 with a short JMP, and the return address (p/p/r gadget) is placed at offset 240; a 4-byte value of 0x0040a6ce at that offset in the incoming buffer is a strong exploit indicator.
  • The shellcode uses MSVCRT.system() to execute a callback command shell; process-creation monitoring should alert on nc.exe spawning cmd.exe or other child processes.
  • The JMP EBX gadget at 0x7c571c73 (kernel32.dll, Win2k SP4) and POP/POP/RET at 0x77c22cb1 (msvcrt.dll, WinXP) are used as SEH handler overwrites; memory/exception-handler integrity checks should flag these values in SEH chains of nc.exe.
  • The JMP EBX return address (\x73\x1c\x57\x7c) is specific to kernel32.dll on Windows 2000 SP4 (Server and Pro, English); the POP/POP/RET address (\xb1\x2c\xc2\x77) targets msvcrt.dll on Windows XP SP1/SP1a/SP2 Pro English only — these gadget addresses will differ on other OS versions or locales.
  • The Metasploit module uses a single universal return address (0x0040a6ce, p/p/r in nc.exe itself) tested on w2ksp0, w2ksp4, and xpsp2 English; this address is nc.exe-version-specific and may not apply to recompiled or patched builds.
  • The exploit author warns against using IP addresses containing a zero octet (e.g., 127.0.0.1), as this breaks the payload due to null-byte constraints.
  • Payload space is constrained to 236 bytes with a stack adjustment of -3500; shellcode or payloads exceeding this space or containing the bad chars \x00, \x0a, \x0d will fail.

CVSS provenance

nvd: CVSS v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian: 7.5, LOW