CVE-2004-1317
Published: 2004-12-27
Priority: P352 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 60.41% (99.0th percentile)
Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | netcat | — | — |
Detection & IOCs (extracted from sources)
- The overflow is triggered only when netcat is invoked with the -e flag binding an executable to a port; detection should focus on nc.exe processes spawned with the -e command-line argument.
- The Metasploit exploit sends a 277-byte payload with bad characters \x00\x0a\x0d excluded; network signatures should look for oversized DNS-hostname strings (>277 bytes) sent to a port where nc.exe -e is listening.
- SEH overwrite occurs at offset 236 with a short JMP, and the return address (p/p/r gadget) is placed at offset 240; a 4-byte value of 0x0040a6ce at that offset in the incoming buffer is a strong exploit indicator.
- The shellcode uses MSVCRT.system() to execute a callback command shell; process-creation monitoring should alert on nc.exe spawning cmd.exe or other child processes.
- The JMP EBX gadget at 0x7c571c73 (kernel32.dll, Win2k SP4) and POP/POP/RET at 0x77c22cb1 (msvcrt.dll, WinXP) are used as SEH handler overwrites; memory/exception-handler integrity checks should flag these values in SEH chains of nc.exe.
- The JMP EBX return address (\x73\x1c\x57\x7c) is specific to kernel32.dll on Windows 2000 SP4 (Server and Pro, English); the POP/POP/RET address (\xb1\x2c\xc2\x77) targets msvcrt.dll on Windows XP SP1/SP1a/SP2 Pro English only. These gadget addresses will differ on other OS versions or locales.
- The Metasploit module uses a single universal return address (0x0040a6ce, p/p/r in nc.exe itself) tested on w2ksp0, w2ksp4, and xpsp2 English; this address is nc.exe-version-specific and may not apply to recompiled or patched builds.
- The exploit author warns against using IP addresses containing a zero octet (e.g., 127.0.0.1), as this breaks the payload due to null-byte constraints.
- Payload space is constrained to 236 bytes with a stack adjustment of -3500; shellcode or payloads exceeding this space or containing the bad chars \x00, \x0a, \x0d will fail.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 7.5 | LOW | — |
Debian
CVE-2004-1317: netcat [HIGH]
vendor_debian · 2004 · CVSS 7.5
Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command.
Scope: local
Release status:
- bookworm: resolved
- bullseye: resolved
- forky: resolved
- sid: resolved
- trixie: resolved
GHSA
GHSA-wppp-w39w-5fq5: Stack-based buffer overflow in doexec [HIGH]
ghsa_unreviewed · 2022-04-29
Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command.
No detection rules found.
Exploit-DB
Netcat 1.10 - NT Stack Buffer Overflow (Metasploit)
exploitdb · 2010-06-22 · CVE-2004-1317
---
##
# $Id: netcat110_nt.rb 9587 2010-06-22 23:57:05Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Netcat v1.10 NT Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending
an overly long string we are able to overwrite SEH. The vulnerability
exists when netcat is used to bind (-e) an executable to a port in doexec.c.
This module tested successfully using "c:\>nc -L -p 31337 -e ftp".
},
'Author' => 'patrick',
'Arc
Exploit-DB
Netcat 1.1 - '-e' Switch Remote Buffer Overflow
exploitdb · 2004-12-26 · CVE-2004-1317
---
/*
Netcat v1.1, "-e" Switch, Remote Buffer Overflow Exploit v0.1
Homepage..........: http://www.securityfocus.com/tools/139/scoreit
Affected versions.: v1.1
Fix...............: Actually none; Hobbit was warned 1 month+ ago and appears
not to act, so we let him spread a backdoor :)
Risk..............: Highly critical.
-Almost everything loaded as "nc ... -e ..." is vulnerable
-Educational tools such as uw-imapd (http://www.washington.edu/imap/) contain no port listener;
if loaded with netcat (i.e. nc -L -p 143 -t -e imapd.exe,
25 -t -e pop3d.exe, etc.) they are vulnerable.
This small example shows you the large impact of this hole.
-Tools built on netcat are, I guess, vulnerable, such as netcat with
authentication or other
Metasploit
Netcat v1.10 NT Stack Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending an overly long string we are able to overwrite SEH. The vulnerability exists when netcat is used to bind (-e) an executable to a port in doexec.c. This module tested successfully using "c:\>nc -L -p 31337 -e ftp".
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=110425875504586&w=2
- http://marc.info/?l=bugtraq&m=110426936423890&w=2
- http://marc.info/?l=bugtraq&m=110429204712327&w=2
- http://www.hat-squad.com/en/000142.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18681