CVE-2004-1373
published 2004-12-23

CVE-2004-1373: Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format…

Priority: P346, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 70.07% (99.3th percentile)
Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file.

Affected (1 range)

Vendor | Product | Version range | Fixed in
nullsoft | shoutcast_server | |

Detection & IOCs (extracted from sources)

url: GET /content/%%#0%ux
url: GET /content/%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
url: GET /content/AA\x3c\x49\x06\x08...<shellcode>.mp3 HTTP/1.0
path: /content/
port: 8000
port: 7000
port: 1180
command: GET /content/%#0<num>x<payload>.mp3 HTTP/1.0
  • Detect HTTP GET requests to /content/ paths containing format string specifiers (e.g., %x, %n, %#0) in the filename, particularly in .mp3 file requests.
  • Alert on HTTP requests to SHOUTcast (default port 8000) where the URI path under /content/ contains %x, %n, or %#0 format string tokens followed by a .mp3 extension.
  • Two-stage exploitation pattern: first request seeds shellcode in a .mp3 filename path; second request uses chained %x/%n format specifiers to trigger the overflow. Detect two rapid sequential GET /content/ requests from the same source IP.
  • Monitor for outbound connections from the SHOUTcast server process to attacker-controlled ports (1180 for Windows exploit, 7000 for Linux exploit) following receipt of a malformed /content/ request, indicating successful shellcode execution.
  • Bad characters for payload delivery include null bytes and HTTP special characters; payloads will avoid: \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c. Signatures should account for encoded shellcode in the URI.
  • Check SHOUTcast server version banner for 'v1.9.4' combined with 'win32' platform string in HTTP responses to identify vulnerable targets.
  • The Windows exploit targets specific msvcrt.dll addresses for XP SP1 and W2K SP4; other service pack levels require different return addresses.
  • The Metasploit module uses ws2help.dll and PEB return addresses per target OS; Windows 2003 Server uses a PEB return address (0x7ffc0638) rather than a DLL address.
  • The Linux exploit notes that %number$x and %number$n format string variants are filtered by SHOUTcast, requiring use of sequential non-positional %x/%n specifiers instead.
  • Payload space is constrained to 250 bytes in the Metasploit module due to the format string buffer construction (1046 - payload length = padding width).
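
A small log filter for the first three detection points above, as an added example that is not taken from this page's sources. The log line layout (epoch seconds, source IP, request line), the 10-second pairing window and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# printf-style conversion: '%', optional flags/width/precision/length, conversion letter.
FMT_SPEC = re.compile(r"%[#0\-+]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXnsp]")
# A '%' that is not followed by two hex digits is not valid percent-encoding.
BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")
PAIR_WINDOW = 10  # seconds between the two requests; assumed threshold

def suspicious_path(path):
    """True if a /content/ filename carries raw or percent-encoded format specifiers."""
    if not path.startswith("/content/"):
        return False
    name = path[len("/content/"):]
    # Raw '%x' fails URL-encoding rules; '%25x' only shows up after one decode.
    # A legitimate name containing an encoded '%' can match too, so triage hits.
    return bool(BAD_PCT.search(name) or FMT_SPEC.search(unquote(name)))

def scan(lines):
    """Return (src, ts, reason) alerts for lines shaped 'epoch src METHOD path proto'."""
    alerts, last_seen = [], {}
    for line in lines:
        ts, src, method, path, _proto = line.split(" ", 4)
        if method != "GET" or not path.startswith("/content/"):
            continue
        ts = int(ts)
        if suspicious_path(path):
            alerts.append((src, ts, "format-specifier"))
            prev = last_seen.get(src)
            # Two-stage pattern: an earlier /content/ request from the same source.
            if prev is not None and ts - prev <= PAIR_WINDOW:
                alerts.append((src, ts, "two-stage-pair"))
        last_seen[src] = ts
    return alerts

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    "1103800000 192.0.2.10 GET /content/My%20Song.mp3 HTTP/1.0",
    "1103800100 198.51.100.7 GET /content/AAAA.mp3 HTTP/1.0",
    "1103800102 198.51.100.7 GET /content/%x%x%x%x.mp3 HTTP/1.0",
    "1103800200 203.0.113.5 GET /content/%25n.mp3 HTTP/1.0",
    "1103800300 192.0.2.10 GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The filter does not require a .mp3 extension, so it also flags specifier-bearing names with other suffixes under /content/.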