CVE-2004-1561
published 2004-12-31

CVE-2004-1561: Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

Priority P264 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 78.27% (99.5th percentile)

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icecast2 | < icecast2 2.0.2.debian-1 (bookworm) | icecast2 2.0.2.debian-1 (bookworm) |
| icecast | icecast | | |
| icecast | icecast | | |

Detection & IOCs (extracted from sources)

port: 8000
command: GET / HTTP/1.0 + 31x 'a\r\n' headers + \xcc (32 headers total)
bytes: \xeb\x0c / HTTP/1.1 <payload>\r\n + 'Accept: text/html\r\n' * 31 + \xff\x64\x24\x04\r\n
bytes: \xeb\x0c (jmp 12) followed by \xff\x64\x24\x04 (jmp [esp+4])
  • Trigger condition is exactly 32 HTTP headers in a single request; the 32nd header overwrites the saved instruction pointer (one past end of pointer array).
  • Exploit payload bad characters are \x0d, \x0a, and \x00 (CR, LF, NULL) — these bytes cannot appear in the HTTP header payload; detection signatures should account for alphanumeric-encoded shellcode.
  • The exploit uses ExitThread() rather than ExitProcess(); a successfully exploited Icecast process will show a permanently elevated thread counter (threadpool never decremented) — monitor for threadpool exhaustion on port 8000.
  • The Metasploit module uses EXITFUNC=thread; look for shellcode with a stack adjustment of -3500 bytes (\x81\xec) as a payload artifact in HTTP request bodies to port 8000.
  • Exploit targets Icecast versions 2.0.1 and earlier on Windows x86; Linux builds are generally not exploitable due to stack layout differences.
  • The vulnerability is only reliably exploitable on Win32 builds of Icecast 2.0.1 and earlier; Linux builds are not considered exploitable due to differing compiler stack layouts.
  • Multi-hitting the exploit is possible but will progressively exhaust the Icecast threadpool; each successful payload exit permanently increments the thread counter.
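
The trigger condition above (32 header lines in one request) can be checked on captured request bytes before they reach Icecast. The following is an added example, not code from this page's sources; the function and constant names are hypothetical and the sample requests are constructed.

```python
# Added example: header-count check for the CVE-2004-1561 trigger condition.
# flag_request and HEADER_LIMIT are hypothetical names; samples are constructed.

HEADER_LIMIT = 32  # from the page: the 32nd header overwrites the saved instruction pointer


def flag_request(raw: bytes) -> dict:
    """Inspect the head of one raw HTTP request captured on the Icecast port.

    Every line after the request line is counted, with or without a colon:
    the request shape listed on the page uses bare 'a' lines, so a parser
    that drops malformed headers would undercount. Bare-LF line endings
    are tolerated for the same reason.
    """
    lines = [line.rstrip(b"\r") for line in raw.split(b"\n")]
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the request head
            break
        headers.append(line)

    # Secondary signal only: the page notes payloads may be alphanumeric-
    # encoded, so printable-only requests must still alert on the count.
    inspected = [lines[0]] + headers
    non_text = any(
        (b < 0x20 and b != 0x09) or b > 0x7E for line in inspected for b in line
    )
    return {
        "headers": len(headers),
        "alert": len(headers) >= HEADER_LIMIT,
        "non_text_bytes": non_text,
    }


# Constructed samples: an ordinary listener request and two padded requests
# on either side of the limit. None of them carries a payload.
NORMAL = b"GET /stream HTTP/1.0\r\nHost: radio.example\r\nUser-Agent: player\r\n\r\n"
BELOW = b"GET / HTTP/1.0\r\n" + b"X-Pad: 1\r\n" * 31 + b"\r\n"
AT_LIMIT = b"GET / HTTP/1.0\r\n" + b"X-Pad: 1\r\n" * 32 + b"\r\n"

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("below", BELOW), ("at_limit", AT_LIMIT)):
        print(name, flag_request(req))
```

Legitimate clients rarely send anywhere near 32 headers to a streaming server, so the count alone is a usable alert; the non-text flag only helps with triage.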

CVSS provenance

nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 · HIGH
vendor_debian · 7.5 · HIGH