CVE-2004-1595
Published 2004-10-13
Buffer overflow in ShixxNote 6.net build 117 allows remote attackers to execute arbitrary code via a long font field.
Priority P3 · 45 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 59.32% (99.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shixxnote | shixxnote | — | — |
Detection & IOCs (extracted from sources)
Byte indicators:
- JMP EBX, comdlg32.dll, Win2k SP4 English: \x79\x3c\xb6\x76
- Payload bad characters: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40
- Bind shellcode (XOR 0x88, port 101): \xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4...
- ShixxNOTE listens on TCP port 2000 by default; exploit traffic targets this port with an oversized font-field payload containing '~~' delimiters and a tilde-padded trailer.
- The exploit payload ends with a run of '~' characters (tilde, 0x7E); detect anomalously large ShixxNOTE font-field messages containing repeated tilde sequences on TCP/2000.
- Successful exploitation with the public PoC binds a shell on TCP port 101 of the victim; monitor for unexpected inbound connections on port 101 following ShixxNOTE traffic.
- The public PoC uses a JMP EBX gadget at 0x763cb679 from comdlg32.dll (Win2k SP4 English); the presence of this return address in network traffic or memory is indicative of exploitation.
- The Metasploit module uses an SEH-based overwrite; the SEH handler is overwritten with address 0x10041951. Flag this value appearing in exception-handler chain records of ShixxNOTE processes.
- The vulnerability is triggered via the font field; inspect ShixxNOTE protocol messages for font-field values exceeding normal bounds (payload space is 650 bytes, total sploit buffer ~330+ bytes).
- The public PoC (port-101 bind shell) only works reliably on Windows 2000 SP4 English because of the hardcoded JMP EBX address in comdlg32.dll; it crashes other OS versions rather than executing shellcode.
- On Windows XP, EBX points to a NULL address at the time of the overflow, so the public PoC's JMP EBX technique does not function there; a different gadget or technique would be required on XP.
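As an added example (not taken from any of the sources indexed on this page), a small Python checker that applies the indicators above to constructed traffic records: oversized font-field messages on TCP/2000 carrying '~~' delimiters and a tilde-padded trailer, the two published return addresses, and a follow-on inbound connection on TCP/101 to the same host. The 330-byte size threshold, the 8-tilde run length and the Packet record are assumptions standing in for whatever your sensor exports.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory data on this page.
SHIXXNOTE_PORT = 2000                                  # default ShixxNOTE listener
BIND_SHELL_PORT = 101                                  # port the public PoC binds its shell to
JMP_EBX_WIN2K = b"\x79\x3c\xb6\x76"                    # 0x763cb679 little-endian (comdlg32.dll, Win2k SP4 EN)
SEH_HANDLER_MSF = (0x10041951).to_bytes(4, "little")   # SEH handler address used by the Metasploit module
TILDE_RUN = re.compile(rb"~{8,}")                      # assumption: 8+ tildes counts as a padded trailer
MAX_FONT_LEN = 330                                     # assumption: flag messages above the ~330-byte sploit buffer

@dataclass
class Packet:            # assumption: minimal stand-in for a sensor's per-packet record
    src: str
    dst: str
    dport: int
    payload: bytes

def inspect_packet(pkt):
    """Return the reasons this packet looks like CVE-2004-1595 exploitation (empty if none)."""
    reasons = []
    if pkt.dport != SHIXXNOTE_PORT:
        return reasons
    if len(pkt.payload) > MAX_FONT_LEN:
        reasons.append(f"oversized ShixxNOTE message ({len(pkt.payload)} bytes)")
    if b"~~" in pkt.payload and TILDE_RUN.search(pkt.payload):
        reasons.append("'~~' delimiter with tilde-padded trailer")
    if JMP_EBX_WIN2K in pkt.payload:
        reasons.append("Win2k SP4 JMP EBX return address 0x763cb679")
    if SEH_HANDLER_MSF in pkt.payload:
        reasons.append("Metasploit SEH handler address 0x10041951")
    return reasons

def correlate(packets):
    """Walk packets in capture order; flag hosts that get suspicious ShixxNOTE traffic
    and afterwards accept a connection on TCP/101 (the PoC's bind-shell port)."""
    suspects = {}
    for p in packets:
        if p.dport == SHIXXNOTE_PORT:
            found = inspect_packet(p)
            if found:
                suspects.setdefault(p.dst, []).extend(found)
        elif p.dport == BIND_SHELL_PORT and p.dst in suspects:
            suspects[p.dst].append(f"inbound TCP/101 connection from {p.src} after ShixxNOTE traffic")
    return suspects

# Constructed sample traffic (not a real capture): one benign note, one malicious message, one bind-shell connect.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 2000, b"font=Arial~~size=12"),
    Packet("10.0.0.7", "10.0.0.9", 2000, b"font=" + b"A" * 300 + JMP_EBX_WIN2K + b"~~" + b"~" * 64),
    Packet("10.0.0.7", "10.0.0.9", 101, b""),
]
```

Running `correlate(SAMPLE)` reports 10.0.0.9 with four findings, the last being the TCP/101 connection that followed the oversized message.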
No detection rules found.
Exploit-DB: ShixxNOTE 6.net - Font Field Overflow (Metasploit) (exploitdb, 2010-06-15)
---
```ruby
##
# $Id: shixxnote_font.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The lines between the class declaration and 'Name' (rank, mixins, the
  # start of initialize) were lost in extraction; only the standard
  # Metasploit 3 skeleton around the surviving metadata is restored here.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ShixxNOTE 6.net Font Field Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ShixxNOTE 6.net.
          The vulnerability is caused due to boundary errors in the
          handling of font fields.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9525 $',
      'References'     =>
        [
          ['CVE', '2004-1595'],
          ['OSVDB', '10721'],
          ['BID', '11409'],
        ],
      'DefaultOptions' =>
      # (the remainder of the module is not present on the page)
```
Exploit-DB: ShixxNOTE 6.net - Remote Buffer Overflow (exploitdb, 2004-10-22)
---
```c
/*
ShixxNote 6.net buffer overflow exploit v0.1
Public exploit overflows only Win2K systems, else crashes.
Exploit code by class101 [at] DFind.kd-team.com
Binds a shellcode to port 101.
Thanx to Luigi Auriemma (aluigi at altervista org) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
Why Win2k only?
After some days of debugging on it, I finally figured out how to exploit this
hole; this public overflow method works only on Win2k, using the
JMP EBX from comdlg32.dll from Win2k SP4 english.
Because on WinXP the register EBX points to a NULL address, this is not exploitable
even if you update the JMP EBX, not exploitable VIA THIS WAY on XP I mean OK!.
How did I do it then on Win2k?
I overwrote EIP with a JM
```
Metasploit: ShixxNOTE 6.net Font Field Overflow
This module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused due to boundary errors in the handling of font fields.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=109778648232233&w=2
- http://secunia.com/advisories/12822/
- http://www.securityfocus.com/bid/11409
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17705