CVE-2004-1595
published 2004-10-13

CVE-2004-1595: Buffer overflow in ShixxNote 6.net build 117 allows remote attackers to execute arbitrary code via a long font field.

Priority: P3 45 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 59.32% (99.0th percentile)

Affected (1 range)

Vendor: shixxnote · Product: shixxnote · Version range: not given · Fixed in: not given

Detection & IOCs (extracted from sources)

  • port: 2000
  • port: 101
  • other: SEH overwrite return address: 0x10041951
  • bytes: JMP EBX - comdlg32.dll - Win2k SP4 English: \x79\x3c\xb6\x76
  • bytes: Payload bad characters: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40
  • bytes: Bind shellcode (XOR 0x88, port 101): \xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4...
  • ShixxNOTE listens on TCP port 2000 by default; exploit traffic targets this port with an oversized font field payload containing '~~' delimiters and a tilde-padded trailer.
  • Exploit payload ends with a run of '~' characters (tilde, 0x7E); detect anomalously large ShixxNOTE font-field messages containing repeated tilde sequences on TCP/2000.
  • Successful exploitation of the public PoC binds a shell on TCP port 101 of the victim; monitor for unexpected inbound connections on port 101 following ShixxNOTE traffic.
  • The public PoC exploit uses a JMP EBX gadget in comdlg32.dll (Win2k SP4 English) at 0x76b63c79, which appears on the wire as the little-endian byte sequence \x79\x3c\xb6\x76; this sequence in ShixxNOTE traffic, or the address in a crashed ShixxNOTE process, is indicative of exploitation.
  • The Metasploit module uses a SEH-based overwrite; the SEH handler is overwritten with address 0x10041951 — flag this value appearing in exception handler chain records on ShixxNOTE processes.
  • The vulnerability is triggered via the font field; inspect ShixxNOTE protocol messages for font field values exceeding normal bounds. The Metasploit module allows up to 650 bytes of payload, and the public PoC's overflow buffer is roughly 330 bytes or more, so any font field of that size is suspect.
  • The public PoC exploit (port-101 bind shell) only works reliably on Windows 2000 SP4 English because of the hardcoded JMP EBX address in comdlg32.dll; on other OS versions it crashes the process rather than executing shellcode.
  • On Windows XP, EBX is NULL at the time of the overflow, so the public PoC's JMP EBX technique cannot work there; a different gadget or technique would be required for XP exploitation.
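The following is an added example, not code from this page, the public PoC or the Metasploit module. It turns the IOCs listed above into checks a defender can run: a per-message heuristic for TCP/2000 payloads (oversized '~~'-delimited field, tilde-padded trailer, the JMP EBX and SEH return-address bytes, the XOR-0x88 decoder stub), a bad-character check against the listed set, the XOR-0x88 decode loop the stub implements (its cmp dword ptr [eax], 0x6B636168 compares against ASCII "hack"), and a flow correlation for port-101 bind-shell connections following ShixxNOTE traffic. The ShixxNOTE wire format beyond the '~~' delimiters and tilde trailer, the 256-byte field threshold and the 60-second correlation window are assumptions; all sample messages and flow records are constructed here.

```python
"""Added example (not from the page, the PoC or the Metasploit module):
detection and payload checks for CVE-2004-1595 built from the listed IOCs.
Field separator '~~', tilde trailer and the thresholds below are assumptions;
the sample messages and flow records are constructed for illustration."""
import re
import struct

SHIXXNOTE_PORT = 2000
BIND_SHELL_PORT = 101
FONT_FIELD_LIMIT = 256          # assumed threshold; tune to real ShixxNOTE traffic

# IOCs quoted on the page
SEH_RET = 0x10041951            # Metasploit SEH overwrite address
JMP_EBX_BYTES = b"\x79\x3c\xb6\x76"   # comdlg32.dll Win2k SP4 English, as sent on the wire
BAD_CHARS = bytes.fromhex("00090a0d20222526272b2f3a3c3e3f40")
DECODER_STUB = bytes.fromhex("EB0F588030884081386861636B75F4")  # PoC XOR-0x88 decoder prologue
XOR_KEY = 0x88
END_MARKER = b"hack"            # cmp dword ptr [eax], 0x6B636168 == "hack" little-endian


def le32(raw: bytes) -> int:
    """Interpret four payload bytes as the little-endian address they encode."""
    return struct.unpack("<I", raw)[0]


def find_bad_chars(buf: bytes) -> list:
    """Bytes of buf that collide with the listed bad-character set."""
    return sorted({b for b in buf if b in BAD_CHARS})


def encode_xor88(plain: bytes) -> bytes:
    """Encode a body the way the PoC decoder expects: XOR 0x88, then the 'hack' marker."""
    return bytes(b ^ XOR_KEY for b in plain) + END_MARKER


def decode_xor88(encoded: bytes) -> bytes:
    """Emulate the decoder loop: XOR each byte until the raw dword at EAX equals 'hack'."""
    out = bytearray()
    for i in range(len(encoded)):
        if encoded[i:i + 4] == END_MARKER:
            return bytes(out)
        out.append(encoded[i] ^ XOR_KEY)
    raise ValueError("end marker not found")


def inspect_message(dst_port: int, data: bytes) -> list:
    """Heuristics for one TCP payload sent to a ShixxNOTE listener; returns the reasons it fired."""
    reasons = []
    if dst_port != SHIXXNOTE_PORT:
        return reasons
    longest = max(len(f) for f in data.split(b"~~"))
    if longest > FONT_FIELD_LIMIT:
        reasons.append("oversized field (%d bytes)" % longest)
    if re.search(rb"~{8,}$", data):
        reasons.append("tilde-padded trailer")
    if struct.pack("<I", SEH_RET) in data:
        reasons.append("SEH overwrite address 0x%08x" % SEH_RET)
    if JMP_EBX_BYTES in data:
        reasons.append("JMP EBX address 0x%08x" % le32(JMP_EBX_BYTES))
    if DECODER_STUB in data:
        reasons.append("XOR-0x88 decoder stub")
    return reasons


def bind_shell_followups(conns, window=60):
    """Flag an inbound connection to port 101 on a host that just received ShixxNOTE traffic.
    conns: iterable of (timestamp, src, dst, dst_port) flow records."""
    hit_hosts = {}
    alerts = []
    for ts, src, dst, port in sorted(conns):
        if port == SHIXXNOTE_PORT:
            hit_hosts[dst] = ts
        elif port == BIND_SHELL_PORT and dst in hit_hosts and ts - hit_hosts[dst] <= window:
            alerts.append((dst, src, ts))
    return alerts


# Constructed samples, not real captures. In the real PoC the jump/call glue that the
# page elides ("...") sits between the decoder stub and the encoded body.
BENIGN = b"Hello~~Arial~~12"
EXPLOIT = (b"x~~" + b"A" * 300 + JMP_EBX_BYTES + DECODER_STUB
           + encode_xor88(b"demo payload") + b"~" * 32)
FLOWS = [(100, "10.0.0.9", "10.0.0.5", 2000), (104, "10.0.0.9", "10.0.0.5", 101),
         (500, "10.0.0.7", "10.0.0.6", 101)]

if __name__ == "__main__":
    print(inspect_message(2000, EXPLOIT))
    print(find_bad_chars(DECODER_STUB), find_bad_chars(JMP_EBX_BYTES))
    print(bind_shell_followups(FLOWS))
```

Two things the checks make visible: the PoC's decoder stub contains \x40 and its return address contains \x3c, both of which sit in the bad-character set listed for the Metasploit module, whereas the module's own SEH address 0x10041951 encodes to \x51\x19\x04\x10 and contains none of them, which is consistent with the two exploits using different return addresses. The flow correlation is deliberately simple; in production, key it on the victim host and the source that sent the TCP/2000 traffic.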