CVE-2004-2221
published 2004-12-31

CVE-2004-2221: Buffer overflow in SoftCart.exe in Mercantec SoftCart 4.00b allows remote attackers to execute arbitrary code via a long parameter in an HTTP GET request.

Priority: P3 49 (high)
CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 34.76% (98.2th percentile)

Affected

1 range
Vendor: mercantec
Product: softcart
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /cgi-bin/SoftCart.exe
filename: SoftCart.exe
bytes: 4d41412b7363 73746f726542 ("MAA+scstoreB", the fixed exploit buffer prefix)
  • Detect HTTP GET requests to /cgi-bin/SoftCart.exe with an abnormally long query string (>512 bytes); an oversized GET parameter is how the overflow buffer is delivered.
  • Look for the literal string 'MAA+scstoreB' in HTTP GET query strings targeting SoftCart.exe — this is the fixed exploit buffer prefix used in both known Metasploit modules.
  • Look for the literal string 'MSF!' embedded within the query string of requests to SoftCart.exe; it is used as a return-address marker in the exploit payload.
  • Fingerprint the target by checking HTTP response bodies for the pattern /Copyright.*Mercantec/ — the Metasploit module uses this to confirm a valid target before exploitation, so the same pattern identifies exposed instances in your own environment.
  • Brute-forcing the return address range 0xefbf3000–0xefbffffc on BSDi/4.3 is characteristic of this exploit; alert on repeated GET requests to SoftCart.exe with varying query strings that fit this pattern.
  • The exploit targets BSDi/4.3 exclusively; the brute-force return address range and payload prepend stub are platform-specific and will not work on other operating systems.
  • Payload space is limited to 1000 bytes and numerous bad characters are excluded, which constrains shellcode options; payloads containing these bytes will be filtered by the CGI.
  • The vulnerability is described as 'undisclosed' — no specific CGI parameter name is identified, meaning the overflow can be triggered via any sufficiently long parameter value in the GET request. Detection should therefore key on total query-string length and the marker strings above rather than on a particular parameter name.