CVE-2004-2221
Published 2004-12-31
CVE-2004-2221: Buffer overflow in SoftCart.exe in Mercantec SoftCart 4.00b allows remote attackers to execute arbitrary code via a long parameter in an HTTP GET request.
Priority: high (P349)
CVSS 2.0: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code available (see Exploit-DB and Metasploit entries below)
EPSS: 34.76% (98.2nd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mercantec | softcart | — | — |
Detection & IOCs (extracted from sources)
Bytes: 4d41412b736373746f726542 ("MAA+scstoreB", the fixed exploit buffer prefix)
- Detect HTTP GET requests to /cgi-bin/SoftCart.exe with an abnormally long query string (>512 bytes); an oversized parameter value is how the overflow buffer is delivered.
- Look for the literal string 'MAA+scstoreB' in the query string of GET requests to SoftCart.exe; this fixed buffer prefix is used by both known Metasploit modules.
- Look for the literal string 'MSF!' in the query string of requests to SoftCart.exe; the exploit payload uses it as a return-address marker.
- Fingerprint the target by checking HTTP response bodies for the pattern /Copyright.*Mercantec/; the Metasploit module runs this check to confirm a valid target before exploiting.
- Repeated GET requests to SoftCart.exe from one client with varying query strings are characteristic of the return-address brute force (range 0xefbf3000 to 0xefbffffc on BSDi/4.3); alert on that pattern.
Caveats:
- The public exploit targets BSDi/4.3 only; the brute-force return-address range and the payload prepend stub are platform-specific and will not work against other operating systems. Key detections on the request shape (path, query length, fixed prefix) rather than on the BSDi-specific addresses.
- Payload space is limited to 1000 bytes and a number of bad characters must be avoided, which constrains shellcode choice; payloads containing those bytes are filtered by the CGI before they reach the overflowed buffer.
- The vulnerability is described as 'undisclosed': the public module names no specific CGI parameter, and only the fixed 'MAA+scstoreB' prefix followed by an oversized value is documented. Detections should therefore key on query length and that prefix rather than on a parameter name.
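The following is an added example, not part of this record or of the Metasploit module: a small detector that applies the indicators listed above to constructed access-log lines, plus the response-body fingerprint check. It assumes Apache/nginx combined log format and an illustrative threshold of three flagged requests from one client for the brute-force pattern; the path match is generalized to any path ending in SoftCart.exe rather than only /cgi-bin/SoftCart.exe.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators taken from the record above.
TARGET_SUFFIX = "/softcart.exe"            # request path, compared case-insensitively
PREFIX = bytes.fromhex("4d41412b736373746f726542").decode("ascii")  # "MAA+scstoreB"
RET_MARKER = "MSF!"
QUERY_THRESHOLD = 512                      # bytes of raw query string
FINGERPRINT_RE = re.compile(r"Copyright.*Mercantec", re.S)

# Assumptions for this example (not from the record): combined log format, and
# three or more flagged requests from one client count as the return-address
# brute force.
BRUTEFORCE_MIN_REQUESTS = 3
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}'
)


def analyze_request(target):
    """Return the indicators matched by one request target ("/path?query")."""
    path, _, query = target.partition("?")
    if not path.lower().endswith(TARGET_SUFFIX):
        return []
    decoded = unquote(query)               # decodes %2B etc. but keeps a literal '+'
    hits = []
    if len(query) > QUERY_THRESHOLD:
        hits.append("long_query")
    if PREFIX in decoded:
        hits.append("buffer_prefix")
    if RET_MARKER in decoded:
        hits.append("ret_marker")
    return hits


def scan_log(lines):
    """Return (alerts, bruteforce_clients) for an iterable of access-log lines."""
    alerts = []
    flagged_per_client = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hits = analyze_request(m.group("target"))
        if hits:
            alerts.append((m.group("ip"), hits))
            flagged_per_client[m.group("ip")] += 1
    bruteforce = sorted(ip for ip, n in flagged_per_client.items()
                        if n >= BRUTEFORCE_MIN_REQUESTS)
    return alerts, bruteforce


def is_softcart_target(body):
    """The response-body fingerprint the module checks before exploiting."""
    return bool(FINGERPRINT_RE.search(body))


def _line(ip, target):
    return f'{ip} - - [19/Aug/2004:10:00:00 +0000] "GET {target} HTTP/1.0" 200 512'


# Constructed sample log: one benign request, one long but unrelated request,
# and three exploit-shaped attempts from one client with varying return addresses.
SAMPLE_LOG = [
    _line("10.0.0.5", "/cgi-bin/SoftCart.exe?scstore=catalog&item=42"),
    _line("10.0.0.6", "/cgi-bin/other.cgi?q=" + "A" * 700),
] + [
    _line("203.0.113.7",
          "/cgi-bin/SoftCart.exe?MAA%2BscstoreB" + "A" * 600 + "MSF!" + ret)
    for ret in ("efbf3000", "efbf3100", "efbf3200")
]

if __name__ == "__main__":
    alerts, brute = scan_log(SAMPLE_LOG)
    for ip, hits in alerts:
        print(ip, ",".join(hits))
    print("brute-force clients:", brute)
```

Percent-decoding the query before matching matters: the prefix contains a '+', which an attacker can send as %2B, and a detection that matches only the raw bytes would miss it.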
No detection rules found.
Exploit-DB
Mercantec SoftCart - CGI Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2004-2221
---
##
# $Id: mercantec_softcart.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Class header restored from the standard Metasploit 3 module layout; the
# original extraction dropped everything between "Metasploit3" and the name.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mercantec SoftCart CGI Overflow',
      'Description' => %q{
        This is an exploit for an undisclosed buffer overflow
        in the SoftCart.exe CGI as shipped with Mercantec's shopping
        cart software. It is possible to execute arbitrary code
        by passing a malformed CGI parameter in an HTTP GET
        request. This issue is known to affect SoftCart version
        4.00b.
      },
      'Author'      => [ 'skape', 'trew' ],
'
Exploit-DB
Mercantec SoftCart 4.00b - CGI Overflow (Metasploit)
exploitdb · 2004-08-19 · CVE-2004-2221
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Class header restored from the standard Metasploit 3 module layout; the
# original extraction dropped everything between "Metasploit3" and the name.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mercantec SoftCart CGI Overflow',
      'Description' => %q{
        This is an exploit for an undisclosed buffer overflow
        in the SoftCart.exe CGI as shipped with Mercantec's shopping
        cart software. It is possible to execute arbitrary code
        by passing a malformed CGI parameter in an HTTP GET
        request. This issue is known to affect SoftCart version
        4.00b.
      },
      'Author'      => [ 'skape', 'trew' ],
      'Version'     => '$Revision$',
      'References'  =>
        [
          [ 'CVE'
Metasploit
Mercantec SoftCart CGI Overflow
This is an exploit for an undisclosed buffer overflow in the SoftCart.exe CGI as shipped with Mercantec's shopping cart software. It is possible to execute arbitrary code by passing a malformed CGI parameter in an HTTP GET request. This issue is known to affect SoftCart version 4.00b.
No writeups or analysis indexed.
References
http://metasploit.com/projects/Framework/modules/exploits/mercantec_softcart.pm
http://www.osvdb.org/9011
http://www.securityfocus.com/bid/10926
https://exchange.xforce.ibmcloud.com/vulnerabilities/17008