cbcvebase.
CVE-2004-2271
published 2004-12-31

CVE-2004-2271: Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

Priority: P2 (60), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 71.91% (99.3rd percentile)

Affected

1 range

Vendor      Product               Version range   Fixed in
minishare   minimal_http_server   <= 1.4.1

Detection & IOCs (extracted from sources)

version: MiniShare 1.4.1
command: GET <1787-byte padding><RET><NOP sled><shellcode> HTTP/1.1
  • Exploit sends an oversized HTTP GET (or HEAD/POST) request of ~2220 bytes to port 80; the URI portion is padded with 1787 bytes of 'A' (0x41) followed by a 4-byte JMP ESP address — detect abnormally large HTTP request lines to MiniShare.
  • HEAD and POST methods are equally exploitable with the same 1787-byte padding offset; monitor for oversized HEAD/POST requests as well as GET.
  • Payload bad characters for this exploit are null byte, colon, ampersand, question mark, percent, hash, space, LF, CR, forward-slash, plus, vertical-tab, backslash, and at-sign — shellcode in the wild will avoid these bytes.
  • The exploit opens a bind shell on port 101 (exploit-db/616) or a reverse shell on port 4444 (exploit-db/636) after successful exploitation; monitor for unexpected outbound/inbound connections on these ports from the MiniShare process.
  • The exploit uses a plain stack buffer overflow requiring a 'jmp esp' or 'push esp; ret' gadget at offset 1787 in the HTTP request URI; a Snort/IDS rule should flag HTTP requests whose URI length exceeds 1800 bytes directed at MiniShare (default port 80).
  • Only 210 bytes are available for shellcode after the overflow, and the known bad chars are 0x00 and 0x0d; encoded/XOR'd shellcode (e.g., XOR key 0x88) should be expected in traffic.
  • Versions 1.3.4 and below are NOT vulnerable; focus detection on MiniShare versions 1.3.5 through 1.4.1.
  • JMP ESP addresses are OS/SP-specific; the Metasploit module lists nine distinct return addresses across Windows 2000, XP, 2003, and NT targets, so a single static RET address will only work against one platform.
  • The exploit may require timing adjustments (Sleep() calls) to succeed; a wrong offset or timing will crash MiniShare without code execution.
  • The Metasploit payload space is only 1024 bytes with a required minimum of 64 NOPs and a stack adjustment of -3500; larger payloads will not fit.
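The request-shape check the bullets above describe (GET/HEAD/POST with a request-target longer than 1800 bytes, mostly one repeated padding byte), as an added detection example that is not code from the CVE record, from MiniShare, or from any IDS; the 1800-byte limit comes from the record, while the 1024-byte padding-run threshold and the sample requests are constructed assumptions.

```python
# Added example, not code from the CVE record or from MiniShare: flags HTTP
# requests whose request-target exceeds 1800 bytes (threshold from the record)
# or is dominated by one repeated padding byte (1024-byte run threshold is an
# assumption chosen to sit below the 1787-byte padding offset).

URI_LEN_THRESHOLD = 1800
PADDING_RUN_THRESHOLD = 1024


def longest_byte_run(data: bytes) -> tuple[int, int]:
    """Return (length, value) of the longest run of one repeated byte."""
    best_len = best_val = cur_len = 0
    cur_val = -1
    for b in data:
        cur_len = cur_len + 1 if b == cur_val else 1
        cur_val = b
        if cur_len > best_len:
            best_len, best_val = cur_len, cur_val
    return best_len, best_val


def inspect_request(raw: bytes) -> dict:
    """Inspect the request line of a raw HTTP request and report overflow indicators."""
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first_line.split(b" ", 2)          # method, request-target, version
    method = parts[0].decode("ascii", "replace")
    uri = parts[1] if len(parts) >= 2 else b""  # no space: no request-target at all
    run_len, run_val = longest_byte_run(uri)
    reasons = []
    if len(uri) > URI_LEN_THRESHOLD:
        reasons.append(f"request-target is {len(uri)} bytes (> {URI_LEN_THRESHOLD})")
    if run_len >= PADDING_RUN_THRESHOLD:
        reasons.append(f"{run_len}-byte run of 0x{run_val:02x} in request-target")
    return {"method": method, "uri_len": len(uri), "longest_run": run_len,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample traffic: a normal request and a padding-only oversized one
# (no return address or payload; the padding alone is what the rule keys on).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n"
OVERSIZED = b"GET " + b"A" * 1900 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, OVERSIZED):
        print(inspect_request(sample))
```

Because the check reads only the request line, the same function applies unchanged to HEAD and POST, which the record notes are exploitable at the same offset.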