cbcvebase.
CVE-2004-2416
published 2004-12-31

CVE-2004-2416: Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request.

PriorityP355high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
60.59%
99.0th percentile
Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request.

Affected

2 ranges
VendorProductVersion rangeFixed in
youngzsoftccproxy<= 6.2
youngzsoftccproxy

Detection & IOCsextracted from sources · hover to see the quote

commandping <overly long address> (CCProxy Telnet proxy ping command overflow)
bytes
0x7ffa54cd (return address used in exploit buffer)
bytes
GET / <0x42 * N><shellcode><0xCD 0x54 0xFA 0x7F> HTTP/1.0\r\n\r\n (exploit HTTP request structure, total ~4065 bytes before HTTP trailer)
bytes
XOR-encoded shellcode stub: eb 0e 5b 4b 33 c9 b1 fe 80 34 0b ee e2 fa eb 05 e8 ed ff ff ff (decoder prefix)
  • Alert on HTTP GET requests to CCProxy (default port 808) where the request line length approaches or exceeds ~4065 bytes, indicative of the log stack-overflow exploit payload.
  • Detect the exploit's characteristic buffer layout: 'GET /' followed by a long run of 0x42 bytes ('B') padding up to offset ~4065, then shellcode, then the return address 0x7FFA54CD.
  • Detect the XOR-0xEE decoder stub in the HTTP request body as a byte signature: EB 0E 5B 4B 33 C9 B1 FE 80 34 0B EE E2 FA EB 05 E8 ED FF FF FF.
  • Monitor CCProxy Telnet service (default port 23/8023) for oversized 'ping' command arguments; a legitimate ping target address should be short, so flag any ping argument exceeding a few hundred bytes.
  • The exploit appends the HTTP/1.0 trailer bytes 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A after the overflow payload; presence of this sequence deep inside an oversized HTTP request is suspicious.
  • ·The exploit targets CCProxy versions up to and including 6.2; the return address 0x7FFA54CD is a well-known Windows universal JMP ESP address and may vary across OS patch levels, limiting reliability of that specific byte signature on patched systems.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.