CVE-2005-0555
published 2005-04-12


Priority: P3 · 44 · high
CVSS 2.0: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 58.36% (99.0th percentile)
Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | (not listed) | (not listed)
microsoft | internet_explorer | (not listed) | (not listed)
microsoft | internet_explorer | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

filename: rsaci.rat
port: 9999
command: FFD4 (CALL ESP)
process: msrating.dll
bytes: EB 03 5D EB 05 E8 F8 FF FF FF 8B C5 83 C0 11 33
  • Malicious Content Advisor .rat file contains a PICS-version header with an oversized 'name' field (~1500 bytes of padding/shellcode) — detect .rat files where the 'name' field exceeds normal length bounds.
  • Shellcode is placed at offset 500 within the name field buffer, preceded by a short JMP (\x90\xeb\xFF\x90) at offset 280 and a 4-byte return address at offset 284 — scan .rat files for NOP sleds followed by shellcode patterns in the name field.
  • Successful exploitation results in EIP overwritten with 0x41414141 (crash case) or a CALL ESP gadget in wininet.dll — monitor for access violations in msrating.dll with EIP pointing into the stack or at known wininet.dll gadget addresses.
  • Attack can be delivered via a malicious website or HTML email through Outlook/Outlook Express — monitor for .rat file downloads or email attachments with PICS-version content.
  • Exploitation requires user interaction — the victim must follow steps to install/open the malicious .rat file (double-click), limiting drive-by exploitation.
  • The provided return addresses (CALL ESP / JMP ESP gadgets in wininet.dll) are version- and SP-specific to Spanish Windows 2000 builds; offsets will differ on other locales/service packs and must be re-derived.