CVE-2005-0595
published 2005-05-02

CVE-2005-0595: Buffer overflow in ext.dll in BadBlue 2.55 allows remote attackers to execute arbitrary code via a long mfcisapicommand parameter.

Priority: P352 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 60.08% (99.0th percentile)

Affected (1 range)

Vendor: working_resources_inc
Product: badblue
Version range:
Fixed in:

Detection & IOCs (extracted from sources)

path: /ext.dll?mfcisapicommand=
filename: ext.dll
other: 0x1003d9da
other: 0x10025305
other: 0x100255B0
  • Detect exploitation attempts by matching HTTP GET requests to /ext.dll that carry an excessively long mfcisapicommand parameter (>492 bytes triggers the SEH overwrite).
  • Flag HTTP requests to /ext.dll where the mfcisapicommand query string value exceeds ~490 bytes, because the SEH overwrite occurs at offset 492.
  • The exploit payload is built to avoid known bad characters that BadBlue filters; the absence of these bytes in a large mfcisapicommand value is characteristic of crafted exploit traffic.
  • The Metasploit module return address (0x1003d9da) is specific to BadBlue 2.5 Universal; the standalone C exploit uses different ext.dll offsets (0x10025305 for Win2k, 0x100255B0 for WinXP/Win2003), so target selection must match the victim OS.
  • The patched version is BadBlue 2.61; versions 2.60 and below were not fully tested by the exploit author but are assumed vulnerable.
  • Six bad characters (0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C) are badly interpreted by BadBlue and must be avoided in shellcode; detection signatures should account for encoded/XOR-obfuscated payloads.
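
The length check described in the detection notes above can be run over web server logs. The following is an added example, not code from this page or its sources. It assumes Common Log Format lines with a quoted request field, measures the value after percent-decoding, and uses hypothetical names (`inspect_line`, `scan`) and constructed sample lines.

```python
import re
from urllib.parse import unquote_to_bytes

# Threshold from the notes above: the SEH overwrite occurs at offset 492,
# so mfcisapicommand values longer than ~490 bytes are flagged.
MAX_VALUE_LEN = 490
# Bytes the notes list as mishandled by BadBlue.
BAD_BYTES = bytes([0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C])
# Assumed log shape: the request is the first quoted field, "METHOD target ...".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)')


def inspect_line(line):
    """Return a finding dict for an oversized /ext.dll request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # File and parameter names are compared case-insensitively after decoding.
    if unquote_to_bytes(path).lower().rsplit(b"/", 1)[-1] != b"ext.dll":
        return None
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_to_bytes(name).lower() != b"mfcisapicommand":
            continue
        value = unquote_to_bytes(raw)  # measure decoded bytes, not raw text
        if len(value) > MAX_VALUE_LEN:
            return {
                "method": m.group("method"),
                "value_len": len(value),
                # Supporting signal only: a large value with none of the bad bytes.
                "no_bad_bytes": not any(b in value for b in BAD_BYTES),
            }
    return None


def scan(lines):
    """Return (line_index, finding) for every flagged line."""
    return [(i, f) for i, line in enumerate(lines) if (f := inspect_line(line))]


# Constructed sample log lines (documentation addresses, filler values).
_TS = "- - [01/Jan/2024:00:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 {_TS} "GET /ext.dll?mfcisapicommand={"A" * 600} HTTP/1.0" 500 0',
    f'192.0.2.11 {_TS} "GET /ext.dll?mfcisapicommand=Example&page=index HTTP/1.1" 200 512',
    f'192.0.2.12 {_TS} "GET /EXT.DLL?MfcIsapiCommand={"%41" * 500} HTTP/1.0" 500 0',
    f'192.0.2.13 {_TS} "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOG):
        print(idx, finding)
```

The `no_bad_bytes` field is a supporting signal for triage, not a condition for the alert; length alone drives the match.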