cbcvebase.
CVE-2005-2297
published 2005-07-19


Priority: P3 (52) · Severity: medium · CVSS 2.0 base score: 4.6
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Exploit: yes
EPSS: 74.20% (99.4th percentile)
Stack-based buffer overflow in TreeAction.do in Sybase EAServer 4.2.5 through 5.2 allows remote authenticated users to execute arbitrary code via a large javascript parameter.

Affected (4 ranges)

Vendor   Product   Version range     Fixed in
sybase   easerver  (not extracted)   (not extracted)
sybase   easerver  (not extracted)   (not extracted)
sybase   easerver  (not extracted)   (not extracted)
sybase   easerver  (not extracted)   (not extracted)

Detection & IOCs (extracted from sources)

url: /WebConsole/Login.jsp
path: /WebConsole/
port: 8080
other: 0x6d4548ff
other: 0x08041b25
bytes: \xeb\x06 (short JMP over SEH overwrite)
  • Detect oversized GET requests to /WebConsole/Login.jsp with a large query string (javascript parameter) exceeding normal bounds (~5000 bytes), indicative of the stack buffer overflow exploit attempt against TreeAction.do / Login.jsp.
  • Monitor HTTP GET requests to port 8080 targeting /WebConsole/Login.jsp with query strings longer than ~3800 characters, which corresponds to the SEH overwrite offsets used in the exploit (3820–3925 bytes).
  • Alert on the exploit's characteristic User-Agent string 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' combined with an oversized GET request to /WebConsole/Login.jsp on port 8080.
  • Look for the short-jump shellcode stub bytes \xeb\x06 at the SEH overwrite offset within the query string payload, which is the exploit's SEH-based control-flow hijack mechanism.
  • The exploit uses a 5000-byte alphanumeric random buffer with specific return addresses (0x6d4548ff or 0x08041b25) packed at the SEH offset; scanning for these byte sequences in HTTP query strings targeting EAServer can identify exploitation attempts.
  • The SEH overwrite offset varies depending on the JDK version installed on the target server (offsets range from 3820 to 3925), making the exploit unreliable and meaning detection rules based on a fixed offset may miss some variants.
  • The exploit payload space is limited to 1000 bytes with a stack adjustment of -3500; payloads larger than 1000 bytes will not fit and the exploit uses a StackAdjustment to relocate the stack pointer before shellcode execution.
  • The vulnerability requires remote authenticated users, meaning unauthenticated access alone is insufficient to trigger the overflow; detection should account for authenticated sessions preceding the oversized request.
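The detection notes above can be turned into a single log-scanning rule. The following Python is an added illustration, not code from this page, from Sybase, or from any detection vendor: it assumes a constructed access-log layout (`vhost:port client [time] "request" status bytes "referer" "user-agent"`), constructed host names and sample request lines, and applies the page's own indicators: a GET to /WebConsole/Login.jsp on port 8080 whose query string (or its `javascript` parameter) exceeds ~3800 bytes, the short-jump stub `\xeb\x06`, the two listed return addresses packed little-endian, and the listed User-Agent string. A length threshold rather than a fixed offset is used deliberately, since the page notes the SEH offset moves with the JDK version.

```python
"""Heuristic detection of CVE-2005-2297 exploitation attempts in HTTP access logs.

Added example, not code from the cvebase page or from Sybase. The log layout,
host names and request lines below are constructed for this illustration;
the thresholds and indicator bytes are the ones listed on the page.
"""
import re
from urllib.parse import parse_qs, unquote_to_bytes, urlsplit

# Indicators taken from the page's detection notes
TARGET_PATH = "/WebConsole/Login.jsp"
TARGET_PORT = 8080
QUERY_LEN_THRESHOLD = 3800            # SEH overwrite offsets start around 3820 bytes
EXPLOIT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SEH_STUB = b"\xeb\x06"                # short JMP over the SEH record
RETURN_ADDRS = (0x6D4548FF, 0x08041B25)

# Assumed (constructed) log layout:
#   vhost:port client [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def packed_return_addresses():
    """The two return addresses as they would appear in a little-endian 32-bit SEH overwrite."""
    return [addr.to_bytes(4, "little") for addr in RETURN_ADDRS]


def analyze(line):
    """Return the list of matched detection reasons for one log line.

    An empty list means the line is benign; None means it did not parse.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["method"] != "GET" or int(m["port"]) != TARGET_PORT:
        return []
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return []

    reasons = []
    query = parts.query
    if len(query) > QUERY_LEN_THRESHOLD:
        reasons.append("oversized_query")
    params = parse_qs(query, keep_blank_values=True)
    if any(len(v) > QUERY_LEN_THRESHOLD for v in params.get("javascript", [])):
        reasons.append("large_javascript_param")
    raw = unquote_to_bytes(query)     # decode %XX so byte-level indicators can be matched
    if SEH_STUB in raw:
        reasons.append("seh_short_jump_stub")
    if any(addr in raw for addr in packed_return_addresses()):
        reasons.append("known_return_address")
    if m["ua"] == EXPLOIT_UA and "oversized_query" in reasons:
        reasons.append("exploit_user_agent_with_oversized_request")
    return reasons


def scan(lines):
    """Map line index -> reasons, keeping only lines that triggered at least one rule."""
    findings = {}
    for i, line in enumerate(lines):
        reasons = analyze(line)
        if reasons:
            findings[i] = reasons
    return findings


def _constructed_line(target, ua="Mozilla/5.0", port=TARGET_PORT):
    """Build one constructed log line in the assumed layout."""
    return (f'eas.example.internal:{port} 10.0.0.5 [19/Jul/2005:10:00:00 +0000] '
            f'"GET {target} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample log lines: a normal login-page hit, an oversized request
# carrying the indicator bytes, and a large query against a different path.
SAMPLE_LINES = [
    _constructed_line("/WebConsole/Login.jsp?javascript=1"),
    _constructed_line(
        "/WebConsole/Login.jsp?javascript=" + "A" * 3900 + "%EB%06" + "%FF%48%45%6D" + "A" * 60,
        ua=EXPLOIT_UA),
    _constructed_line("/WebConsole/Other.jsp?javascript=" + "A" * 4000),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LINES).items():
        print(f"line {idx}: {', '.join(reasons)}")
```

Only the second constructed line fires, and it fires on every rule at once; in practice a length-only hit is a weaker signal than the byte indicators, so weight them separately. An access log does not show whether the session was authenticated, which the page says is required to reach the overflow, so correlate hits with a preceding successful login from the same client before escalating.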