CVE-2005-4085
published 2005-12-31

Priority: P3 (56), high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 65.92% (99.2nd percentile)
Buffer overflow in BlueCoat (a) WinProxy before 6.1a and (b) the web console access functionality in ProxyAV before 2.4.2.3 allows remote attackers to execute arbitrary code via a long Host: header.

Affected

5 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bluecoat | webproxy | | |
| bluecoat | webproxy | | |
| bluecoat | webproxy | | |
| bluecoat | webproxy | | |
| bluecoat | webproxy | | |

Detection & IOCs (extracted from sources)

port: 4444
command: GET / HTTP/1.0 Host: 127.0.0.1:<NOP x23><JMP><SEH><NOP x50><shellcode>
command: GET / HTTP/1.1 Host: 127.0.0.1:<31-byte overflow with SEH payload>
bytes: \x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26\x8c\x6d\xa3
  • Detect exploit attempts by inspecting HTTP Host headers that carry an oversized port value (the part after the colon) directed at WinProxy on TCP/80; the overflow is triggered in the port field of the Host header.
  • Flag HTTP requests whose Host header port field contains NOP sleds (0x90 sequences) followed by a short JMP (0xeb) and a 4-byte SEH overwrite value; this pattern is characteristic of SEH-based exploitation of this vulnerability.
  • After successful exploitation, a bind shell is opened on TCP/4444 on the victim host; monitor for unexpected listening services on port 4444 on WinProxy/ProxyAV systems.
  • The exploit payload avoids the bad characters \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; IDS signatures for shellcode in the Host header port field should account for these exclusions when building byte-pattern rules.
  • The SEH overwrite targets a POP/POP/RET gadget at 0x01031240 in PAVDLL on WinProxy 6.0 R1c; the presence of this return address in network traffic is a strong indicator of exploitation.
  • The Metasploit module targets a specific return address (0x6020ba04) in Asmdat.dll; this gadget address is version-specific and will not apply to all WinProxy builds.
  • The standalone Perl exploit hardcodes the SEH overwrite to PAVDLL offset 0x01031240 (POP/POP/RET), which is specific to WinProxy 6.0 R1c and may differ across patch levels.
  • The payload space is limited to 600 bytes and requires a stack adjustment of -3500 bytes; custom shellcode must fit within these constraints and avoid the listed bad characters.