CVE-2000-0665
published 2000-07-17

CVE-2000-0665: GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username.

Priority: P4 · 23
CVSS 2.0: 5 (medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 50.34% (98.8th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gamsoft | telsrv | | |
| gamsoft | telsrv | | |

Detection & IOCs (extracted from sources)

url: http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip
  • Banner check: detect GAMSoft TelSrv 1.5 by matching the string 'TelSrv 1\.5' in the telnet service banner on port 23.
  • Exploit sends an oversized username (~20000 bytes) to the telnet service; alert on abnormally large username fields in telnet (port 23) login sequences.
  • Exploit requires a ~7-second delay before sending the payload (to bypass unregistered version timeout); a long pause followed by a large burst on port 23 is a behavioral indicator.
  • SEH-based exploitation: the return address 0x75022ac4 (pop/pop/ret in ws2help.dll) is placed at offset 1886 (remote) or 3318/3358 (local) within the username buffer.
  • The service terminates after successful exploitation; a sudden crash/restart of the TelSrv process following a large inbound telnet connection is a post-exploitation indicator.
  • Exploit payload space is limited to 1000 bytes and a stack adjustment of -3500 is applied; payloads exceeding this space will not function correctly.
  • The return address 0x75022ac4 (ws2help.dll pop/pop/ret) is specific to Windows 2000 Pro SP0–SP4 English; offsets differ between remote (1886) and local/DHCP (3318/3358) scenarios.
  • Windows XP target offset is explicitly noted as incorrect in the module and the target is commented out; do not rely on this module for XP exploitation.
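
The banner, username-length and pause-then-burst indicators above can be combined into one per-session check. The following is an added example, not code from this page or its sources. The `Chunk` record, the three thresholds, the indicator names and the sample sessions (including the banner layout) are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

BANNER_RE = re.compile(rb"TelSrv 1\.5")  # banner string quoted in the list above
MAX_USERNAME = 256   # assumption: ceiling for a legitimate telnet username
MIN_PAUSE_S = 5.0    # assumption: the list above describes a ~7 second wait
MIN_BURST = 1024     # assumption: bytes in one client write after the pause

@dataclass
class Chunk:
    t: float      # seconds since TCP connect
    src: str      # "client" or "server"
    data: bytes   # reassembled payload of one write

def username_field(chunks):
    """Client bytes before the first CR/LF, with telnet option negotiation removed."""
    stream = b"".join(c.data for c in chunks if c.src == "client")
    stream = re.sub(rb"\xff[\xfb-\xfe].", b"", stream, flags=re.S)  # IAC WILL/WONT/DO/DONT
    return re.split(rb"[\r\n]", stream, maxsplit=1)[0]

def analyze(chunks):
    """Return the indicator names that fire for one port-23 session."""
    hits = set()
    if BANNER_RE.search(b"".join(c.data for c in chunks if c.src == "server")):
        hits.add("telsrv15_banner")
    if len(username_field(chunks)) > MAX_USERNAME:
        hits.add("oversized_username")
    prev_t = 0.0
    for c in chunks:
        # A quiet period followed by one large client write.
        if c.src == "client" and c.t - prev_t >= MIN_PAUSE_S and len(c.data) >= MIN_BURST:
            hits.add("pause_then_burst")
        prev_t = c.t
    return hits

# Constructed sessions (not captured traffic).
BANNER = Chunk(0.1, "server", b"TelSrv 1.5\r\nLogin: ")
NORMAL = [BANNER, Chunk(2.0, "client", b"\xff\xfb\x18alice\r\n")]
SUSPECT = [BANNER, Chunk(7.3, "client", b"x" * 20000 + b"\r\n")]
OTHER = [Chunk(0.1, "server", b"login: "), Chunk(9.0, "client", b"bob\r\n")]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("suspect", SUSPECT), ("other", OTHER)):
        print(name, sorted(analyze(s)))
```

The username threshold is deliberately far below the offsets listed above, so an overlong field is flagged regardless of its exact length.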