CVE-2000-0665
Published 2000-07-17

GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username.

Priority: P4 · CVSS 2.0 base score 5 (medium) · vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 50.34% (98.8th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gamsoft | telsrv | — | — |
| gamsoft | telsrv | — | — |
Detection & IOCs (extracted from sources)
- Banner check: detect GAMSoft TelSrv 1.5 by matching the string 'TelSrv 1\.5' in the telnet service banner on port 23.
- The exploit sends an oversized username (~20000 bytes) to the telnet service; alert on abnormally large username fields in telnet (port 23) login sequences.
- The exploit requires a ~7-second delay before sending the payload (to bypass the unregistered-version timeout); a long pause followed by a large burst on port 23 is a behavioral indicator.
- SEH-based exploitation: the return address 0x75022ac4 (pop/pop/ret in ws2help.dll) is placed at offset 1886 (remote) or 3318/3358 (local) within the username buffer.
- The service terminates after successful exploitation; a sudden crash/restart of the TelSrv process following a large inbound telnet connection is a post-exploitation indicator.
- Exploit payload space is limited to 1000 bytes and a stack adjustment of -3500 is applied; payloads exceeding this space will not function correctly.
- The return address 0x75022ac4 (ws2help.dll pop/pop/ret) is specific to Windows 2000 Pro SP0–SP4 English; offsets differ between remote (1886) and local/DHCP (3318/3358) scenarios.
- The Windows XP target offset is explicitly noted as incorrect in the module and the target is commented out; do not rely on this module for XP exploitation.
No detection rules found.
Exploit-DB
GAMSoft TelSrv 1.5 - 'Username' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-06-22 · CVE-2000-0665
---
##
# $Id: gamsoft_telsrv_username.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'GAMSoft TelSrv 1.5 Username Buffer Overflow',
'Description' => %q{
This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.
Other versions may also be affected. The service terminates after exploitation,
so you only get one chance!
},
'Author' => [ 'Patrick Webster ' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Versio
Exploit-DB
Microsoft Access 97/2000/2002 Snapshot Viewer - ActiveX Control Parameter Buffer Overflow
exploitdb · 2003-09-03 · CVE-2003-0665
---
// source: https://www.securityfocus.com/bid/8536/info
Microsoft Access Snapshot Viewer is prone to a remote buffer-overflow condition because the software fails to perform sufficient boundary checks on user-supplied parameters. Presumably, a remote attacker may be able to leverage this issue to execute arbitrary code in the context of the user running the affected Internet Explorer.
/* Microsoft Access Snapshot Viewer ActiveX Control Exploit
Ms-Acees SnapShot Exploit Snapview.ocx v 10.0.5529.0
Download nice binaries into an arbitrary box
Vulnerability discovered by Oliver Lavery
https://www.securityfocus.com/bid/8536/info
Remote: Yes
greetz to str0ke */
#include
#include
#define Filename "
Metasploit
GAMSoft TelSrv 1.5 Username Buffer Overflow
This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5. Other versions may also be affected. The service terminates after exploitation, so you only get one chance!
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0031.html
- http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0056.html
- http://www.osvdb.org/373
- http://www.securityfocus.com/bid/1478
- https://exchange.xforce.ibmcloud.com/vulnerabilities/4945