CVE-2003-1141
published 2003-11-04

CVE-2003-1141: Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.

Priority: P351, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 68.32% (99.2th percentile)

Affected

1 range

Vendor: network_instruments
Product: niprint_lpd-lpr_print_server
Version range:
Fixed in:

Detection & IOCs (extracted from sources)

port: 515/TCP
registry: NIPrint3.EXE
other: Return address 0x00404236 (jmp esi) in NIPrint3.EXE
process: NIPrint3.EXE
bytes: \xeb\x33 at offset 0 of 8192-byte request
  • Detect oversized requests (8192 bytes) to TCP port 515 (LPD), characteristic of the exploit buffer.
  • Look for the short-jump opcode bytes \xeb\x33 at the very start of an LPD request on port 515, used as the exploit trigger.
  • A return address value placed at byte offset 49 of the LPD request is a strong exploit indicator; monitor for non-printable/binary data at that offset in port-515 traffic.
  • Bad characters \x00 and \x0a are avoided in the payload; any port-515 request containing 8 KB of alphanumeric data with embedded binary at offsets 0 and 49 should be flagged.
  • Monitor for NIPrint3.EXE process anomalies or unexpected child processes, as successful exploitation targets this executable on Windows.
  • The Metasploit module uses a stack adjustment of -3500 bytes; payload space is limited to 500 bytes, so shellcode delivered in the wild will be constrained to this size.
  • Three distinct return addresses are used depending on target OS/binary version; detection rules should not rely on a single hardcoded return address value.
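
The network indicators listed above can be combined into a single check over a reassembled TCP/515 request. The following is an added example, not code from this page or from the Metasploit module; the function names, the 0.9 alphanumeric ratio, the 1024-byte minimum and the two-indicator rule are assumptions chosen for illustration.

```python
"""Added example: score a captured TCP/515 request against the page's indicators."""
import string

REQUEST_SIZE = 8192          # exploit buffer size stated on the page
JUMP_BYTES = b"\xeb\x33"     # short-jump opcode bytes at offset 0
RET_OFFSET = 49              # return address position stated on the page
ALNUM = set((string.ascii_letters + string.digits).encode())


def indicators(payload: bytes) -> list[str]:
    """Return the names of the page's indicators that this request matches."""
    hits = []
    if len(payload) >= REQUEST_SIZE:
        hits.append("oversized_request")
    if payload.startswith(JUMP_BYTES):
        hits.append("short_jump_at_offset_0")
    ret = payload[RET_OFFSET:RET_OFFSET + 4]
    # The address differs per target, so test for binary data, not one value.
    if len(ret) == 4 and any(b > 0x7e or (b < 0x20 and b not in b"\t\r\n") for b in ret):
        hits.append("binary_at_offset_49")
    filler = payload[2:RET_OFFSET] + payload[RET_OFFSET + 4:]
    clean = b"\x00" not in payload and b"\x0a" not in payload
    if clean and len(filler) > 1024 and sum(b in ALNUM for b in filler) > 0.9 * len(filler):
        hits.append("alnum_filler_without_bad_chars")
    return hits


def is_suspicious(payload: bytes) -> bool:
    """Flag on the trigger bytes alone, or on any two indicators together (assumed rule)."""
    hits = indicators(payload)
    return "short_jump_at_offset_0" in hits or len(hits) >= 2


# Constructed samples (not captured traffic): the layout follows the page, the
# four bytes at offset 49 are a placeholder, and no payload is included.
SAMPLE_FLAGGED = JUMP_BYTES + b"A" * 47 + b"\xaa\xbb\xcc\xdd" + b"A" * (REQUEST_SIZE - 53)
SAMPLE_LPD = b"\x02lp\n"     # RFC 1179 "receive a printer job" command for queue "lp"

if __name__ == "__main__":
    for name, data in (("flagged", SAMPLE_FLAGGED), ("lpd", SAMPLE_LPD)):
        print(name, len(data), is_suspicious(data), indicators(data))
```

A normal LPD command line is short and terminated by a line feed, which is why the absence of \x0a across an 8 KB request is treated as a signal here.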