CVE-2003-1141
published 2003-11-04
CVE-2003-1141: Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.
Priority: P3 · 51 · high · CVSS 2.0: 7.5
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 68.32% (99.2th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| network_instruments | niprint_lpd-lpr_print_server | — | — |
Detection & IOCs
bytes: \xeb\x33 at offset 0 of 8192-byte request
- Detect oversized requests (8192 bytes) to TCP port 515 (LPD), characteristic of the exploit buffer.
- Look for the short-jump opcode bytes \xeb\x33 at the very start of an LPD request on port 515, used as the exploit trigger.
- A return address value placed at byte offset 49 of the LPD request is a strong exploit indicator; monitor for non-printable/binary data at that offset in port-515 traffic.
- Bad characters \x00 and \x0a are avoided in the payload; any port-515 request containing 8 KB of alphanumeric data with embedded binary at offsets 0 and 49 should be flagged.
- Monitor for NIPrint3.EXE process anomalies or unexpected child processes, as successful exploitation targets this executable on Windows.
- The Metasploit module uses a stack adjustment of -3500 bytes; payload space is limited to 500 bytes, so shellcode delivered in the wild will be constrained to this size.
- Three distinct return addresses are used depending on target OS/binary version; detection rules should not rely on a single hardcoded return address value.
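The network indicators listed above, combined into one scoring function for a reassembled port-515 request; this is an added example, not code from this page or from the Metasploit module. The function names, the 256-byte floor, the two-indicator alert threshold and the sample payloads are assumptions constructed for illustration.

```python
import string

EXPLOIT_LEN = 8192   # request size listed on this page
RET_OFFSET = 49      # return-address offset listed on this page
MIN_LEN = 256        # assumed floor below which the bad-character check is skipped
PRINTABLE = set(string.printable.encode())


def lpd_indicators(payload: bytes) -> list:
    """Return the names of the page's indicators matched by one LPD request."""
    hits = []
    if len(payload) >= EXPLOIT_LEN:
        hits.append("oversized")
    if payload[:2] == b"\xeb\x33":
        hits.append("short_jump_at_0")
    # Test for binary data at the offset, not for one address value:
    # the page notes three different return addresses are in use.
    ret = payload[RET_OFFSET:RET_OFFSET + 4]
    if len(ret) == 4 and any(b not in PRINTABLE for b in ret):
        hits.append("binary_at_49")
    # RFC 1179 commands end in LF, so a large request that contains
    # neither LF nor NUL matches the bad-character avoidance noted above.
    if len(payload) > MIN_LEN and b"\x00" not in payload and b"\x0a" not in payload:
        hits.append("no_badchars")
    return hits


def should_alert(payload: bytes, threshold: int = 2) -> bool:
    """Alert only when several indicators agree (threshold is an assumption)."""
    return len(lpd_indicators(payload)) >= threshold


# Constructed samples, not captured traffic.
BENIGN = b"\x02lp\n"                      # RFC 1179 "receive a printer job", queue "lp"
BULK_TEXT = b"line of text\n" * 700       # large but ordinary printable data
SUSPECT = (b"\xeb\x33" + b"A" * 47        # marker bytes, then filler up to offset 49
           + b"\xff\xfe\xfd\xfc"          # placeholder binary, not a real address
           + b"A" * (EXPLOIT_LEN - 53))   # inert filler to 8192 bytes

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("bulk", BULK_TEXT), ("suspect", SUSPECT)):
        print(name, len(data), lpd_indicators(data), should_alert(data))
```

The bulk-text sample trips only the size indicator, which is why the alert requires more than one match.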
No detection rules found.
Exploit-DB
NIPrint LPD - Request Overflow (Metasploit)
exploitdb·2010-12-25
---
##
# $Id: niprint.rb 11407 2010-12-25 06:01:12Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'NIPrint LPD Request Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the
Network Instrument NIPrint LPD service. Inspired by
Immunity's VisualSploit :-)
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11407 $',
'References' =>
[
['CVE', '2003-1141'],
['OSVDB', '2774'],
['BID', '8968'],
['URL', 'http://www.immunitysec.com/documentation
Metasploit
NIPrint LPD Request Overflow
metasploit
This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit :-)
No writeups or analysis indexed.
- http://secunia.com/advisories/10143
- http://www.osvdb.org/2774
- http://www.securityfocus.com/archive/1/343257
- http://www.securityfocus.com/archive/1/343318
- http://www.securityfocus.com/bid/8968
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13591
Published: 2003-11-04