CVE-2005-0260
published 2005-05-02

CVE-2005-0260: Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a…

Priority: P264 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 69.73% (99.3th percentile)
Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call.

Affected

10 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| broadcom | arcserve_backup_2000 | | |
| broadcom | brightstor_arcserve_backup | | |
| broadcom | brightstor_arcserve_backup | | |
| broadcom | brightstor_arcserve_backup | | |
| broadcom | brightstor_arcserve_backup | | |
| broadcom | brightstor_arcserve_backup | | |
| broadcom | brightstor_arcserve_backup_hp | | |
| broadcom | brightstor_enterprise_backup | | |
| broadcom | brightstor_enterprise_backup | | |
| broadcom | brightstor_enterprise_backup | | |

Detection & IOCs (extracted from sources)

  • port: UDP/41524
  • port: TCP/41523
  • filename: cheyprod.dll
  • command: csock.put('hMETA')
  • command: csock.put('META')

  • Alert on large UDP packets (>968 bytes) sent to port 41524 targeting the BrightStor ARCserve Discovery Service; the exploit sends a 4096-byte buffer to trigger the overflow.
  • The exploit offsets the return address at byte 968 or 970 within the UDP payload; inspect UDP/41524 traffic for payloads with non-ASCII or high-entropy data at those offsets.
  • The payload is placed at offset 1046 within the 4096-byte UDP buffer; null bytes (0x00) are absent from the payload due to bad-char filtering — look for large UDP/41524 datagrams with no null bytes.
  • The Metasploit module requires a StackAdjustment of -3500, indicating the shellcode executes in a stack context significantly below the overflow point; this may affect reliability of generic stack-pivot detections.
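
The size, null-byte and offset heuristics from the list above, combined into one scoring function and run over constructed datagrams. This is an added example, not code from this page or its sources; the function names, the 4-byte inspection window and the sample payloads are assumptions.

```python
DISCOVERY_PORT = 41524    # UDP port of the Discovery Service (from the page)
SIZE_THRESHOLD = 968      # alert threshold in bytes (from the page)
RET_OFFSETS = (968, 970)  # return-address offsets (from the page)
WINDOW = 4                # assumption: number of bytes inspected at each offset


def score_datagram(dst_port, payload):
    """Return the names of the heuristics a UDP datagram matches."""
    if dst_port != DISCOVERY_PORT:
        return []
    hits = []
    if len(payload) > SIZE_THRESHOLD:
        hits.append("oversized")
        # Bad-char filtering leaves large exploit datagrams free of 0x00.
        if b"\x00" not in payload:
            hits.append("no-null-bytes")
    for off in RET_OFFSETS:
        window = payload[off:off + WINDOW]
        # Only judge a full window; short datagrams never reach the offsets.
        if len(window) == WINDOW and any(b < 0x20 or b > 0x7E for b in window):
            hits.append("non-ascii@%d" % off)
            break
    return hits


def triage(datagrams):
    """Map (src, dst_port, payload) tuples to alerts for those with any hit."""
    alerts = []
    for src, dst_port, payload in datagrams:
        hits = score_datagram(dst_port, payload)
        if hits:
            alerts.append({"src": src, "len": len(payload), "hits": hits})
    return alerts


# Constructed sample traffic: filler bytes only, no real exploit content.
SAMPLES = [
    ("192.0.2.10", 41524, b"\x00" * 64),                          # short probe
    ("192.0.2.11", 41524, b"A" * 10 + b"\x00" + b"A" * 1189),     # large, has null
    ("192.0.2.12", 41524,
     b"A" * 968 + b"\xff\xfe\xfd\xfc" + b"B" * 3124),             # 4096, no nulls
    ("192.0.2.13", 9999, b"A" * 4096),                            # different port
]

if __name__ == "__main__":
    for alert in triage(SAMPLES):
        print(alert)
```
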