CVE-2005-0353
published 2005-05-02


Priority: P2 (65, critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 71.13% (99.3th percentile)
Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093.

Affected (1 range)

Vendor    Product                    Version range   Fixed in
safenet   sentinel_license_manager   (not given)     (not given)

Detection & IOCs (extracted from sources)

portUDP/5093
portTCP/101
bytes
\x7a\x00\x00\x00\x00\x00
  • Detect exploitation attempt: oversized UDP datagrams (~1035–3900+ bytes) sent to UDP port 5093 targeting the Lservnt/SentinelLM service; the overflow triggers at approximately 3900 bytes.
  • Metasploit exploit places the return address at buffer offset 836 (or 840 for some targets) and uses a short JMP (\xeb\xf9) at offset 832 followed by a long backward JMP at offset 827; monitor for these patterns in UDP/5093 traffic.
  • Known return addresses (SEH pop/pop/ret gadgets) used by exploits targeting SentinelLM 7.2.0.0: 0x77681799 (ws2help.dll, NT4), 0x75022ac4 (ws2help.dll, Win2k EN), 0x74fa1887 (ws2help.dll, Win2k DE), 0x71aa32ad (ws2help.dll, XP SP0/SP1), 0x7ffc0638 (PEB, Win2003 SP0).
  • Post-exploitation bind shell listens on TCP port 101; monitor for unexpected listeners or connections on TCP/101 on hosts running SentinelLM.
  • Selecting the wrong target platform in the Metasploit module will crash the SentinelLM service permanently (no auto-restart); ensure target OS/SP is confirmed before testing.
  • The Metasploit payload space is limited to 800 bytes with bad characters \x00 and \x20 excluded; shellcode must avoid null bytes and space characters.
  • The standalone exploit's reverse-shell shellcode (scode2) has the connect-back IP and port embedded at fixed offsets (167 and 173); these must be set correctly or the payload will fail.
  • The popopret gadget for XP SP2/2003 (0x7ffc0638 / ebxsp2k3 = \xE1\x1B\xFA\x7F) is outside a loaded module and may be language-dependent; the author notes it was tested on English editions only.
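The detection bullets above can be turned directly into a flow-level check. The following Python is an added example, not part of this CVE record or of any exploit code it references: it applies the page's indicators (oversized datagrams to UDP/5093, the `\xeb\xf9` short JMP at offset 832, the listed return addresses at offsets 836/840, and connections to TCP/101) to constructed flow records. The `FlowRecord` shape, the sample traffic and the 1035-byte size threshold (the low end of the range the page reports) are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# Indicators taken from the CVE record above.
SENTINEL_UDP_PORT = 5093
BIND_SHELL_TCP_PORT = 101
OVERSIZE_THRESHOLD = 1035          # assumed alert threshold: low end of the reported ~1035-3900+ byte range
SHORT_JMP = b"\xeb\xf9"            # short backward JMP the record places at offset 832
SHORT_JMP_OFFSET = 832
RETADDR_OFFSETS = (836, 840)       # return-address slots named in the record
KNOWN_RETADDRS = {
    struct.pack("<I", addr)        # x86 little-endian, as they would appear on the wire
    for addr in (0x77681799, 0x75022ac4, 0x74fa1887, 0x71aa32ad, 0x7ffc0638)
}


@dataclass
class FlowRecord:
    """Assumed shape of one flow/datagram record (src, dst, proto, dport, payload)."""
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    dport: int
    payload: bytes = b""


def check_record(rec):
    """Return a list of human-readable findings for one record (empty if clean)."""
    findings = []
    if rec.proto == "udp" and rec.dport == SENTINEL_UDP_PORT:
        size = len(rec.payload)
        if size >= OVERSIZE_THRESHOLD:
            findings.append(f"oversized datagram to UDP/{SENTINEL_UDP_PORT}: {size} bytes")
        if rec.payload[SHORT_JMP_OFFSET:SHORT_JMP_OFFSET + 2] == SHORT_JMP:
            findings.append(f"short JMP (eb f9) at offset {SHORT_JMP_OFFSET}")
        for off in RETADDR_OFFSETS:
            if rec.payload[off:off + 4] in KNOWN_RETADDRS:
                findings.append(f"known ws2help/PEB return address at offset {off}")
    elif rec.proto == "tcp" and rec.dport == BIND_SHELL_TCP_PORT:
        findings.append(f"connection to TCP/{BIND_SHELL_TCP_PORT} (possible bind shell)")
    return findings


def build_sample_records():
    """Constructed sample traffic (not a real capture): one benign license query,
    one datagram carrying the record's overflow indicators, one TCP/101 connect."""
    benign = FlowRecord("10.0.0.5", "10.0.0.10", "udp", SENTINEL_UDP_PORT,
                        b"\x7a\x00\x00\x00\x00\x00" + b"A" * 40)
    body = bytearray(b"A" * 1100)                      # oversized filler only
    body[SHORT_JMP_OFFSET:SHORT_JMP_OFFSET + 2] = SHORT_JMP
    body[836:840] = struct.pack("<I", 0x75022ac4)      # Win2k EN ws2help.dll address from the record
    suspicious = FlowRecord("192.0.2.7", "10.0.0.10", "udp", SENTINEL_UDP_PORT, bytes(suspicious_bytes := body))
    shell = FlowRecord("192.0.2.7", "10.0.0.10", "tcp", BIND_SHELL_TCP_PORT)
    return [benign, suspicious, shell]


def scan(records):
    """Map record index -> findings, keeping only records that triggered something."""
    result = {}
    for i, rec in enumerate(records):
        findings = check_record(rec)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for idx, hits in scan(build_sample_records()).items():
        print(f"record {idx}:")
        for hit in hits:
            print("  -", hit)
```

The size check is the cheap first-pass filter; the offset checks give higher-confidence hits on the specific exploit layout the record describes, and the TCP/101 check covers the post-exploitation stage on hosts that should never listen there.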