CVE-2005-0353
Published: 2005-05-02
Priority: P2 (65)
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 71.13% (99.3th percentile)
Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| safenet | sentinel_license_manager | — | — |
Detection & IOCs (extracted from sources)
bytes: \x7a\x00\x00\x00\x00\x00
- Detect exploitation attempt: oversized UDP datagrams (~1035–3900+ bytes) sent to UDP port 5093 targeting the Lservnt/SentinelLM service; the overflow triggers at approximately 3900 bytes.
- Metasploit exploit places the return address at buffer offset 836 (or 840 for some targets) and uses a short JMP (\xeb\xf9) at offset 832 followed by a long backward JMP at offset 827; monitor for these patterns in UDP/5093 traffic.
- Known return addresses (SEH pop/pop/ret gadgets) used by exploits targeting SentinelLM 7.2.0.0: 0x77681799 (ws2help.dll, NT4), 0x75022ac4 (ws2help.dll, Win2k EN), 0x74fa1887 (ws2help.dll, Win2k DE), 0x71aa32ad (ws2help.dll, XP SP0/SP1), 0x7ffc0638 (PEB, Win2003 SP0).
- Post-exploitation bind shell listens on TCP port 101; monitor for unexpected listeners or connections on TCP/101 on hosts running SentinelLM.
- Selecting the wrong target platform in the Metasploit module will crash the SentinelLM service permanently (no auto-restart); ensure target OS/SP is confirmed before testing.
- The Metasploit payload space is limited to 800 bytes with bad characters \x00 and \x20 excluded; shellcode must avoid null bytes and space characters.
- The standalone exploit's reverse-shell shellcode (scode2) has the connect-back IP and port embedded at fixed offsets (167 and 173); these must be set correctly or the payload will fail.
- The popopret gadget for XP SP2/2003 (0x7ffc0638 / ebxsp2k3 = \xE1\x1B\xFA\x7F) is outside a loaded module and may be language-dependent; the author notes it was tested on English editions only.
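As an added defender-side example (not code from any of the sources quoted above), the following Python helper applies the heuristics listed above to individual UDP datagrams: destination port 5093, the oversize threshold, the short-JMP bytes at offset 832, and the quoted return addresses at offsets 836/840. The threshold choice and the sample traffic are constructed assumptions, not captures.

```python
import struct

SENTINEL_UDP_PORT = 5093
OVERSIZE_THRESHOLD = 1035      # lower end of the datagram sizes reported above (assumption)
SHORT_JMP = b"\xeb\xf9"        # short backward JMP the module places at offset 832
SHORT_JMP_OFFSET = 832
RET_OFFSETS = (836, 840)       # return-address slots used by the public modules
# pop/pop/ret and PEB addresses quoted above, packed little-endian as they appear on the wire
KNOWN_RET_ADDRS = {
    struct.pack("<I", addr)
    for addr in (0x77681799, 0x75022AC4, 0x74FA1887, 0x71AA32AD, 0x7FFC0638)
}


def inspect_datagram(dst_port: int, payload: bytes) -> list:
    """Return finding tags for one UDP datagram; an empty list means nothing matched."""
    findings = []
    if dst_port != SENTINEL_UDP_PORT:
        return findings
    if len(payload) >= OVERSIZE_THRESHOLD:
        findings.append(f"oversized:{len(payload)}")
    if payload[SHORT_JMP_OFFSET:SHORT_JMP_OFFSET + 2] == SHORT_JMP:
        findings.append("short_jmp@832")
    for off in RET_OFFSETS:
        if payload[off:off + 4] in KNOWN_RET_ADDRS:
            findings.append(f"known_ret@{off}")
    return findings


def triage(datagrams) -> dict:
    """Map source address to findings for every (src, dst_port, payload) that produced a hit."""
    hits = {}
    for src, dst_port, payload in datagrams:
        found = inspect_datagram(dst_port, payload)
        if found:
            hits[src] = found
    return hits


# constructed sample traffic (not real captures); the third entry mimics the layout described above
SAMPLES = [
    ("10.0.0.5", 5093, b"\x7a\x00\x00\x00\x00\x00" + b"A" * 40),        # ordinary short request
    ("10.0.0.9", 5093, b"A" * 4000),                                   # oversized only
    ("10.0.0.7", 5093, b"A" * 832 + SHORT_JMP + b"AA"
                       + struct.pack("<I", 0x7FFC0638) + b"B" * 3060),  # 3900 bytes total
    ("10.0.0.3", 53, b"A" * 4000),                                     # other port: ignored
]

if __name__ == "__main__":
    for src, found in triage(SAMPLES).items():
        print(src, found)
```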
No detection rules found.
Exploit-DB: Sentinel LM - UDP Buffer Overflow (Metasploit) (exploitdb, 2010-05-09, CVE-2005-0353)
---
```ruby
##
# $Id: sentinel_lm7_udp.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (the module preamble between the class line and the 'Name' entry is not part of this excerpt)
      'Name'        => 'SentinelLM UDP Buffer Overflow',
      'Description' => %q{
          This module exploits a simple stack buffer overflow in the Sentinel
          License Manager. The SentinelLM service is installed with a
          wide selection of products and seems particularly popular with
          academic products. If the wrong target value is selected,
          the service will crash and not restart.
      },
      'Author'      => [ 'hdm' ],
      'License'     => MSF
```
Exploit-DB: Sentinel LM 7.x - UDP License Service Remote Buffer Overflow (exploitdb, 2005-03-13, CVE-2005-0353)
---
```c
/*
SentinelLM, UDP License Service Stack Overflow
Homepage: safenet-inc.com
Affected version: 7.*
Patched version: 8.0
Link: safenet-inc.com/products/sentinel/lm.asp
Date: 09 March 2005
Advisory: securitytracker.com/alerts/2005/Mar/1013385.html
Application Risk: High
Internet Risk: Medium (UDP)
Discovery Credits: Dennis Rand (CIRT.DK)
Exploit Credits : class101
Hole History:
07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
09-3-2005: hat-squad's exploit done
13-3-2005: hat-squad's exploit released
Notes:
-the exploit targets 5093/UDP
-no bad chars detected
-Unlike what is said in the CIRT.DK advisory, you shouldn't submit 3000 bytes of data; indeed, the overflow is occurring at around
3900 bytes. SentinelLM wil
```
Metasploit: SentinelLM UDP Buffer Overflow
This module exploits a simple stack buffer overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particularly popular with academic products. If the wrong target value is selected, the service will crash and not restart.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=111022094326772&w=2
- http://marc.info/?l=full-disclosure&m=111072872816405&w=2
- http://secunia.com/advisories/14511
- http://www.cirt.dk/advisories/cirt-30-advisory.pdf
- http://www.kb.cert.org/vuls/id/108790
- http://www.securityfocus.com/bid/12742
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19621