CVE-2005-1272
published 2005-08-05


Priority: P2 (62) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 66.12% (99.2th percentile)
Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050.

Affected

12 ranges (the version range and fixed-in values were not captured from the source and are left blank)

Vendor    Product                             Ranges   Version range   Fixed in
broadcom  brightstor_enterprise_backup        2        -               -
ca        brightstor_arcserve_backup          4        -               -
ca        brightstor_arcserve_backup_agent    4        -               -
ca        brightstor_enterprise_backup_agent  2        -               -

Detection & IOCs (extracted from sources)

  port: 6070
  port: 6050
  process: dbasqlr.exe
  command: sock.put("\xff" * 0x12000)
  other: 0x20c0c1ab
  other: 0x20c11d64
  other: 0x20c0cd5b
  other: 0x20c0cd1b
  filename: Asbrdcst.dll
  bytes: \xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff
    (a 32-byte jmp/call/pop XOR decoder stub: pop esi; xor ecx,ecx; sub ecx,0xffffff89 so ECX = 0x77 = 119 dwords; xor dword [esi],0x9432bf80; sub esi,-4; loop; the 476-byte encoded payload follows the stub)
  • Monitor for TCP connections to ports 6070 and 6050 targeting the BrightStor ARCserve SQL Backup Agent (dbasqlr.exe); large payloads (>3000 bytes) sent to these ports are indicative of exploitation attempts.
  • Exploit sends a memory-flush sequence of 0x12000 bytes of 0xFF before the overflow buffer; detect large streams of 0xFF bytes on port 6070 as a pre-exploitation indicator.
  • The exploit buffer is 3288 bytes with the return address overwrite at offset 3168 and a JMP-back stub at offset 3172; network payloads of exactly 3288 bytes to port 6070 should be flagged.
  • The exploit uses a stack-adjustment gadget at offset 1337 in the buffer; look for the byte sequence \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) embedded within oversized requests to port 6070.
  • The exploit uses a backward JMP stub \xe9\xd0\xf8\xff\xff at offset 3172 (and \xe9\x4f\xf6\xff\xff in the Metasploit variant); detect these near-end-of-buffer JMP sequences in oversized TCP payloads on port 6070.
  • The payload bad character restriction is \x00 only; shellcode detection signatures must account for the full byte range except null bytes.
  • The Metasploit module notes that 'The one line request does not work against Windows 2003', requiring multiple connection attempts with memory-flush pre-requests; detection logic should account for multi-connection exploitation patterns.
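The detection points above, worked through as an added example (this is not code from the page, from the CVE sources or from the Metasploit module): a small Python scanner that applies the listed indicators to one TCP payload destined for the agent ports, and, when the 32-byte decoder stub is present, reads the dword count and XOR key out of it and decodes the body that follows. The stub parsing assumes the byte sequence listed above is the common jmp/call/pop XOR decoder shape (jmp; pop esi; xor ecx,ecx; sub ecx,imm; xor [esi],key; sub esi,-4; loop; jmp; call), which is what those bytes disassemble to. The thresholds FLUSH_RUN_MIN and TAIL_WINDOW, the 1400-byte body offset and every sample payload are assumptions or constructed data; the "shellcode" in the sample is ASCII text, not a real payload.

```python
"""CVE-2005-1272 exploit-traffic heuristics (added example, not the page's code).
Matches one payload sent to the ARCserve SQL agent ports against the indicators
above and, when the jmp/call/pop XOR decoder stub is present, recovers its key
and length and decodes the body behind it. Sample traffic is constructed."""
import re
import struct

# Values taken from the indicator list above
AGENT_PORTS = {6070, 6050}
BUFFER_LEN = 3288                                # total exploit buffer
RET_OFFSET, JMP_OFFSET, GADGET_OFFSET = 3168, 3172, 1337
ADD_ESP_GADGET = b"\x81\xc4\x54\xf2\xff\xff"     # ADD ESP, -3500
JMP_STUBS = (b"\xe9\xd0\xf8\xff\xff", b"\xe9\x4f\xf6\xff\xff")
LARGE_PAYLOAD = 3000
# Assumed thresholds (not from the page): 0xFF run length that counts as the
# memory flush, and how close to the buffer end a JMP stub must sit.
FLUSH_RUN_MIN, TAIL_WINDOW = 0x1000, 256

# The 32-byte stub listed above, generalised to any count immediate and key:
#   jmp +0x19 / pop esi / xor ecx,ecx / sub ecx,IMM / xor [esi],KEY /
#   sub esi,-4 / loop / jmp +5 / call back
DECODER_LEN = 32
DECODER_RE = re.compile(
    rb"\xeb\x19\x5e\x31\xc9\x81\xe9(.{4})\x81\x36(.{4})"
    rb"\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff", re.DOTALL)


def find_decoder(payload):
    """Return (offset, key, dword_count) of the first decoder stub, or None."""
    m = DECODER_RE.search(payload)
    if not m:
        return None
    (sub_imm,), (key,) = struct.unpack("<I", m.group(1)), struct.unpack("<I", m.group(2))
    return m.start(), key, (-sub_imm) & 0xFFFFFFFF    # ECX = 0 - IMM


def xor_dwords(data, key):
    """XOR each little-endian dword with key (the stub's loop body; self-inverse)."""
    return b"".join(struct.pack("<I", struct.unpack("<I", data[i:i + 4])[0] ^ key)
                    for i in range(0, len(data), 4))


def xor_decode(payload, offset, key, count):
    """Decode the `count` dwords that follow the stub (CALL pushes that address)."""
    enc = payload[offset + DECODER_LEN:offset + DECODER_LEN + 4 * count]
    if len(enc) != 4 * count:
        raise ValueError("encoded body is truncated")
    return xor_dwords(enc, key)


def longest_ff_run(payload):
    return max((len(r) for r in re.findall(rb"\xff+", payload)), default=0)


def classify(dst_port, payload):
    """Names of the indicators matched by one payload sent to dst_port."""
    hits = []
    if dst_port not in AGENT_PORTS:
        return hits
    if len(payload) > LARGE_PAYLOAD:
        hits.append("oversized_request")
    if longest_ff_run(payload) >= FLUSH_RUN_MIN:
        hits.append("ff_memory_flush")
    if len(payload) == BUFFER_LEN:
        hits.append("exact_3288_buffer")
    if payload[GADGET_OFFSET:GADGET_OFFSET + 6] == ADD_ESP_GADGET:
        hits.append("add_esp_gadget_at_1337")
    elif ADD_ESP_GADGET in payload:
        hits.append("add_esp_gadget")
    if any(s in payload[-TAIL_WINDOW:] for s in JMP_STUBS):
        hits.append("backward_jmp_stub")
    if find_decoder(payload):
        hits.append("xor_decoder_stub")
    return hits


# --- constructed sample traffic (demo only; the "shellcode" is ASCII text) ---
STUB = bytes.fromhex("eb195e31c981e989ffffff813680bf329481eefcffffffe2f2eb05e8e2ffffff")
KEY = 0x9432BF80                                          # key carried in STUB
FAKE_PLAINTEXT = (b"CONSTRUCTED SAMPLE, NOT REAL SHELLCODE  " * 12)[:476]  # 119 dwords


def build_sample_exploit():
    """A 3288-byte buffer laid out at the offsets listed above."""
    buf = bytearray(b"A" * BUFFER_LEN)
    buf[GADGET_OFFSET:GADGET_OFFSET + 6] = ADD_ESP_GADGET
    body = STUB + xor_dwords(FAKE_PLAINTEXT, KEY)         # 32 + 476 bytes
    buf[1400:1400 + len(body)] = body                     # assumed spot below the overwrite
    buf[RET_OFFSET:RET_OFFSET + 4] = struct.pack("<I", 0x20C0C1AB)
    buf[JMP_OFFSET:JMP_OFFSET + 5] = JMP_STUBS[0]
    return bytes(buf)


if __name__ == "__main__":
    for name, port, data in [("benign", 6070, b"hello agent\r\n"),
                             ("flush", 6070, b"\xff" * 0x12000),
                             ("exploit", 6070, build_sample_exploit()),
                             ("wrong port", 6051, build_sample_exploit())]:
        print(f"{name:10} -> {classify(port, data)}")
    off, key, count = find_decoder(build_sample_exploit())
    print(f"decoder at {off}, key 0x{key:08x}, {count} dwords")
    print(xor_decode(build_sample_exploit(), off, key, count)[:40])
```

The exact-length and fixed-offset checks (3288 bytes, gadget at 1337, stub at 3172) are brittle: any re-padded variant of the exploit slips past them, and they only matter on hosts where dbasqlr.exe is actually listening on 6070/6050. The ADD ESP gadget bytes, the backward JMP stubs and the decoder-stub shape are the more durable signals, and the decoder parse is what lets an analyst recover the real payload from a capture rather than just flag it.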