CVE-2005-1815
published 2005-06-01

Priority: P3 38
CVSS 2.0: 5 (medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 47.19% (98.7th percentile)
Multiple buffer overflows in Hummingbird Connectivity inetD 10.0.0.1 and 9.0.0.4 allow attackers to cause a denial of service and possibly execute arbitrary code via (1) an FTP command with a long argument to FTPD (ftpdw.exe) or (2) a large amount of data to LPD (Lpdw.exe).

Affected

3 ranges
Vendor       Product        Version range   Fixed in
hummingbird  connectivity
hummingbird  connectivity
hummingbird  connectivity

Detection & IOCs (extracted from sources)

port: 515
other: 0x75022ac4
other: 0x71aa2461
filename: ftpdw.exe
filename: Lpdw.exe
  • Detect exploitation attempts against the LPD service (TCP/515) sending oversized payloads — the exploit sends a buffer of 1596–1620 bytes of filler followed by an SEH overwrite record.
  • Monitor for abnormally large data sent to TCP port 515 (LPD) targeting Lpdw.exe; legitimate LPD print jobs do not require kilobyte-scale single-burst payloads.
  • Monitor for FTP commands with excessively long arguments directed at ftpdw.exe, which is the Hummingbird FTPD process; this is the second attack vector for CVE-2005-1815.
  • The exploit uses SEH-based payload delivery with bad characters \x00 and \x0a stripped; look for shellcode patterns in LPD traffic lacking null bytes and newlines.
  • The Metasploit module targets Windows 2000 SP0-SP4 and Windows XP SP0/SP1 with specific return addresses; presence of these RET values (0x75022ac4, 0x71aa2461) in network traffic to port 515 is a strong exploit indicator.
  • The Metasploit module was tested only against Hummingbird Exceed v10 with SP5; offsets and return addresses may differ for other patch levels.
  • Two distinct processes are vulnerable (ftpdw.exe on FTP and Lpdw.exe on LPD/515); detection rules and process monitoring must cover both binaries.
  • Payload space is constrained to 500 bytes with a stack adjustment of -3500; staged or large shellcode payloads will not fit within the exploit's payload space.