CVE-2005-2551
published 2005-08-12


Priority: P3 (49) · CVSS 2.0: 7.5 (high) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available · EPSS: 55.42% (98.9th percentile)
Buffer overflow in dhost.exe in iMonitor for Novell eDirectory 8.7.3 on Windows allows attackers to cause a denial of service (crash) and obtain access to files via unknown vectors.

Affected (1 range)

Vendor: novell · Product: edirectory · Version range: (not given) · Fixed in: (not given)

Detection & IOCs (extracted from sources)

  • port: 8008
  • path: /nds/
  • registry: 0x63501f15
  • process: dhost.exe
  • filename: ndsimon.dlm
  • bytes: \x90\x90\xeb\x04
  • bytes: \xe9\xbd\xef\xff\xff
  • Detect exploit attempts by monitoring HTTP GET requests to the /nds/ path on port 8008 with oversized URI payloads targeting dhost.exe (iMonitor service).
  • The exploit uses a pop/pop/ret gadget at address 0x63501f15 inside ndsimon.dlm; memory analysis or crash dumps referencing this return address indicate exploitation of CVE-2005-2551.
  • Payload bad characters for this exploit are: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30 — shellcode in the URI will avoid these bytes, which can aid in distinguishing malicious payloads.
  • The Metasploit module fingerprints the iMonitor service by matching HTTP response headers containing 'DHost/' or 'HttpStk/' — monitor for these banners on port 8008 to identify exposed instances.
  • Repeated exploitation attempts will crash eDirectory (dhost.exe); monitor for dhost.exe process crashes or absence on Windows hosts running Novell eDirectory 8.7.3 as a sign of active exploitation.
  • The exploit payload space is limited to 4150 bytes (0x1036 in the older module); shellcode must fit within this constraint and avoid the listed bad characters.
  • The return address (0x63501f15) is specific to ndsimon.dlm on all Windows targets for eDirectory 8.7.3; this hardcoded RET address will not apply to other versions.
  • The EXITFUNC is set to 'thread', meaning the shellcode exits via thread termination; this affects post-exploitation stability and payload selection.