CVE-2005-2551
Published: 2005-08-12
Priority: P349
Severity: high, CVSS 2.0 base score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 55.42% (98.9th percentile)
Buffer overflow in dhost.exe in iMonitor for Novell eDirectory 8.7.3 on Windows allows attackers to cause a denial of service (crash) and obtain access to files via unknown vectors.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | edirectory | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- \x90\x90\xeb\x04
- \xe9\xbd\xef\xff\xff
- Detect exploit attempts by monitoring HTTP GET requests to the /nds/ path on port 8008 with oversized URI payloads targeting dhost.exe (the iMonitor service).
- The exploit uses a pop/pop/ret gadget at address 0x63501f15 inside ndsimon.dlm; memory analysis or crash dumps referencing this return address indicate exploitation of CVE-2005-2551.
- Payload bad characters for this exploit are: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30; shellcode in the URI will avoid these bytes, which can help distinguish malicious payloads from legitimate requests.
- The Metasploit module fingerprints the iMonitor service by matching HTTP response headers containing 'DHost/' or 'HttpStk/'; monitor for these banners on port 8008 to identify exposed instances.
- Repeated exploitation attempts will crash eDirectory (dhost.exe); monitor for dhost.exe process crashes or absence on Windows hosts running Novell eDirectory 8.7.3 as a sign of active exploitation.
- The exploit payload space is limited to 4150 bytes (0x1036 in the older module); shellcode must fit within this constraint and avoid the listed bad characters.
- The return address (0x63501f15) is specific to ndsimon.dlm on all Windows targets for eDirectory 8.7.3; this hardcoded RET address will not apply to other versions.
- EXITFUNC is set to 'thread', meaning the shellcode exits via thread termination; this affects post-exploitation stability and payload selection.
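The detection points above can be turned into a small log-and-banner check. The following is an added example written for this page, not code from the CVE record or from the Metasploit module: it parses access-log lines in a simplified combined-log layout (the sample lines are constructed here), flags GET requests to /nds/ whose URI is far longer than any legitimate iMonitor request, matches the 'DHost/' and 'HttpStk/' banner strings named above, and searches raw data for the two byte patterns listed in the IOC section. The 1024-byte URI threshold is an assumption chosen to sit well below the 4150-byte payload space quoted in the record so that partial attempts are caught too.

```python
import re
from typing import Dict, List, Optional

# Byte patterns listed in the record's IOC section (NOP/NOP/short jump and a near jump).
IOC_BYTES = [b"\x90\x90\xeb\x04", b"\xe9\xbd\xef\xff\xff"]

# Constructed sample access-log lines for a host serving iMonitor on port 8008.
# The second line carries an oversized /nds/ URI and a 500 status, as an exploit
# attempt that crashed dhost.exe might look in a reverse proxy log.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2005:10:00:01 +0000] "GET /nds/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Aug/2005:10:00:02 +0000] "GET /nds/' + "A" * 4200 + ' HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Aug/2005:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Simplified combined-log pattern (assumed layout): source, ident, user, timestamp,
# request line, status. Enough to recover the method, URI and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed threshold: legitimate iMonitor URIs are short; the record quotes a
# 4150-byte payload space, so anything past 1 KiB is already suspicious.
URI_LIMIT = 1024


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_oversized_nds_requests(lines: List[str], limit: int = URI_LIMIT) -> List[Dict[str, object]]:
    """Flag GET requests to the /nds/ path whose URI length exceeds `limit`."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "GET" or not rec["uri"].startswith("/nds/"):
            continue
        if len(rec["uri"]) > limit:
            hits.append({
                "src": rec["src"],
                "uri_len": len(rec["uri"]),
                "status": int(rec["status"]),
            })
    return hits


def is_imonitor_banner(headers: Dict[str, str]) -> bool:
    """True if the Server header carries the iMonitor banners named in the record."""
    lowered = {k.lower(): v for k, v in headers.items()}
    server = lowered.get("server", "")
    return "DHost/" in server or "HttpStk/" in server


def contains_ioc_bytes(data: bytes) -> bool:
    """True if any of the record's byte patterns appears in the raw data."""
    return any(pattern in data for pattern in IOC_BYTES)


if __name__ == "__main__":
    for hit in find_oversized_nds_requests(SAMPLE_LOG):
        print(f"oversized /nds/ request from {hit['src']}: {hit['uri_len']} bytes, status {hit['status']}")
    print("banner match:", is_imonitor_banner({"Server": "DHost/1.0 HttpStk/1.0"}))
```

On a real deployment the same three checks map naturally onto a proxy or IDS in front of port 8008: URI length on /nds/ as an alert, the banner match as an inventory query for exposed instances, and the byte patterns as a content rule; the 4150-byte figure and bad-character list from the record are what make the length-based rule reliable here, since a working payload cannot shrink below what the overflow needs.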
No detection rules found.
Exploit-DB
eDirectory 8.7.3 - iMonitor Remote Stack Buffer Overflow (Metasploit), exploitdb, 2010-07-13
---
```ruby
##
# $Id: edirectory_imonitor.rb 9812 2010-07-13 22:11:40Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  HttpFingerprint = { :pattern => [ /DHost\//, /HttpStk\// ] } # custom port

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in eDirectory 8.7.3
        iMonitor service. This vulnerability was discovered by Peter
        Winter-
```
Exploit-DB
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit), exploitdb, 2005-08-12
---
```perl
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::edirectory_imonitor;
use strict;
use base "Msf::Exploit";
use Pex::Text;

my $advanced = { };

my $info =
{
    'Name'     => 'eDirectory 8.7.3 iMonitor Remote Stack Overflow',
    'Version'  => '$Revision: 1.2 $',
    'Authors'  => [ 'anonymous' ],
    'Arch'     => [ 'x86' ],
    'OS'       => [ 'win32', 'winnt', 'winxp', 'win2k', 'win2003' ],
    'Priv'     => 1,
    'AutoOpts'
```
Metasploit
eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow
This module exploits a stack buffer overflow in eDirectory 8.7.3 iMonitor service. This vulnerability was discovered by Peter Winter-Smith of NGSSoftware. NOTE: repeated exploitation attempts may cause eDirectory to crash. It does not restart automatically in a default installation.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/16393
- http://securitytracker.com/id?1014661
- http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098568.htm
- http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972038.htm
- http://www.kb.cert.org/vuls/id/213165
- http://www.securityfocus.com/bid/14548

Published: 2005-08-12