CVE-2005-3116
published 2005-11-18

Priority: P260
CVSS 2.0: 10 (critical), AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 27.62% (97.8th percentile)
Stack-based buffer overflow in a shared library as used by the Volume Manager daemon (vmd) in VERITAS NetBackup Enterprise Server 5.0 MP1 to MP5 and 5.1 up to MP3A allows remote attackers to execute arbitrary code via a crafted packet.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
symantec_veritas | netbackup | |

Detection & IOCs (extracted from sources)

Port: 13701
  • Monitor for inbound TCP connections to port 13701 (VERITAS NetBackup Volume Manager Daemon vmd) from untrusted/external hosts, especially those sending oversized or malformed packets.
  • The stack address used by the first-stage shellcode is static (0x0012F360 / 0x0012F000 region). Presence of these hardcoded stack addresses in network traffic to tcp/13701 is a strong exploit indicator.
  • The exploit embeds the ASCII string 'OWNED!' immediately before the return address overwrite. Scanning tcp/13701 traffic for the byte sequence 4F 57 4E 45 44 21 ('OWNED!') can identify exploit attempts.
  • The Import Address Table (IAT) offsets hardcoded in the shellcode (e.g., socket at 0x00447288, connect at 0x0044724C, recv at 0x00447234) are specific to NetBackup v5.1. Their presence in a packet payload targeting tcp/13701 is a reliable exploit indicator.
  • The hardcoded IAT addresses and static stack pointer (0x0012F360) in the exploit are specific to NetBackup v5.1 on Windows 2000 SP4. The exploit author notes it was tested on v4.5, 5.0, and 5.1 with 'some Maintenance Packs (not all)', so offsets may differ across versions.
  • The NVD advisory scopes the vulnerability to VERITAS NetBackup Enterprise Server 5.0 MP1–MP5 and 5.1 up to MP3A. The exploit code also references v4.x and v6 in its usage string, suggesting broader applicability than the official advisory.
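
A payload check for the indicators listed above, added here as an example and not taken from the sources or from any vendor tooling. It assumes reassembled TCP payloads are available as bytes and that the addresses appear little-endian on the wire (32-bit x86 target); `find_indicators`, `triage` and the sample flows are constructed for illustration.

```python
import struct

VMD_PORT = 13701          # tcp port of vmd, as given on the page
MARKER = b"OWNED!"        # bytes 4F 57 4E 45 44 21, as given on the page

# Hardcoded addresses quoted on the page (NetBackup v5.1, Windows 2000 SP4).
ADDRESSES = {
    "stack 0x0012F360": 0x0012F360,
    "IAT socket 0x00447288": 0x00447288,
    "IAT connect 0x0044724C": 0x0044724C,
    "IAT recv 0x00447234": 0x00447234,
}


def find_indicators(dst_port: int, payload: bytes) -> list[str]:
    """Return the names of page-listed indicators present in one TCP payload."""
    if dst_port != VMD_PORT:
        return []
    hits = []
    if MARKER in payload:
        hits.append("marker OWNED!")
    for name, addr in ADDRESSES.items():
        # Assumption: 32-bit x86 target, so addresses travel little-endian.
        if struct.pack("<I", addr) in payload:
            hits.append(name)
    return hits


def triage(flows):
    """Return (source, hits) for every flow with at least one indicator."""
    return [(src, hits) for src, port, data in flows
            if (hits := find_indicators(port, data))]


# Constructed sample flows: (source address, destination port, payload bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 13701, b"\x00" * 32 + b"routine vmd request"),
    ("198.51.100.7", 13701,
     b"A" * 64 + MARKER + struct.pack("<I", 0x0012F360)
     + struct.pack("<I", 0x00447288)),
    ("198.51.100.7", 443, MARKER),  # same marker, other port: ignored
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_FLOWS):
        print(src, "->", ", ".join(hits))
```

Because the addresses are tied to v5.1 on Windows 2000 SP4, a flow with no hits is not cleared by this check alone.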